I OVERVIEW

At present, there is no omnibus privacy and data protection law in China; the current provisions on privacy and data protection are found mainly in general laws and in industry-specific regulations.

In 2012, the Standing Committee of the National People's Congress issued the Decision on Strengthening Internet Information Protection, which provides some general principles for network service providers to protect the personal electronic information of Chinese citizens. Based on these principles, various departments under the State Council issued administrative regulations regulating the collection and processing of personal information in their respective fields. For example, the Ministry of Industry and Information Technology (MIIT) issued the Provisions on Protecting the Personal Information of Telecommunications and Internet Users in 2013, the State Post Bureau released the Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services in 2014, and the People's Bank of China released the Implementing Measures for the Protection of Financial Consumers' Rights and Interests in 2016.

On 7 November 2016, the Cybersecurity Law (CSL) was issued and it took effect on 1 June 2017. The official implementation of the CSL marks the gradual formation of China's new legal framework for cybersecurity and data protection. Among other things, the CSL covers the following aspects:

  1. personal information protection;
  2. general network protection obligations of the network operators and the multi-level protection scheme (MLPS);
  3. enhanced protection for the critical information infrastructure (CII);
  4. data localisation and security assessment for the cross-border transfer of personal information and important data; and
  5. security review of the network products and services.

As the CSL is a high-level law and does not provide practical guidelines, China has been drafting a series of related implementation regulations and national standards. These implementation regulations and national standards, together with the CSL, constitute China's legal regime for cybersecurity and data protection.

II THE YEAR IN REVIEW

Since its promulgation, the CSL has exerted great influence on China's cybersecurity and data protection practice. Recent notable changes include the following.

i Personal information protection

On 1 May 2018, the Information Security Technology – Personal Information Security Specification (the Specification), a national standard, took effect. Although the Specification is only a recommended national standard, owing to the lack of a uniform personal information protection law it has, to some extent, been regarded by enterprises as 'best practice'. As the enforcement authorities also refer to the Specification in various personal information protection campaigns, the Specification has gained some de facto authority.

In the internet and mobile applications field, China has launched a number of enforcement campaigns to punish the unlawful or unreasonable collection or misuse of personal information.

In January 2018, the Cyberspace Administration of China (CAC) interviewed the relevant officials of Alipay and Zhima Credit for what is known as the Alipay annual bill incident, and called for a special rectification in their personal information collection practice.

In January 2018, the MIIT, in response to the violation of the privacy of users by relevant mobile phone apps, interviewed Baidu, Alipay and Toutiao, requiring the three enterprises to rectify their practice and to protect the users' right to know and right to choose.

In November 2018, the China Consumers Association released the Assessment Report on Collection of Personal Information by 100 Apps and their Privacy Policies.

In January 2019, the CAC and a number of other ministries jointly released the Announcement on Launching Special Crackdown Campaign Against Illegal Collection and Use of Personal Information by Apps, publicly exposing and ordering rectification of these apps' illegal collection of personal information and lack of a privacy policy.

ii Cybersecurity and data leakage

After the official implementation of the CSL, a number of enterprises have been punished for their failure to perform network security protection obligations or for data leakage.

In May 2018, a company in Yunnan province was warned and fined by the public security authority for failing to take technical measures to prevent computer viruses and cyberattacks, network intrusions and other harmful behaviour.

In July 2018, Datatang, a well-known domestic data company, was investigated and found illegally selling a huge volume of citizens' personal information.

In August 2018, many guests of Huazhu, a domestic hotel group, had their personal information leaked and sold online. The perpetrators were arrested.

iii Data localisation and cross-border transfer of data

In late 2018, the Ministry of Science and Technology published its penalties against BGI and Huashan Hospital for their international cooperation with Oxford University for research on Chinese human genetic resources without the approval of the competent authority. BGI was found to have transferred abroad information on human genetic resources over the internet. The two enterprises were ordered to stop the related study projects, destroy all the genetic materials and the related research data, and suspend any international cooperation on human genetic resources until they are reassessed as qualified again. It should be noted that the punishment originated from the violation of the Provisional Administrative Measures of Human Genetic Resources, an industry-specific regulation effective long before the CSL was in place.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

China's legal regime of privacy and data protection includes the CSL and privacy and data protection provisions dispersed in various laws and regulations, including:

  1. the National Security Law;
  2. the E-commerce Law;
  3. the Tourism Law;
  4. the Anti-Terrorism Law;
  5. the General Rules of the Civil Law;
  6. the Implementing Measures of the PRC for the Protection of Financial Consumers' Rights and Interests;
  7. the Interim Measures for the Administration of Online Taxi-Booking Business Operations and Services;
  8. the Criminal Law;
  9. the Administrative Provisions on Short Message Services;
  10. the Regulations on Management of Internet User Account Name;
  11. the Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services;
  12. the Law on the Protection of Rights and Interests of Consumers;
  13. the Administrative Regulations on Credit Investigation Industry;
  14. the Several Provisions on Regulating the Order of the Internet Information Service Market;
  15. the Law on Resident Identity Cards;
  16. the Tort Law; and
  17. the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.

China's legal regime on cybersecurity and data protection also includes the judicial interpretations made by the Supreme People's Court and the Supreme People's Procuratorate, such as:

  1. Interpretation of several issues regarding application of law to criminal cases of infringement of citizen's personal information handled by the Supreme People's Court and the Supreme People's Procuratorate; and
  2. Provisions of the Supreme People's Court on application of laws to cases involving civil disputes over infringement upon personal rights and interests by using information networks.

National standards are another key part of the cybersecurity and data protection legal regime. Though they are not compulsory, they are generally regarded as best practice by enterprises. Important national standards (including draft versions) include:

  1. Information Security Technology – Personal Information Security Specification;
  2. Information Security Technology – Guidelines for Personal Information Protection Within Information System for Public and Commercial Services;
  3. Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (draft for comment);
  4. Information Security Technology – Guide to De-Identifying Personal Information (draft for comment);
  5. Information Security Technology – Security Impact Assessment Guide of Personal Information (draft for comment);
  6. Information Security Technology – Security Requirements for Data Exchange Service (draft for comment); and
  7. Information Security Technology – Risk Assessment Specification for Information Security (draft for comment).

The CSL defines the terms 'network operator' and 'personal information'. Under the CSL, a network operator refers to the owner or manager of a network or the provider of a network service; personal information refers to all kinds of information, recorded in electronic or any other form, that can be used alone or in combination with other information to identify a natural person, including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address and telephone number.

The Specification makes minor wording changes to the definition of 'personal information' under the CSL. According to the Specification, personal information means any information saved in electronic form or otherwise that can be used independently or together with other information to identify a natural person or reflect the activities of a natural person, including names, dates of birth, identification numbers, personal biometric information, addresses, contact information, records and content of communications, accounts and the passwords thereof, property information, credit reference information, whereabouts and tracks, hotel accommodation information, information concerning health and physiology, information on transactions, etc.

The Specification also defines the 'personal sensitive information' as personal information that may cause harm to personal or property security, or is very likely to result in damage to an individual's personal reputation or physical or mental health or give rise to discriminatory treatment, once it is leaked, unlawfully provided or abused, including identification numbers, personal biometric information, bank accounts, records and content of communications, property information, credit reference information, whereabouts and tracks, hotel accommodation information, information concerning health and physiology, information of transactions, personal information of children aged 14 or younger, etc.

China has no specific stipulation on the ownership of personal information. It is still disputed whether personal information falls within the scope of property rights or personal rights, or should be treated as a brand new type of legal right. A unified Personal Information Protection Law is being drafted by legislators and is expected to be issued in the near future, which may shed more light on the ownership of personal information.

The Specification also provides the definition of 'personal information subject' and 'personal information controller'. According to the Specification, a personal information subject means a natural person who can be identified by reference to personal information; a personal information controller means an organisation or an individual who has the right to determine the purposes and means of the processing of personal information. The Specification does not define the 'personal information processor'.

According to the Specification, the basic principles for personal information protection, each of which is addressed to the personal information controller ('it' below), include:

  1. Consistency between rights and liabilities: it shall bear liability for any damage that its processing of personal information causes to the legal rights and interests of personal information subjects.
  2. Clear purpose: it shall have lawful, justified, necessary and clear purposes in processing personal information.
  3. Solicitation for consent: it shall explicitly specify the purposes, manners, scope and rules in respect of the processing of personal information, and seek the authorisation and consent of personal information subjects.
  4. Minimum sufficiency: it shall process only the minimum categories and amount of personal information necessary for achieving the purpose authorised and consented to by personal information subjects, unless otherwise agreed with them. It shall delete the personal information in a timely manner, as agreed, once that purpose is achieved.
  5. Openness and transparency: it shall make public the scope, purposes, rules, etc. in respect of the processing of personal information in an explicit, easily understandable and reasonable manner, and accept public oversight.
  6. Guarantee of security: it shall possess security capabilities commensurate with the security risks it faces, and take sufficient management measures and technical measures to safeguard the confidentiality, integrity and availability of personal information.
  7. Involvement of personal information subjects: it shall provide personal information subjects with the means to access, modify and delete their own personal information, to withdraw their consent and to cancel their own account.

Under Article 64 of the CSL, network operators or providers of network products or services that infringe any legally protected right in personal information will be punished by the competent authorities by, for example, an order to rectify, a warning, confiscation of illegal earnings and fines; in severe cases, the punishment may extend to suspension of the related business, winding up for rectification, shutdown of the website and revocation of the business licence. Also, stealing or otherwise unlawfully obtaining personal information, or selling or unlawfully providing such information to others, where it does not constitute a crime, will be punished by confiscation of the illegal earnings or a fine.

ii General obligations for data handlers

The CSL provides only some general principles for personal information protection. Article 41 of the CSL provides that:

Network operators shall abide by the principles of lawfulness, justifiability and necessity in collecting and using personal information, by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtaining the consent of the person whose personal information is to be collected. No network operator may collect any personal information that is not related to the services it provides. It shall collect, use, process and store the personal information in accordance with laws and administrative regulations and its agreement with the users.

As for the right of the personal information subject, Article 43 of the CSL provides that

Each individual is entitled to require a network operator to delete his or her personal information if he or she finds that the collection and use of such information by such operator violate the laws, administrative regulations or the agreement between such operator and him or her; and is entitled to require any network operator to make corrections if he or she finds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error.

The Specification provides more specific provisions on the collection and use of personal information.

Collection of personal information

Under the Specification, the collection of personal information is subject to the principles of lawfulness and minimisation, as well as to the authorisation of the personal information subject (explicit consent must be obtained where personal sensitive information is involved). However, a personal information controller may collect and use personal information without obtaining the authorisation and consent of personal information subjects under any of the following circumstances:

  1. where the collection and use are in direct relation to state security or national defence security;
  2. where the collection and use are in direct relation to the public security, public sanitation, or major public benefits;
  3. where the collection and use are in direct relation to investigations into crimes, prosecutions, court trials, execution of rulings, etc.;
  4. where the collection and use are for the sake of safeguarding significant legal rights and interests, such as the life and property, of personal information subjects or other individuals, but it is difficult to obtain their consent;
  5. where the personal information collected is the information voluntarily published by personal information subjects before the general public;
  6. where the personal information is collected from information that has been legally and publicly disclosed, such as legal news reports and information published by the government;
  7. where the collection and use are necessary for concluding and performing contracts at the request of personal information subjects;
  8. where the collection and use are necessary for ensuring the safe and stable operation of its products or services, such as identifying and disposing of faults in its products or services;
  9. where the personal information controller is a news agency and the collection and use are necessary for releasing news reports in a legal manner;
  10. where the collection and use are necessary for the personal information controller, as an institute for academic research, to have statistical programmes or academic research for the sake of the general public, and it has processed the personal information, which is contained in the results of academic research or descriptions, for de-identification purposes, while announcing these results to the general public; or
  11. other circumstances specified by laws and regulations.

The Specification specifies that explicit consent means the act of a personal information subject granting authority for the processing of his or her personal information, either through a written statement or his or her voluntary affirmative gesture, with the affirmative gestures including voluntarily making (either electronic or written) statements, or voluntarily ticking or clicking the 'agree', 'register', 'send', 'dial', or other options by personal information subjects.

Use of personal information

According to the Specification, when using personal information a personal information controller is required to:

  1. limit the ability of the personal information it uses to point clearly to a specific identity, except where this is needed to achieve a stated purpose, so as to avoid particular individuals being identified;
  2. treat as personal information any information newly generated from the processing of collected personal information that, alone or together with other information, can identify a natural person or reflect his or her activities; and
  3. refrain from using personal information for any purpose beyond the scope directly or reasonably related to the purposes stated at the time of collection. Where, to meet its business needs, it is truly necessary to use the personal information beyond that scope, it shall obtain the explicit consent of the personal information subjects concerned once more.

If any circumstance below occurs, the personal information controller should notify the personal information subject.

  1. Prior to the collection of personal information. Personal information controller should inform personal information subjects explicitly of the categories of personal information that will be collected under different business functions of its products or services, and the rules on how personal information will be collected and used (for example, why, how and how often personal information will be collected and used, the territory where personal information will be stored, how long personal information will be stored, its data security capability, and particulars of its sharing, transferring and public disclosure of personal information), and obtain the authority and consent of personal information subjects.
  2. Suspension of personal information controllers' operation. If a personal information controller suspends operation in regard to its products or services, it shall serve a notice of suspended operation on each personal information subject or publicly release an announcement for this purpose.
  3. Sharing and transfer of personal information. The personal information controller shall inform personal information subjects of the purposes for which their personal information will be shared or transferred and categories of data recipients, and obtain the authority and consent of personal information subjects in advance. Before sharing or transferring personal sensitive information, it shall also inform what categories of personal sensitive information are involved, identities of data recipients and their data security capability, and shall obtain explicit consent of each personal information subject.
  4. Transfer of personal information in acquisitions, mergers and restructuring
  5. Public disclosure of personal information. The personal information controller shall inform personal information subjects of the purposes for which their personal information will be publicly disclosed and what categories of information will be publicly disclosed, and obtain the authority and consent of personal information subjects in advance. Before publicly disclosing personal sensitive information, it shall also inform them of what personal sensitive information will be involved.
  6. Joint personal information controllers. The personal information controller shall determine and inform personal information subjects explicitly of, what requirements in respect of personal information security shall be fulfilled, and the respective duties and obligations of itself and the third party in respect of personal information security, in a contract or otherwise.
  7. Security incidents. A personal information controller is required to promptly notify each affected personal information subject of the particulars of the security incident, by means of emails, letters, calls or pushed notifications. Where it is difficult to notify all affected personal information subjects one by one, it shall issue alerts in relation to the general public in a reasonable and effective manner; the content of a notification shall include but not be limited to (1) what the security incident is and its impact; (2) what measures it has taken or will take to deal with the incident; (3) advice on what actions could be taken by personal information subjects themselves to avoid the impact and reduce risks; (4) remedial measures available for personal information subjects; and (5) contact information of the head in charge of personal information protection and the agency in charge of personal information protection.

iii Data subject rights

Article 43 of the CSL (quoted in Section III.ii above) entitles each individual to require a network operator to delete his or her personal information where the operator's collection and use of that information violate the laws, administrative regulations or the agreement between them, and to require the operator to correct any errors in the information it has collected and stored. The operator shall take measures to delete the information or correct the error.

According to the Specification, the personal information subject has the right to access, modify and delete his or her personal information, to withdraw consent, to cancel his or her account and to obtain copies of his or her personal information.

Access to personal information

A personal information controller shall provide personal information subjects with a means of accessing the following information:

  1. what personal information of the personal information subjects it holds, or categories of this personal information;
  2. from where the personal information is sourced, and for what; and
  3. the identities of third parties that have obtained the personal information, or categories of these third parties.

It should be noted that, where a personal information subject requests access to personal information that he or she did not voluntarily provide, the personal information controller may decide whether or not to agree to the request, giving its reasons, after comprehensively taking into account the likely risks and damage to the subject's legal rights and interests if the request is refused, the technical feasibility and cost of agreeing to the request, and other related factors.

Modification of personal information

If a personal information subject finds that his or her personal information held by a personal information controller is inaccurate or incomplete, the personal information controller shall make it possible for the subject to request correction of the information or the provision of additional information.

Deletion of personal information

A personal information controller is required to fulfil the requirements below:

  1. if a personal information subject requires it to delete his or her personal information under either of the following circumstances, it shall delete the personal information in a timely manner:
    • where the personal information controller collects or uses the personal information in a way that violates the provisions of laws and regulations; or
    • where the personal information controller collects or uses the personal information in a way that violates its agreement with the personal information subject;
  2. if it shares the personal information of a personal information subject with or transfers it to a third party, in violation of the provisions of laws and regulations or its agreement with the personal information subject, and the subject requires it to delete his or her personal information, it shall cease sharing or transferring the information immediately, and instruct the third party concerned to delete the information in a timely manner; and
  3. if it publicly discloses personal information in a way that violates the provisions of laws and regulations or its agreement with the personal information subject, and the personal information subject requires it to delete the information, it shall cease the public disclosure of the information immediately, and issue a notice to require related recipients to delete the information concerned.

Personal information subjects' withdrawal of consent

A personal information controller is required to make it possible for personal information subjects to withdraw their consent to the authorised collection and use of their personal information. Once consent has been withdrawn, the controller shall no longer process the personal information concerned. A controller must also guarantee personal information subjects' right to refuse to receive commercial messages pushed on the basis of their personal information. Where personal information is shared with, transferred to or publicly disclosed to external parties, the controller shall likewise make it possible for personal information subjects to withdraw their consent.

It should be noted that, a personal information subject's withdrawal of his or her consent does not affect the consent-based processing of personal information prior to the withdrawal.

Personal information subjects' cancellation of accounts

A personal information controller must meet the following requirements:

  1. if it offers services through registered accounts, it shall make it possible for personal information subjects to cancel their own account and the method to cancel an account should be easily and conveniently feasible; and
  2. after a personal information subject has cancelled his or her account, it shall delete or anonymise his or her personal information.

Personal information subjects' request for copies of personal information

A personal information controller shall, upon the request of a personal information subject, make it possible for the subject to obtain a copy of the following categories of his or her own personal information, or, where technically practicable, transmit a copy of those categories of personal information directly to a third party:

  1. the subject's basic information and information about his or her identification; and
  2. the information about the subject's health, psychological status, education and employment.
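The data subject rights listed in this subsection (access, correction, deletion, withdrawal of consent, account cancellation and a copy of the subject's information) map naturally onto a small set of operations on a controller's personal information store. The following is an added illustration written for this chapter, not code from the original article or from any Chinese standard; the record layout, the purpose-based consent model and all names are assumptions. It shows in particular that withdrawing consent blocks further processing for that purpose while leaving the record of prior, consent-based processing intact, and that account cancellation either deletes the record or anonymises it by stripping the identifying fields.

```python
"""Added example: a minimal personal-information store exercising the
Specification's data-subject rights. All names and the record layout are
assumptions made for this illustration, not a real system's API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Subject:
    """One personal information subject's record, as held by the controller."""
    account_id: str
    name: Optional[str]
    id_number: Optional[str]
    phone: Optional[str]
    consented_purposes: Set[str] = field(default_factory=set)
    processing_log: List[str] = field(default_factory=list)   # purposes actually processed
    refusals: List[str] = field(default_factory=list)         # purposes refused for lack of consent
    cancelled: bool = False


class Controller:
    """Personal information controller: every operation is keyed by account id."""

    def __init__(self) -> None:
        self._subjects: Dict[str, Subject] = {}

    def register(self, account_id: str, name: str, id_number: str,
                 phone: str, purposes: List[str]) -> None:
        """Collection: consent is recorded per declared business purpose."""
        self._subjects[account_id] = Subject(account_id, name, id_number, phone, set(purposes))

    def access(self, account_id: str) -> dict:
        """Right of access: what is held and for which purposes."""
        s = self._subjects[account_id]
        return {"name": s.name, "id_number": s.id_number, "phone": s.phone,
                "purposes": sorted(s.consented_purposes)}

    def correct(self, account_id: str, **fields: str) -> None:
        """Right of correction: only the subject's own data fields may be changed."""
        s = self._subjects[account_id]
        for key, value in fields.items():
            if key not in ("name", "id_number", "phone"):
                raise ValueError(f"field {key!r} is not correctable by the subject")
            setattr(s, key, value)

    def process(self, account_id: str, purpose: str) -> bool:
        """Processing is gated on a currently valid consent for that purpose."""
        s = self._subjects[account_id]
        if s.cancelled or purpose not in s.consented_purposes:
            s.refusals.append(purpose)
            return False
        s.processing_log.append(purpose)
        return True

    def withdraw(self, account_id: str, purpose: str) -> int:
        """Withdrawal of consent stops future processing; earlier processing
        remains lawful and stays in the log. Returns the number of prior runs."""
        s = self._subjects[account_id]
        s.consented_purposes.discard(purpose)
        return s.processing_log.count(purpose)

    def delete(self, account_id: str) -> bool:
        """Deletion on request: the record is removed entirely."""
        return self._subjects.pop(account_id, None) is not None

    def cancel_account(self, account_id: str, anonymise: bool = False) -> bool:
        """Account cancellation: delete the record, or anonymise it by removing
        every identifying field and all consents so no processing can follow."""
        if not anonymise:
            return self.delete(account_id)
        s = self._subjects[account_id]
        s.name = s.id_number = s.phone = None
        s.consented_purposes.clear()
        s.cancelled = True
        return True

    def export_copy(self, account_id: str) -> dict:
        """Copy of personal information, grouped into the categories the
        Specification names (basic information and identification)."""
        s = self._subjects[account_id]
        return {"basic": {"name": s.name, "phone": s.phone},
                "identification": {"id_number": s.id_number}}
```

Keeping `processing_log` after withdrawal, rather than wiping it, is what makes the record auditable: a reviewer can see that processing before the withdrawal happened under consent and that nothing was processed afterwards. The `refusals` list serves the same purpose for attempts that were correctly blocked.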

iv Specific regulatory areas

Workplace privacy

There are no specific provisions in Chinese laws and regulations regarding workplace privacy protection. In day-to-day operations, enterprises may monitor the behaviour of employees for supervisory and management purposes. Such monitoring is generally considered to fall within the scope of the enterprise's business autonomy and to have a certain legitimacy. For example, companies may capture images of employees through cameras, fingerprints of employees through attendance machines, or employees' location through an app's location function, which often involves the collection of employees' sensitive information (whereabouts and tracks, biometric information, etc.). To protect the privacy of employees, enterprises should first ensure that the above-mentioned monitoring measures, as well as the employee information they collect, serve a legitimate purpose and are necessary for business operations, and should avoid collecting or monitoring any employee information during non-working hours and outside the workplace. Second, the type of information collected, the purpose and manner of collection and the protective measures applied should be notified to the employee, and the employee's written consent should be obtained.

Children's privacy

According to the Provisions on Cyber Protection of Personal Information of Children, 'network operators that collect, use, transfer or disclose personal information of children shall, in a notable and clear way, notify children's guardians of their practices, and obtain the consent from children's guardians.'

Health and medical privacy

The Measures for the Management of Population Health Information (on Trial), the Law on Licensed Doctors of the PRC, the Nurses Ordinance and the Regulations for Medical Institutions on Medical Records Management set out the requirements for medical institutions and staff to protect patients' personal information. For example, the Regulations for Medical Institutions on Medical Records Management require that 'medical institutions and medical staff shall strictly protect patient privacy. Any leakage of patients' medical records for non-medical, non-teaching or non-research purposes is forbidden'.2 They also regulate the keeping, storage, borrowing and copying of medical records.3

Financial privacy

The Notice of the People's Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests set out the obligations that banking and financial institutions must fulfil. According to the two notices, personal financial information includes personal identity information, personal property information, personal account information, personal credit information, personal financial transaction information, derivative information and other personal information obtained and kept in the course of establishing a business relationship with a person. In protecting personal financial information, banking financial institutions should strictly abide by the legal provisions, establish and improve internal control rules, improve technical measures for information security, strengthen the training of professionals and raise their awareness of personal financial information security. Personal financial information collected inside China may not be provided abroad unless otherwise required by laws and regulations and the People's Bank of China.

v Technological innovation

For the use of cookies, the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps provides that, 'For the collection of personal information by using cookies and similar technologies (including scripts, clickstreams, web beacon, flash cookie, embedded web links, SDK, etc.), the purposes and types of personal information collected shall be clearly presented to the users.'4 In practice, companies generally describe such use of cookies in their privacy policy rather than setting up a separate pop-up on the webpage.

For profiling or automated decision-making, according to the Specification, the 'personal information controller should specify in the privacy policy the purposes for which personal information will be collected and used, and what business functions are involved in these purposes, including using personal information in pushing commercials or creating direct user profiles and the use thereof.'5 In addition, the Specification stipulates that, 'where a decision that has a dramatic impact on a personal information subject's rights and interests is made reliant only on the information system's automatic decision-making (for example, determining the subject's credit status and the quota of credit loans available to the subject, based on user profiling, or applying user profiling to shortlist candidates for interviews), the personal information controller shall make it possible for the personal information subject to lodge a complaint.'6

The CSL does not differentiate between anonymisation, de-identification and pseudonymisation; it is noteworthy, however, that Article 42 of the CSL provides that, 'No network operator may disclose, tamper with or destroy personal information that it has collected, or disclose such information to others without prior consent of the person whose personal information has been collected, unless such information has been processed to prevent specific person from being identified and such information from being restored.' Therefore, only where a technique, whether anonymisation, de-identification or pseudonymisation, meets the requirement that 'such information has been processed to prevent specific person from being identified and such information from being restored' is the processed information no longer regarded as personal information.

The Information Security Technology – Guide for De-Identifying Personal Information (Draft for Comment) provides the related requirements for de-identification, as well as the pseudonymisation technique.
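To make the distinction drawn in the two paragraphs above concrete, the following Python illustration is added here; it is not part of the original chapter and is not a statement of what satisfies Article 42. It pseudonymises constructed sample records with a keyed hash, shows that whoever holds the key together with a candidate list of identifiers can re-link every record (so the information can be 'restored'), and contrasts this with dropping the direct identifiers and generalising the remaining fields, after which no key-based restoration path exists. The records, the key and the field names are all constructed for the example.

```python
"""Added illustration: keyed pseudonymisation is restorable; identifier removal
plus generalisation leaves no key to restore with. Sample data is constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: names, ID numbers and diagnoses are made up.
SAMPLE_RECORDS = [
    {"name": "Zhang San", "id_card": "110101199001011234", "age": 34,
     "district": "Haidian", "diagnosis": "influenza"},
    {"name": "Li Si", "id_card": "310101198505052345", "age": 38,
     "district": "Pudong", "diagnosis": "hypertension"},
    {"name": "Wang Wu", "id_card": "440101199212123456", "age": 31,
     "district": "Tianhe", "diagnosis": "influenza"},
]

DIRECT_IDENTIFIERS = ("name", "id_card")


def pseudonymise(records, key: bytes):
    """Replace the direct identifiers with an HMAC-SHA256 token computed from the
    ID number under `key`. The output carries no names or ID numbers, but the
    mapping is deterministic: anyone holding `key` and a list of candidate
    identifiers can recompute the tokens and re-link each record."""
    out = []
    for rec in records:
        token = hmac.new(key, rec["id_card"].encode(), hashlib.sha256).hexdigest()
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"token": token, **rest})
    return out


def relink(pseudonymised, key: bytes, candidate_id_cards):
    """Demonstrate restoration: recompute tokens for a candidate identifier list
    (e.g. a controller's own customer file) and match them to the records.
    Returns {id_card: record} for every record that was re-identified."""
    lookup = {hmac.new(key, c.encode(), hashlib.sha256).hexdigest(): c
              for c in candidate_id_cards}
    return {lookup[r["token"]]: r for r in pseudonymised if r["token"] in lookup}


def anonymise(records, age_band: int = 10):
    """Drop the direct identifiers entirely, coarsen age to a band and drop the
    district. No token or key is produced, so there is nothing to recompute
    against a candidate list; the key-based restoration path does not exist."""
    out = []
    for rec in records:
        lo = (rec["age"] // age_band) * age_band
        out.append({"age_band": f"{lo}-{lo + age_band - 1}",
                    "diagnosis": rec["diagnosis"]})
    return out


def contains_identifier(records, fields=DIRECT_IDENTIFIERS) -> bool:
    """True if any record still carries one of the direct identifier fields."""
    return any(f in r for r in records for f in fields)


def min_group_size(records, quasi) -> int:
    """Smallest number of records sharing the same quasi-identifier values.
    Generalisation alone does not make data non-identifiable; a group of size 1
    is still a single, potentially linkable, individual."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values()) if counts else 0


if __name__ == "__main__":
    key = b"constructed-example-key"
    p = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised, identifiers present:", contains_identifier(p))
    print("re-linked with key:", len(relink(p, key, [r["id_card"] for r in SAMPLE_RECORDS])))
    a = anonymise(SAMPLE_RECORDS)
    print("anonymised, smallest group:", min_group_size(a, ("age_band",)))
```

The point of `relink` is that the pseudonymised output can be turned back into personal information by whoever holds the key, which is exactly the 'restored' case Article 42 names; `anonymise` removes that path but, as `min_group_size` is there to show, generalised output can still be linkable when a group contains a single person. Whether any particular output meets the Article 42 standard is a legal assessment that this code does not make.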

The Specification regards the following personal information as personal sensitive information and requires the controller to obtain the personal information subject's explicit consent for its collection and processing:

  1. information concerning property owned by an individual: bank account, identification information (code), deposit information (including the amount of deposits, records of receipts and payments, etc.), real estate information, credit loan records, credit reference information, records of transactions and consumptions, flow records, etc., and information about virtual property, such as virtual currency, virtual transactions, and CD-keys for games;
  2. information concerning the health and psychological status of an individual: records formed from an individual's illness and treatment, such as symptoms of illness, in-hospital logs, physician's advices, test reports, records of operations and anaesthesia, nursing records, records of drugs used, information on allergy to drugs and foods, childbirth information, his or her medical history, particulars of treatment, medical history of his or her family, history of present illness, history of infectious diseases, etc., and information generated from his or her physical conditions;
  3. biometric information of an individual: personal genes, fingerprints, vocal prints, palm prints, auricle, iris, facial features, etc.;
  4. identification information of an individual: identity card, military officer certificate, passport, driving licence, work licence, building pass, social insurance card, residence permit, etc.;
  5. information concerning online identification symbols: account for a system, IP address, email address, and the password, code, answers to questions asked to protect the password and users' personal digital certifications for the said account or addresses, etc.; and
  6. other information: phone number, sexual orientation, marital history, religious belief, records of undisclosed violations and crimes, communication records and the content thereof, whereabouts and tracks, web-browsing history, information on hotel accommodation, information on accurate positioning, etc.

Apart from requiring explicit consent from the personal information subject, the current law in China does not impose any other restrictions on using personal sensitive information. It is possible that the forthcoming personal information protection law will provide more details on controversial personal information processing techniques (such as facial recognition).

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

China has not yet concluded any international data protection framework or agreements.

Although the CSL imposes obligations on CII operators to localise the personal information and important data collected and generated inside China, it does not elaborate on the definition and specific scope of CII and 'important data'; nor does it provide operational guidelines for the specific requirements of data localisation and security assessment for cross-border data transfer. The related implementation regulations and national standards are still being drafted.

In May 2019, the CAC issued the Measures on Data Security Management (Draft for Comment) for public consultation, which provides that '"Important data" refer to the kind of data, if divulged, may directly affect national security, economic security, social stability and public health and security, such as undisclosed government information, large-scale population, genetic health, geography and mineral resources, etc. Important data shall usually not include information related to the production and operation and internal management of enterprises or personal information, etc.'7 and that 'Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.'8

In June 2019, the CAC issued the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) for public consultation. It provides that, 'before the cross-border transfer of personal information, network operators shall apply to the local cyberspace administrations at the provincial level for security assessment for cross-border transfer of personal information'9 and that, 'If it is identified by the security assessment that the cross-border transfer of personal information may affect national security or damage public interest, or that it is difficult to effectively protect the security of personal information, cross-border transfer of such information shall not be allowed.'10

According to the Measures on Data Security Management (Draft for Comment) and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment), whether important data and personal information can be transferred abroad is to be decided by the government. Whether these controversial requirements will be adopted as drafted remains to be seen.

As for the collection of cross-border electronic evidence, Article 4 of the Law on International Criminal Judicial Assistance provides that 'No foreign institution, organisation or individual may conduct criminal proceedings prescribed by this Law within the territory of the People's Republic of China without the approval of the competent authority of the People's Republic of China, and no institution, organisation or individual within the territory of the People's Republic of China may provide evidentiary materials and assistance prescribed by this Law to foreign countries.'

V COMPANY POLICIES AND PRACTICES

At this stage, Chinese law has no universal requirement for network operators to establish a complete privacy management programme. The CSL only provides some high-level generic network security requirements. For example, under the CSL network operators should formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity, and implement the responsibility for cybersecurity protection. In addition, network operators shall formulate contingency plans for cybersecurity incidents and promptly deal with system bugs, computer viruses, network attacks and intrusions and other security risks; network operators shall adopt technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent such information from being divulged, damaged or lost. If personal information has been or may be divulged, damaged or lost, they must take remedial measures immediately, inform users promptly in accordance with the provisions and report the incident to the relevant competent departments.

The Specification provides that a personal information controller is required to fulfil the following requirements:

  1. it shall make clear that its legal representative or the chief in charge of the controller shall undertake the overall leadership responsibility for personal information, including guaranteeing the human resources, financial resources and materials needed for the work to ensure personal information security;
  2. it shall appoint a head in charge of personal information protection and set up an agency in charge of personal information protection;
  3. it shall establish a system for personal information security impact assessment, and assess the personal information security impact regularly (at least once a year);
  4. it shall develop its data security capability and put into place necessary managerial and technical measures in accordance with the rules specified in applicable national standards, to avoid personal information being leaked, destroyed or lost; and
  5. it shall audit the effectiveness of its privacy policies, relevant rules and processes, and security measures.

It is noteworthy that the Specification elaborates on the content of a privacy policy and also provides a privacy policy template for enterprises to refer to. A privacy policy should cover:

  1. basic information about this personal information controller, including its registered name, registered address, regular business office, contact of its head, etc.;
  2. purposes for which personal information will be collected and used, and what business functions are involved in these purposes, for example, using personal information in pushing commercials or creating direct user profiles and the use thereof;
  3. what personal information will be collected under each business function, the rules on the processing of personal information, including how and how often this information will be collected and where and how long this information will be stored, and the scope of personal information it actually collects;
  4. purposes for which personal information is shared with, transferred to, or publicly disclosed among, external parties, categories of personal information concerned, categories of third parties that receive the personal information, and the legal liability it bears;
  5. what basic principles it observes for the security of personal information, what capacity it has for data security, and what safeguards it has taken to ensure the security of personal information;
  6. the rights of personal information subjects and the mechanism to exercise these rights, such as how to access, modify and delete their own personal information, how to cancel the account, how to withdraw their consent, how to obtain a copy of their own personal information, and how to impose limits on the information system's automatic decision-making;
  7. likely security risks after personal information subjects have provided their personal information, and potential impacts that may arise if they refuse to provide such information; and
  8. in what ways and under what mechanisms enquiries and complaints filed by personal information subjects will be handled, and the department in charge of handling external disputes and its contact information.

VI DISCOVERY AND DISCLOSURE

Article 18 of the Anti-Terrorism Law requires that

telecommunications business operators and internet service providers shall provide technical interface, decryption and other technical support and assistance for the prevention and investigation of terrorist activities conducted by public security authorities and national security authorities in accordance with the law.

In addition, the Specification stipulates that in principle personal information shall not be publicly disclosed. A personal information controller shall attach sufficient importance to the risks and comply with the relevant requirements if it is truly necessary to publicly disclose the information upon legal authorisation or with justified reasons. It shall assess the personal information security impact in advance and take effective measures to protect personal information subjects according to the assessment findings. It shall inform personal information subjects of the purposes for which their personal information will be publicly disclosed and what categories of information will be publicly disclosed, and obtain the authorisation and consent of personal information subjects in advance. However, a personal information controller need not seek the authorisation and consent of personal information subjects in advance where:

  1. the sharing, transfer or public disclosure is in direct relation to state security or national defence security;
  2. the sharing, transfer or public disclosure is in direct relation to public security, public sanitation, or major public benefits;
  3. the sharing, transfer or public disclosure is in direct relation to investigations into crimes, prosecutions, court trials, execution of rulings, etc.;
  4. the sharing, transfer or public disclosure is for the sake of safeguarding significant legal rights and interests, such as the life and property, of personal information subjects or other individuals, but it is difficult to obtain their consent;
  5. the personal information to be shared, transferred or publicly disclosed is voluntarily made public by personal information subjects themselves; and
  6. the personal information is collected from information that has been legally and publicly disclosed, such as legal news reports and information published by the government.

Therefore, for the purposes mentioned above, government agencies may require personal information controllers to publicly disclose personal information.

Information disclosure required by foreign government agencies shall comply with Article 4 of the Law on International Criminal Judicial Assistance.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

Article 8 of the CSL provides that 'The national cyberspace administration authority is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration work. The competent telecommunication department of the State Council, public security departments and other relevant authorities shall be responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the provisions of this Law and other relevant laws and administrative regulations. Responsibilities of relevant departments under local people's governments at or above the county level for protecting, supervising and administering cybersecurity shall be determined in accordance with the relevant.'

For undesirable practices, the main measure taken by the CAC is to interview the responsible persons of the relevant network operators. For example, on 6 January 2018, the Network Security Coordination Bureau of the CAC interviewed representatives of Alipay and Zhima Credit and pointed out that the way Alipay and Zhima Credit collected and used personal information was not in line with the spirit of the Specification.

The competent telecommunications department under the State Council (i.e., the MIIT) from time to time issues notifications to organise and carry out administrative inspections of network security in the telecommunications and internet industries. For example, on 30 May 2019, the Network Security Administration of the MIIT issued a circular on the administrative inspection of network security in the telecommunications and internet industries in 2019, requiring all telecommunications and internet enterprises to cooperate in the network security inspection work.11 At the same time, local telecommunications authorities usually publicly notify enterprises that fail to implement their network security obligations. For example, on 12 July 2018, the Shanghai Communication Administration notified four internet enterprises that their network security requirements had not been implemented effectively.12

The MPS is mainly responsible for the graded protection of cybersecurity. For example, it issued the Regulation on Network Security Graded Protection (Draft for Comment) in June 2018 and the Provisions on Internet Security Supervision and Inspection by Public Security Organs in September 2018. At the same time, the MPS has launched the 'Network Clearance Campaign' to punish illegal activities on the internet.13

In recent years, with the frequent occurrence of security incidents on the mobile internet, the China Consumers Association began to study the issue and released the Assessment Report on Collection of Personal Information by and the Privacy Policy of 100 Apps.14

In addition, the competent authorities of various industries also have the right to supervise violations in their industries. For instance, the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests provides that 'A financial consumer shall, when having any dispute on financial consumption with a financial institution, file the complaint with the financial institution first in principle. If the financial institution refuses to accept the complaint or fails to handle the complaint within a certain time limit, or the financial consumer is of the opinion that the financial institution's handling result is irrational, the financial consumer may file a complaint with the PBC branch at the place where the financial institution is located, the disputes occur or the contract is signed.'

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

Foreign organisations face significant compliance challenges in relation to data localisation requirements. Article 37 of the CSL provides that:

Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the PRC. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administration regulations have other provisions, those provisions shall prevail.

However, since the promulgation of the CSL, there have been no clear definitions for the terms CII and 'important data'. It is difficult for foreign organisations to predict whether they will fall under the strict data localisation rules.

Nevertheless, a number of industries have also enacted data localisation restrictions for specific types of data, as described below.

i Banking

The Notice of the People's Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests both provide that personal financial information acquired inside China shall be stored, processed and analysed inside China and that no personal financial information acquired inside China should be transferred abroad, except as otherwise required by law, regulation or provisions.

ii Insurance

Article 82 of the Standards for the Financial and Accounting Work of Insurance Companies (2012) requires that 'the business and financial data in the financial information system of an insurance company shall be stored inside the territory of China and backed up offsite.'

iii Credit investigation industry

Article 24 of the Regulation on the Administration of Credit Investigation Industry provides that credit investigation institutions shall arrange, save and process information collected inside China within the territory; if transferring the information abroad, they shall abide by the relevant laws and regulations.

iv Mails and express mails

Article 16 of the Measures for the Administration of the Real-Name Receipt and Delivery of Mails and Express Mails provides that delivery enterprises should store the user information and important data collected and generated during their receiving and sending activities inside China within the territory.

v Population health information

Article 10 of the Measures for the Administration of Population Health Information provides that responsible units shall not store information on the population on any server outside China, nor shall they host or lease any server outside China.

Article 30 of the National Health and Medical Big Data Standards, Safety and Service Management Measures (trial) provides that, if it is indeed necessary to provide health and medical big data abroad due to business needs, it shall be subject to security assessment and audit as required by the relevant laws and regulations.

vi Online taxi-booking business operations and services

Article 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services provides that an online taxi booking platform company shall store and use the personal information collected and business data formed in China within China, and that such information and data shall not be provided abroad unless otherwise required by laws and regulations.

vii Map

Article 34 of the Regulation on Map Management provides that an internet map service entity should locate the server storing map data inside China.

viii Network of civil aviation

Article 28 of the Interim Measures of Civil Aviation Network Information Security Management (Draft for Comment) stipulates that personal information and important data collected and generated by important information systems in operation inside China shall be stored within the territory.

IX CYBERSECURITY AND DATA BREACHES

The CSL is more focused on cybersecurity than on personal information protection and has introduced the concepts of 'network operation security' and 'network information security'. Article 21 of Chapter III (Network Operation Security) provides that the state implements a multi-level protection scheme for cybersecurity and that network operators should protect the network from interference, damage or unauthorised access and prevent network data from being divulged, stolen or falsified.

Article 25 of the CSL provides that network operators should formulate contingency plans for cybersecurity incidents and deal with system bugs, computer viruses, network attacks and intrusions in a timely manner; if an incident endangers cybersecurity, network operators shall immediately initiate the contingency plan, take remedial measures and report to the relevant competent authority.

In addition, the CSL provides separately for the operation security of CII. CII is related to the national economy and people's livelihoods, national security and public interests, and involves important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services and e-government. However, the CSL does not specify the precise scope of CII or the required security protection methods.

According to Article 21 of the CSL, all network operators in China are obligated to participate in the multi-level protection scheme (MLPS). From late 2018 to May 2019, the MPS and other departments jointly issued several national standards on the MLPS. These standards cover network infrastructure, important information systems, large internet websites, big data centres, cloud computing platforms, 'internet of things' systems, industrial control systems and public service platforms. In addition, these standards put forward new extended security requirements for the new technologies of cloud computing, the internet of things, mobile internet, industrial control and big data.

Article 40 of Chapter IV (Network Information Security) provides that 'Network operators shall strictly keep confidential users' personal information that they have collected, and establish and improve the users' information protection system.' Article 55 of the CSL provides that 'For the occurrence of cybersecurity incidents, it is necessary to activate contingency plans for cybersecurity incidents immediately, investigate and assess such incidents, require network operators to take technical measures and other necessary measures to eliminate potential security hazards, prevent expansion of the harm, and promptly issue warning information in relation to the public to society.'

X OUTLOOK

With the promulgation of the CSL, the Chinese data protection and cybersecurity legal regime has taken shape rapidly. China is drafting a separate Data Security Law and a Personal Information Protection Law, and these are expected to be passed in the next four years. These new laws will also be part of China's legal regime of cybersecurity and data protection.

Footnotes

1 Hongquan (Samuel) Yang is a partner at AnJie Law Firm.

2 Article 6 of the Regulations for Medical Institutions on Medical Records Management.

3 Article 16 of the Regulations for Medical Institutions on Medical Records Management.

4 Item 21, part 2 of the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps.

5 5.6 of the Specification.

6 7.10 of the Specification.

7 Article 38 of the Measures on Data Security Management (Draft for Comment).

8 Article 28 of the Measures on Data Security Management (Draft for Comment).

9 Article 3 of the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment).

10 Article 2 of the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment).

11 MIIT, the Circular on Doing a Good Job in the Administrative Inspection of Network Security in the Telecommunications and Internet Industries in 2019, http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057729/c6983820/content.html.

12 MIIT, The Shanghai Communication Administration notified four internet companies that the implementation of network security requirements was inadequate, http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057733/c6254778/content.html.

13 The MPS notification of launching the 2018 'Net Action' campaign, http://www.mps.gov.cn/n2254536/n2254544/n2254552/n6422073/index.html; the MPS notification of typical cases of launching the 2019 'Net Action' campaign, http://www.mps.gov.cn/n2254536/n2254544/n2254552/n6528162/index.html.

14 China Consumers Association, Assessment Report on Collection of Personal Information by and Privacy Policy of 100 Apps.