The Privacy, Data Protection and Cybersecurity Law Review: China
At present, there is no omnibus privacy and data protection law in China, with the current provisions on privacy and data protection mainly found in laws and the industry-specific regulations.
In 2012, the Standing Committee of the National People's Congress (NPC) issued the Decision on Strengthening Internet Information Protection, which provides some general principles for network service providers to protect the personal electronic information of Chinese citizens. Based on these principles, various departments under the State Council issued administrative regulations regulating the collection and processing of personal information in their respective fields. For example, the Ministry of Industry and Information Technology (MIIT) issued the Provisions on Protecting the Personal Information of Telecommunications and Internet Users in 2013, the State Post Bureau released the Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services in 2014, and the People's Bank of China released the Implementing Measures for the Protection of Financial Consumers' Rights and Interests in 2016.
On 7 November 2016, the Cybersecurity Law (CSL) was issued and it took effect on 1 June 2017. The official implementation of the CSL marks the gradual formation of China's new legal framework for cybersecurity and data protection. Among other things, the CSL covers the following aspects:
- personal information protection;
- general network protection obligations of the network operators and the multi-level protection scheme (MLPS);
- enhanced protection for the critical information infrastructure (CII);
- data localisation and security assessment for the cross-border transfer of personal information and important data; and
- security review of the network products and services.
On 28 May 2020, the NPC passed the Civil Code of the People's Republic of China (the Civil Code), which contains provisions on the protection of privacy and personal information and some high-level principles that are similar to those in the CSL.
As both the CSL and Civil Code are high-level laws and do not provide practical guidelines, China has been drafting a series of related implementation regulations and national standards.
These implementation regulations and national standards, together with the CSL and the Civil Code, constitute China's legal regime for cybersecurity and data protection. According to the 2020 legislative work plan of the NPC Standing Committee, several draft laws, such as the Personal Information Protection Law and the Data Security Law, will be submitted for deliberation.
The year in review
Since its promulgation, the CSL has exerted great influence on China's cybersecurity and data protection practice. Recent notable changes include the following.
i Personal information protection
On 1 May 2018, the Information Security Technology – Personal Information Security Specification (the Specification), a national standard took effect. Although the Specification is a recommended national standard, owing to the lack of a uniform personal information protection law, the Specification has, to some extent, been regarded as 'best practice' by enterprises. As the enforcement authorities also refer to the Specification in various personal information protection campaigns, the Specification has gained some authority. On 6 March 2020, a revised version of the Specification was issued and will take effect on 1 October 2020.
In the internet and mobile applications field, China has launched a number of enforcement campaigns to punish the unlawful or unreasonable collection or misuse of personal information:
- In January 2018, the Cyberspace Administration of China (CAC) interviewed the relevant officials of Alipay and Zhima Credit for what is known as the Alipay annual bill incident, and called for a special rectification in their personal information collection practice.
- In January 2018, the MIIT, in response to the violation of the privacy of users by relevant mobile phone apps, interviewed Baidu, Alipay and Toutiao, requiring the three enterprises to rectify their practice and to protect the users' right to know and right to choose.
- In November 2018, the China Consumers Association released the Assessment Report on Collection of Personal Information by 100 Apps and their Privacy Policies.
- In March 2019, the App Special Governance Panel, an organisation formed by the National Information Security Standardization Technical Committee (NISSTC) and three other associations, released the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps, for app operators to carry out self-check and self-correction concerning their collection and use of personal information.
- In November 2019, the CAC, MIIT, Ministry of Public Security (MPS) and the State Administration for Market Regulation released the Notice on Promulgation of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps for the enforcement agencies for reference.
- In July 2020, the NISSTC released the Network Security Standard Practice Guidelines – Self-Assessment Guidelines for Apps to Collect and Use Personal Information for App operators to have self-assessment.
ii Cybersecurity and data leakage
After the official implementation of the CSL, a number of enterprises have been punished for their failure to perform network security protection obligations or for data leakage:
- In May 2018, a company in Yunnan province was warned and fined by the public security authority for failing to take technical measures to prevent computer viruses and cyberattacks, network intrusions and other harmful behaviour.
- In July 2018, Datatang, a well-known domestic data company, was investigated and found illegally selling a huge volume of citizens' personal information.
- In August 2018, many residents of Huazhu, a domestic hotel, had their personal information leaked and sold online. The perpetrators were arrested.
- In March 2020, Sina Weibo, a domestic social network giant, was interviewed by the MIIT for App data leakage caused by malicious access to user interface.
iii Data localisation and cross-border transfer of data
In late 2018, the Ministry of Science and Technology published its penalties against BGI and Huashan Hospital for their international cooperation with Oxford University for research on Chinese human genetic resources without the approval of the competent authority. BGI was found to have transferred abroad information on human genetic resources over the internet. The two enterprises were ordered to stop the related study projects, destroy all the genetic materials and the related research data, and suspend any international cooperation on human genetic resources until they are reassessed as qualified again. It should be noted that the punishment originated from the violation of the Provisional Administrative Measures of Human Genetic Resources, an industry-specific regulation effective long before the CSL was in place.
i Privacy and data protection legislation and standards
China's legal regime of privacy and data protection includes the Civil Code, the CSL and privacy and data protection provisions dispersed in various laws and regulations, including:
- the National Security Law;
- the E-commerce Law;
- the Tourism Law;
- the Anti-Terrorism Law;
- the Implementing Measures of the PRC for the Protection of Financial Consumers' rights and interests;
- the Interim Measures for the Administration of Online Taxi-Booking Business Operations and Services;
- the Criminal Law;
- the Administrative Provisions on Short Message Services;
- the Regulations on Management of Internet User Account Name;
- the Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services;
- the Law on the Protection of Rights and Interests of Consumers;
- the Administrative Regulations on Credit Investigation Industry;
- the Several Provisions on Regulating the Order of the Internet Information Service Market;
- the Law on Resident Identity Cards; and
- the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
China's legal regime on cybersecurity and data protection also includes the judicial interpretations made by the Supreme People's Court and the Supreme People's Procuratorate, such as:
- Interpretation of several issues regarding application of law to criminal cases of infringement of citizen's personal information handled by the Supreme People's Court and the Supreme People's Procuratorate; and
- Provisions of the Supreme People's Court on application of laws to cases involving civil disputes over infringement upon personal rights and interests by using information networks.
National standards are another key part of the cybersecurity and data protection legal regime. Though they are not compulsory, they are generally regarded as best practice by enterprises. Important national standards (including draft versions) include:
- Information Security Technology – Personal Information Security Specification;
- Information Security Technology – Guidelines for Personal Information Protection Within Information System for Public and Commercial Services;
- Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft) (draft for comment);
- Information Security Technology – Guide to De-Identifying Personal Information (draft for comment);
- Information Security Technology – Security Impact Assessment Guide of Personal Information (draft for comment);
- Information Security Technology – Security Requirements for Data Exchange Service (Draft for Comment); and
- Information Security Technology – Risk Assessment Specification for Information Security (draft for comment); etc.
The CSL defines the terms 'network operator' and 'personal information'. Under the CSL, a network operator refers to the owner or manager of a network or the provider of a network service; personal information refers to various information that is recorded in electronic or any other form and used alone or in combination with other information to recognise the identity of a natural person, including but not limited to their name, date of birth, ID number, personal biological identification information, address and telephone number of the natural person.
The Civil Code defines 'personal information' as all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify specific natural persons, including the natural persons' names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, email addresses, health information, whereabouts, etc.
The Specification makes minor wording changes to the definition of 'personal information' under the CSL and the Civil Code. According to the Specification, personal information means any information saved in electronic form or otherwise that can be used independently or together with other information to identify a natural person or reflect the activities of a natural person, including names, dates of birth, identification numbers, personal biometric information, addresses, contact information, records and content of communications, accounts and the passwords thereof, property information, credit reference information, whereabouts and tracks, hotel accommodation information, information concerning health and physiology, information on transactions, etc.
The Specification also defines the 'personal sensitive information' as personal information that may cause harm to personal or property security, or is very likely to result in damage to an individual's personal reputation or physical or mental health or give rise to discriminatory treatment, once it is leaked, unlawfully provided or abused, including identification numbers, personal biometric information, bank accounts, records and content of communications, property information, credit reference information, whereabouts and tracks, hotel accommodation information, information concerning health and physiology, information of transactions, personal information of children aged 14 or younger, etc. Also, the Specification clarifies that personal information formed by the personal information controller through the processing of personal information or other information that may cause harm to personal or property security, or is very likely to result in damage to an individual's personal reputation or physical or mental health or give rise to discriminatory treatment, once it is leaked, unlawfully provided or abused, is personal sensitive information.
China has not had a specific stipulation on the ownership of personal information, and it has been disputed whether personal information belongs to the relevant personal information subjects. The newly issued Civil Code stipulates the protection of personal information in the 'Personality Rights' Chapter, indicating that the rights pertaining to personal information are personality rights of the personal information subjects. However, the Civil Code is silent on whether the personal information subjects 'own' their personal information, or whether they are entitled to any property rights in relation to their personal information. As a unified Personal Information Protection Law is being drafted by legislators, whether there will be provisions dealing with the ownership of personal information remains to be seen.
The Specification also provides the definition of 'personal information subject' and 'personal information controller'. According to the Specification, a personal information subject means a natural person who can be identified or connected to by reference to personal information; a personal information controller means an organisation or an individual who is capable of determining the purposes and means of the processing of personal information. The Specification does not define the 'personal information processor'.
According to the Specification, the basic principles for personal information protection include:
- consistency between rights and liabilities: it shall take technical and other necessary measures to ensure the security of personal information and bear liabilities for any damage caused by its activities of processing personal information to the legal rights and interests of personal information subjects;
- clear purpose: it shall have explicit, clear and specific purposes in processing personal information;
- solicitation for consent: it shall explicitly specify the purposes, manners, scope and rules in respect of the processing of personal information, and seek their authority and consent;
- minimum sufficiency: it shall merely process the minimum categories and amount of personal information necessary for achieving the purpose authorised and consented to by personal information subjects. It shall delete the personal information in a timely manner as agreed once this purpose is achieved;
- openness and transparency: it shall make public the scope, purposes, rules, etc., in respect of the processing of personal information in an explicit, easily understandable and reasonable manner, and accept public oversight;
- guarantee of security: it shall be capable of ensuring security to a degree corresponding to the security risks it faces, and take sufficient management measures and technological approaches to safeguard the confidentiality, completeness and availability of personal information; and
- involvement of personal information subjects: it shall provide personal information subjects with opportunities to access, modify and delete their own personal information and to withdraw their consent and cancel their own account and make complaints.
If in violation of the related provisions on personal information protection, according to Article 64 of the CSL, if network operators or providers of network products or services infringe upon any right in personal information that is legally protected, they will receive punishments from the competent authorities, such as rectification, warning, confiscation of illegal earnings and fines; if in severe violations, the punishment may cover suspension of related business, winding up for rectification, shutdown of their website, and revocation of their business licence. Also, stealing or otherwise unlawfully obtaining any personal information, or selling or unlawfully providing such information to others that does not constitute a crime will be punished through confiscation of the illegal earnings or a fine.
ii General obligations for data handlers
The CSL only provides some general principles for personal information protection, Article 41 of the CSL provides that:
Network operators shall abide by the 'lawful, justifiable and necessary' principles to collect and use personal information by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected. No network operator may collect any personal information that is not related to the services it provides. It shall collect and use, and process and store personal the information in the light of laws and administrative regulations and agreement with the users.
The principles for personal information protection in the Civil Code are similar to those in the CSL. Article 1035 of the Civil Code provides that:
The processing of personal information shall be subject to the principle of legitimacy, rightfulness and necessity, with no excessive processing, and shall meet the following conditions:
(a) Obtaining the consent of the natural person or the guardian thereof, unless otherwise provided by laws or administrative regulations;
(b) Disclosing rules on processing information;
(c) Expressly stating the purpose, method and scope of information to be processed; and
(d) Not violating the provision of the laws and administrative regulations and the agreement of both parties.
Processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, etc.
As for the right of the personal information subject, Article 43 of the CSL provides that:
Each individual is entitled to require a network operator to delete his or her personal information if he or she founds that collection and use of such information by such operator violate the laws, administrative regulations or the agreement by and between such operator and him or her; and is entitled to require any network operator to make corrections if he or she founds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error.
Article 1037 of the Civil Code provides that:
A natural person may consult or copy his or her personal information with any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner.
Where a natural person discovers that an information processor has processed his or her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he or she shall have the right to request that the information processor promptly delete the information.
The Specification provides more specific provisions on the collection and use of personal information.
Collection of personal information
Under the Specification, the collection of personal information should be subject to the principle of lawfulness, minimisation, as well as the authorisation of the personal information subject (explicit consent should be obtained if involving sensitive personal information). However, a personal information controller may collect and use personal information, without the need to obtain the authority and consent from personal information subjects, under any of the following circumstances:
- where the collection and use are related to the performance of the obligations under laws and regulations by the personal information controller;
- where the collection and use are in direct relation to state security or national defence security;
- where the collection and use are in direct relation to the public security, public sanitation, or major public benefits;
- where the collection and use are in direct relation to investigations into crimes, prosecutions, court trials, execution of rulings, etc.;
- where the collection and use are for the sake of safeguarding significant legal rights and interests, such as the life and property, of personal information subjects or other individuals, but it is difficult to obtain their consent;
- where the personal information collected is the information voluntarily published by personal information subjects before the general public;
- where the personal information is collected from information that has been legally and publicly disclosed, such as legal news reports and information published by the government;
- where the collection and use are necessary for inking and performing contracts as required by personal information subjects;
- where the collection and use are necessary for ensuring the safe and stable operation of its products or services, such as identifying and disposing of faults in its products or services;
- where the personal information controller is a news agency and the collection and use are necessary for releasing news reports in a legal manner; and
- where the collection and use are necessary for the personal information controller, as an institute for academic research, to have statistical programmes or academic research for the sake of the general public, and it has processed the personal information, which is contained in the results of academic research or descriptions, for de-identification purposes, while announcing these results to the general public.
The Specification specifies that explicit consent means the act of a personal information subject granting authority for the processing of his or her personal information, either through making voluntary (either electronic or written) statements such as a written or oral statement or his or her voluntary affirmative action, with the affirmative action including voluntarily ticking or clicking the 'agree', 'register', 'send', 'dial', or voluntarily filling in or providing their personal information, etc. by personal information subjects.
Use of personal information
According to the Specification, a personal information controller is required to disable the ability of personal information it uses to clearly point to certain identities, unless as needed for realising certain purposes, to avoid a situation in which certain individuals are successfully identified; for newly generated information from the processing of the collected personal information that can identify natural persons' identities independently or together with other information or reflect their activities, such information should be treated as personal information; and not use personal information for any purpose beyond the scope directly or reasonably related to those purposes claimed by it at the time when the personal information is collected. Where it is truly necessary to use the personal information beyond the said scope to suit its business demands, it shall obtain explicit consent of personal information subjects concerned again.
If any circumstance below occurs, the personal information controller should notify the personal information subject:
- Prior to the collection of personal information. The personal information controller should inform personal information subjects explicitly of the categories of personal information that will be collected under different business functions of its products or services, and the rules on how personal information will be collected and used (for example, why, how and how often personal information will be collected and used, the territory where personal information will be stored, how long personal information will be stored, its data security capability, and particulars of its sharing, transferring and public disclosure of personal information), and obtain the authority and consent of personal information subjects.
- Suspension of personal information controllers' operation. If a personal information controller suspends operation in regard to its products or services, it shall serve a notice of suspended operation on each personal information subject or publicly release an announcement for this purpose.
- Sharing and transfer of personal information. The personal information controller shall inform personal information subjects of the purposes for which their personal information will be shared or transferred, categories of data recipients and the possible consequence of the sharing and transfer, and obtain the authority and consent of personal information subjects in advance. Before sharing or transferring personal sensitive information, it shall also inform what categories of personal sensitive information are involved, identities of data recipients and their data security capability, and shall obtain explicit consent of each personal information subject.
- Transfer of personal information in acquisitions, mergers, restructuring and bankruptcy.
- Public disclosure of personal information. The personal information controller shall inform personal information subjects of the purposes for which their personal information will be publicly disclosed and what categories of information will be publicly disclosed, and obtain the authority and consent of personal information subjects in advance. Before publicly disclosing personal sensitive information, it shall also inform them of what personal sensitive information will be involved.
- Joint personal information controllers. The personal information controller shall determine and inform personal information subjects explicitly of, what requirements in respect of personal information security shall be fulfilled, and the respective duties and obligations of itself and the third party in respect of personal information security, in a contract or otherwise.
- Security incidents. A personal information controller is required to promptly notify each affected personal information subject of the particulars of the security incident, by means of emails, letters, calls or pushed notifications. Where it is difficult to notify all affected personal information subjects one by one, it shall issue alerts in relation to the general public in a reasonable and effective manner; the content of a notification shall include but not be limited to (1) what the security incident is and its impact; (2) what measures it has taken or will take to deal with the incident; (3) advice on what actions could be taken by personal information subjects themselves to avoid the impact and reduce risks; (4) remedial measures available for personal information subjects; and (5) contact information of the head in charge of personal information protection and the agency in charge of personal information protection.
iii Data subject rights
Article 43 of the CSL provides that:
Each individual is entitled to require a network operator to delete his or her personal information if he or she founds that collection and use of such information by such operator violate the laws, administrative regulations or the agreement by and between such operator and him or her; and is entitled to require any network operator to make corrections if he or she founds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error.
The Civil Code contains similar data subject rights.
According to the Specification, the personal information subject has the right to access, modify, delete the personal information, withdraw the consent, cancel account, obtain the copies of personal information.
Access to personal information
A personal information controller shall provide personal information subjects with methods regarding how to access the following information: what personal information of the personal information subjects it holds, or categories of this personal information; from where the personal information is sourced, and for what; and the identities of third parties that have obtained the personal information, or categories of these third parties.
Where a personal information subject raises a request to access their personal information that is not voluntarily provided by itself, the personal information controller, may decide whether to agree to the request or not and give reasons, after comprehensively taking into account the likely risks and damage that may arise to the personal information subject's legal rights and interests if it disagrees with his or her request, technical feasibility, costs of agreeing to the request, and other related factors.
Modification of personal information
If a personal information subject finds that his or her personal information held by a personal information controller is inaccurate or incomplete, the personal information controller shall make it possible for the subject to request correction of the information or the provision of additional information.
Deletion of personal information
A personal information controller is required to fulfil the requirements below:
- if a personal information subject requires it to delete their personal information under any of the following circumstances, it shall delete his or her personal information in a timely manner where:
- the personal information controller collects or uses the personal information in a way that violates the provisions of laws and regulations; or
- the personal information controller collects or uses the personal information in a way that violates its agreement with the personal information subject;
- if it shares the personal information of a personal information subject with or transfers it to a third party, in violation of the provisions of laws and regulations or its agreement with the personal information subject, and the subject requires it to delete his or her personal information, it shall cease sharing or transferring the information immediately, and instruct the third party concerned to delete the information in a timely manner; and
- if it publicly discloses personal information in a way that violates the provisions of laws and regulations or its agreement with the personal information subject, and the personal information subject requires it to delete the information, it shall cease the public disclosure of the information immediately, and issue a notice to require related recipients to delete the information concerned.
Personal information subjects' withdrawal of consent
A personal information controller is required to make it possible for personal information controllers to withdraw their consent to the authorised collection and use of their personal information. Once the consent has been withdrawn, it shall no longer process the personal information concerned thereafter. A controller must also guarantee personal information subjects' rights to refuse to receive commercials pushed on the basis of their personal information. Where personal information is shared with, transferred or publicly disclosed to external parties, it shall make it possible for personal information subjects to withdraw their consent.
A personal information subject's withdrawal of his or her consent does not affect the consent-based processing of personal information prior to the withdrawal.
Personal information subjects' cancellation of accounts
A personal information controller must meet the following requirements:
- if it offers products or services through registered accounts, it shall make it possible for personal information subjects to cancel their own account and the method to cancel an account should be easily and conveniently feasible; and
- after a personal information subject has cancelled his or her account, it shall delete or anonymise his or her personal information. If the personal information should be retained under laws and regulations, the personal information controller shall not use it for day-to-day business activities.
Personal information subjects' request for copies of personal information
A personal information controller may, upon the request of a personal information subject, make it possible for the subject to obtain a copy of the following categories of his or her own personal information, or directly transit a copy of the following categories of his or her own personal information to a third party, provided that the technology is practicable:
- the subject's basic information and information about his or her identification; and
- the information about the subject's health, psychological status, education and employment.
iv Specific regulatory areas
There are no specific provisions in Chinese laws and regulations regarding workplace privacy protection. In the daily operation management, for the need of supervision and management, enterprises may monitor the behaviour of employees. It is generally considered that such monitoring behaviour falls under the enterprise's business autonomy scope, which has certain legitimacy. For example, companies may obtain images of employees through a camera, fingerprint of employees through attendance machines, or information about employees' location through app location function, which often involves collection of sensitive information of employees (whereabouts and tracks, biometric information, etc.). For the purpose of protecting the privacy of employees, enterprises should first ensure that the above-mentioned monitoring measures, as well as the employee information they collect, are for a legitimate purpose and are necessary for business operations, and avoid collecting or monitoring any employee information during non-working hours and outside the workplace. Second, the type, purpose, manner of collection and protective measures of the information collected should be notified to the employee, and the employee's written consent should be obtained.
According to the Provisions on Cyber Protection of Personal Information of Children, network operators that collect, use, transfer or disclose personal information of children shall, in a notable and clear way, notify children's guardians of their practices, and obtain the consent from children's guardians.
Health and medical privacy
The Measures for the Management of Population Health Information (on Trial), Law on Licensed Doctors of the PRC, Nurses Ordinance and the Regulations for Medical Institutions on Medical Records Management provide the requirements for medical institutions and staffs to protect patients' personal information. For example, the Regulations for Medical Institutions on Medical Records Management require that, 'medical institutions and medical staff shall strictly protect patient privacy. Any leakage of patients' medical records for non-medical, non-teaching or non-research purposes is forbidden'.2 It also provides the keeping, saving, borrowing and copying of the medical records.3
The Specification also provides guidance on collection and use of personal biometric information. According to the Specification, personal biometric information includes personal gene, fingerprint, voiceprint, palmprint, auricle, iris, facial recognition features, etc. Before collecting personal biometric information, personal information controller should serve a separate notice to the personal information subject of the purpose, method and scope of the collection and use of the personal biometric information, as well as the storage period and other processing rules and obtain the personal information subject's explicit consent. In principle, personal biometric information should not be shared or transferred. If it is truly necessary to share or transfer personal biometric information owing to business needs, the personal information controller should separately inform the personal information subject of the purpose of the sharing and transfer, the category of the personal biometric information involved, the identity and data security capacity of the data recipient, and obtain the personal information subject's explicit consent.
The Specification also emphasises that personal biometric information should be stored separately from personal identity information. In principle, the original personal biometric information (such as samples, images, etc.) should not be stored. The measures that can be taken include but are not limited to:
- storing only the summary information of personal biometric information;
- using personal biometric information directly in the collection terminal; and
- deleting the original image, which can extract personal biometric information after using facial recognition features, fingerprint, palmprint, iris to identify, authenticate and other functions.
The Notice of the People's Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests provides the obligations that banking and financial institutions should fulfil. According to the two notices, personal financial information includes personal identity information, personal property information, personal account information, personal credit information, personal financial trading information, derivative information and other personal information obtained and preserved in the process of establishing a business in relation with a person. In protecting personal financial information, banking financial institutions should strictly abide by the legal provisions, establish and improve the internal control by-laws, improve the information security technology prevention measures, strengthen the training of the professionals and intensify professionals' awareness of personal financial information security. Provision of personal financial information collected inside China abroad is not allowed unless otherwise required by laws and regulations and the People's Bank of China.
v Technological innovation
For profiling or automated decision-making, the Specification stipulates that where the information system used by the personal information controller in business operations has an automatic decision-making mechanism and can have a significant impact on the rights and interests of personal information subjects (for example, automatically determining the subject's credit status and the quota of credit loans available to the subject, or used for automated screening of interviewers), the personal information controller shall:
- carry out the personal information security impact assessment in the planning and design stage or before the first use, and take effective measures to protect the personal information subject according to the assessment results;
- carry out the personal information security impact assessment regularly (at least once a year) during use, and improve the measures to protect the personal information subject according to the assessment results; and
- provide a complaint channel for personal information subjects for automatic decision-making results, and allow manual review of the automatic decision-making results.
The CSL does not differentiate anonymisation, de-identification and pseudonymisation; it is noteworthy, however, Article 42 of the CSL provides that, 'No network operator may disclose, tamper with or destroy personal information that it has collected, or disclose such information to others without prior consent of the person whose personal information has been collected, unless such information has been processed to prevent specific person from being identified and such information from being restored.' Therefore, only when a technique, regardless of anonymisation, de-identification and pseudonymisation, could meet the requirement of 'such information has been processed to prevent specific person from being identified and such information from being restored', could the personal information processed not be regarded as personal information.
The Information Security Technology – Guide for De-Identifying Personal Information (Draft for Comment) provides the related requirements for de-identification, as well as the pseudonymisation technique.
The Specification regards the following personal information as personal sensitive information and requires the controller to obtain the personal information subject's explicit consent for the collection and process:
- information concerning property owned by an individual: bank account, identification information (code), deposit information (including the amount of deposits, records of receipts and payments, etc.), real estate information, credit loan records, credit reference information, records of transactions and consumptions, flow records, etc., and information about virtual property, such as virtual currency, virtual transactions, and CD-keys for games;
- information concerning the health and psychological status of an individual: records formed from an individual's illness and treatment, such as symptoms of illness, in-hospital logs, physician's advices, test reports, records of operations and anaesthesia, nursing records, records of drugs used, information on allergy to drugs and foods, childbirth information, his or her medical history, particulars of treatment, medical history of his or her family, history of present illness, history of infectious diseases, etc.;
- biometric information of an individual: personal genes, fingerprints, vocal prints, palm prints, auricle, iris, facial recognition features, etc.;
- identification information of an individual: identity card, military officer certificate, passport, driving licence, work licence, social insurance card, residence permit, etc.;
- other information: sexual orientation, marital history, religious belief, records of undisclosed violations and crimes, communication records and the content thereof, contact lists, lists of friends, list of groups the individual has joined, whereabouts and tracks, web-browsing history, information on hotel accommodation, information on accurate positioning, etc.
Apart from obtaining explicit consent from the personal information subject, the current law in China does not impose any other restrictions on using the personal sensitive information. It is possible that the forthcoming Personal Information Protection Law will provide more details on those controversial personal information techniques (such as facial recognition technique).
International data transfer and data localisation
China has not yet concluded any international data protection framework or agreements.
Although the CSL provides the obligations for the CII operators to localise the personal information and important data collected and generated inside China, it does not elaborate on the definition and specific scope of the CII and the 'important data'; nor does it provide operational guidelines for the specific requirements of data localisation and security assessment for cross-border data transfer. The related implementation regulation and national standard is still in the progress of draft.
In May 2019, the CAC issued the Measures on Data Security Management (Draft for Comment) for public consultation, which provides that , 'Important data' refer to the kind of data, if divulged, may directly affect national security, economic security, social stability and public health and security, such as undisclosed government information, large-scale population, genetic health, geography and mineral resources, etc. Important data shall usually not include information related to the production and operation and internal management of enterprises or personal information, etc.'5 and 'Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.'6
In June 2019, the CAC issued the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) for public consultation. It provides that, 'before the cross-border transfer of personal information, network operators shall apply to the local cyberspace administrations at the provincial level for security assessment for cross-border transfer of personal information.'7 'If it is identified by the security assessment that the cross-border transfer of personal information may affect national security or damage public interest, or that it is difficult to effectively protect the security of personal information, cross-border transfer of such information shall not be allowed.'8
According to the Measures on Data Security Management (Draft for Comment) and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment), whether the important data and personal information can be transferred abroad should be decided by the government. Whether these controversial requirements will pass as they are remains to be seen.
On 3 July 2020, a draft version of the Data Security Law (DSL) was issued to solicit public opinions. The draft DSL provides some high-level principles for cross-border flow of data. Article 10 of the DSL stipulates that 'The state actively carries out international exchange and cooperation in the field of data, participates in the formulation of international rules and standards related to data security, and promotes cross-border flow of data safely and freely.' However, the DSL also set restrictions on cross-border flow of data under some special conditions. Article 23 of the DSL stipulates that 'The state exercises export control over data pertaining to controlled items related to fulfilling international obligations and maintaining national security.'
The DSL does not list the data types of items subject to export control. It remains to be seen whether the legislature will continue to revise the provisions of the DSL, which restrict the cross-border flow of data, or whether it will formulate relevant supplementary regulations to implement the DSL.
As for the forensics of cross-border electronic data evidence, Article 4 of the Law on International Criminal Judicial Assistance provides that:
No foreign institution, organisation or individual may conduct criminal proceedings prescribed by this Law within the territory of the People's Republic of China without the approval of the competent authority of the People's Republic of China, and no institution, organisation or individual within the territory of the People's Republic of China may provide evidentiary materials and assistance prescribed by this Law to foreign countries.
Article 33 of the draft DSL also stipulates that:
If an overseas law enforcement agency requests access to the data stored in the People's Republic of China, the relevant organisations and individuals shall report to the relevant competent authorities and provide the data only after obtaining authorities' approval. If the international treaties and agreements concluded or acceded to by the People's Republic of China have provisions on the access of domestic data by foreign law enforcement agencies, such provisions shall prevail.
Company policies and practices
At this stage, Chinese law has no universal requirements for network operators to establish a complete privacy management programme. However, Article 25 of the draft DSL stipulates that:
When carrying out data activities, a whole process data security management system shall be established and improved in accordance with the provisions of laws, administrative regulations and the mandatory requirements of national standards, education and training on data security shall be organised, and corresponding technical measures and other necessary measures shall be taken to ensure data security. The processor of important data shall set up a person in charge of data security and a management organisation to implement the responsibility of data security protection.
The CSL provides some high-level generic network security requirements. For example, under the CSL network operators should formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity, and implement the responsibility for cybersecurity protection. In addition, network operators shall formulate contingency plans for cybersecurity incidents, and promptly deal with system bugs, computer viruses, network attacks and intrusions and other security risks; network operators shall adopt technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent such information from being divulged, damaged or lost. If personal information has been or may be divulged, damaged or lost, it is necessary to take remedial measures immediately, inform users promptly according to the provisions and report the same to the relevant competent departments.
The Specification provides that a personal information controller is required to fulfil the requirements as below:
- it shall make clear that its legal representative or the chief in charge of the controller shall undertake the overall leadership responsibility for personal information, including guaranteeing the human resources, financial resources and materials needed for the work to ensure personal information security;
- it shall appoint a head in charge of personal information protection and set up an agency in charge of personal information protection;
- it shall establish, maintain, and update records of processing activities of personal information being collected and used;
- it shall establish a system for personal information security impact assessment, and assess the personal information security impact regularly (at least once a year);
- it shall develop its data security capability and put into place necessary managerial and technical measures in accordance with the rules specified in applicable national standards, to avoid personal information being leaked, destroyed, lost or tampered with;
- it shall pay attention to the personnel management and training, such as entering into a confidentiality agreement with personnel who are in the position of personal information processing and conducting a background review for personnel who are exposed to large amounts of personal sensitive information, making clear the security duties of each internal post in relation to the processing of personal information, and having in place the mechanism to impose punishments when a security incident arises;
- offering specialised training programmes and assessment for personal information security to personnel who are in posts concerning the processing of personal information, either on a regular basis (once a year) or when there are drastic changes to its privacy policies, etc.; and
- it shall audit the effectiveness of its privacy policies, relevant rules and processes, and security measures.
- basic information about this personal information controller, including name and contact method of the controller;
- business functions for which personal information will be collected and used, and categories of personal information collected under various business functions (if personal sensitive information is involved, it shall be clearly marked or highlighted);
- rules on the processing of personal information, including how this information will be collected and how long this information will be stored, and information on cross-border data transfer;
- purposes for which personal information is shared with, transferred to, or publicly disclosed among, external parties, categories of personal information concerned, categories of third parties that receive the personal information, and the legal liability borne by them;
- the rights of personal information subjects and the mechanism to exercise these rights, such as how to access, modify and delete their own personal information, how to cancel the account, how to withdraw their consent, how to obtain a copy of their own personal information, and how to make complaints against the result by the information system's automatic decision-making;
- likely security risks after personal information subjects have provided their personal information, and potential impacts that may arise if they refuse to provide such information;
- what basic principles it observes for the security of personal information, what capacity it has for data security and what safeguards it has taken to ensure the security of personal information. Certificates of compliance related to data security and personal information protection can be published when necessary; and
- in what ways and under what mechanisms enquiries and complaints filed by personal information subjects will be handled, and the department in charge of handling external disputes and its contact information.
Discovery and disclosure
Article 18 of the Anti-Terrorism Law requires that:
telecommunications business operators and internet service providers shall provide technical interface, decryption and other technical support and assistance for the prevention and investigation of terrorist activities conducted by public security authorities and national security authorities in accordance with the law.
In addition, the Specification stipulates that in principle personal information shall not be publicly disclosed. When the personal information controller is authorised by law or has reasonable grounds for public disclosure, it should meet the following requirements:
- conduct a personal information security impact assessment in advance and take effective measures to protect the personal information subject based on the assessment results;
- inform the subject of personal information of the purpose for the public disclosure and categories of personal information to be disclosed, and obtain the explicit consent of the subject of personal information in advance;
- before publicly disclosing personal sensitive information, the subject of personal information should also be informed of the content of personal sensitive information involved;
- accurately record and store the public disclosure of personal information, including the date, scale, purpose and scope of public disclosure;
- bear the corresponding responsibility for the damage caused by the public disclosure of personal information to the legitimate rights and interests of personal information subjects;
- personal biometric information should not be publicly disclosed; and
- analysis results of personal sensitive data such as race, ethnicity, political views and religious beliefs of citizens should not be publicly disclosed.
However, a personal information controller need not seek the authority and consent of personal information subjects in advance where:
- the sharing, transfer or public disclosure is related to the performance of obligations under laws and regulations by the personal information controller;
- the sharing, transfer or public disclosure is in direct relation to state security or national defence security;
- the sharing, transfer or public disclosure is in direct relation to public security, public sanitation, or major public benefits;
- the sharing, transfer or public disclosure is in direct relation to investigations into crimes, prosecutions, court trials, execution of rulings, etc.;
- the sharing, transfer or public disclosure is for the sake of safeguarding significant legal rights and interests, such as the life and property, of personal information subjects or other individuals, but it is difficult to obtain their consent;
- the personal information to be shared, transferred or publicly disclosed is voluntarily made public by personal information subjects themselves; and
- the personal information is collected from information that has been legally and publicly disclosed, such as legal news reports and information published by the government.
Therefore, if for the purpose mentioned above, government agencies may require personal information controllers to publicly disclose personal information.
Information disclosure required by foreign government agencies shall comply with Article 4 of the Law on International Criminal Judicial Assistance.
Public and private enforcement
Article 8 of the CSL provides that 'The national cyberspace administration authority is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration work. The competent telecommunication department of the State Council, public security departments and other relevant authorities shall be responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the provisions of this Law and other relevant laws and administrative regulations. Responsibilities of relevant departments under local people's governments at or above the county level for protecting, supervising and administering cybersecurity shall be determined in accordance with the relevant.'
For undesirable practices, the main measure taken by the CAC is to interview the responsible persons of relevant network operators. For example, on 6 January 2018, the Network Security Coordination Bureau of the CAC interviewed relevant representatives of Alipay and Zhima Credit and pointed out that the way of using and collecting personal information in Alipay and Zhima Credit is not in line with the spirit of the Specification.
The competent telecommunications department under the State Council (i.e., the MIIT) from time to time issues notifications to organise and carry out administrative checks on network security in the telecommunications and Internet industries. For example, on 30 May 2019, the Network Security Administration of the MIIT issued a circular on the administrative inspection of network security in the telecommunications and internet industries in 2019, requiring all telecommunications and internet enterprises to cooperate in the network security inspection work.9 At the same time, local telecommunications authorities usually notify enterprises that fail to implement their network security obligations. For example, on 12 July 2018, the Shanghai Communication Administration notified four internet enterprises that their network security requirements had not been implemented effectively.10
The MPS is mainly responsible for the protection of cybersecurity levels. For example, it issued the Regulation on Network Security Graded Protection (Draft for Comment) in June 2018 and the Provisions on Internet Security Supervision and Inspection by Public Security Organs in September 2018. At the same time, the MPS has launched the campaign 'Network Clearance Campaign' to punish illegal activities on the internet.11
In recent years, with the frequent occurrence of security incidents on mobile internet, China has established the App Special Governance Panel, an organisation formed by the NISSTC and three other associations to assist government in investigating and evaluating unlawful collection and use of personal information by Apps.
In addition, the competent authorities of various industries also have the right to supervise violations in their industries. For instance, the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests provides that 'A financial consumer shall, when having any dispute on financial consumption with a financial institution, file the complaint with the financial institution first in principle. If the financial institution refuses to accept the complaint or fails to handle the complaint within a certain time limit, or the financial consumer is of the opinion that the financial institution's handling result is irrational, the financial consumer may file a complaint with the PBC branch at the place where the financial institution is located, the disputes occur or the contract is signed.'
Considerations for foreign organisations
Foreign organisations face significant compliance challenges in relation to data localisation requirements. Article 37 of the CSL provides that:
Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the PRC. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administration regulations have other provisions, those provisions shall prevail.
However, since the promulgation of the CSL, there have been no clear definitions for the terms CII and 'important data'. It is difficult for foreign organisations to predict whether they will fall under the strict data localisation rules.
Nevertheless, a number of industries have also enacted restrictions on specific data localisation, as described below.
The Notice of the People's Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and the Notice of the People's Bank of China on Issuing the Implementation Measures of the People's Bank of China for Protecting Financial Consumers' Rights and Interests both provide that personal financial information acquired inside China shall be stored, processed and analysed inside China and no personal financial personal information acquired inside China should be transferred abroad, except as otherwise required by law, regulation or provisions.
Article 82 of the Standards for the Financial and Accounting Work of Insurance Companies (2012) requires that 'the business and financial data in the financial information system of an insurance company shall be stored inside the territory of China and backed up off-site.'
iii Credit investigation industry
Article 24 of the Regulation on the Administration of Credit Investigation Industry provides that credit investigation institutions shall arrange, save and process information collected inside China within the territory; and if transferring the information abroad, it shall abide by relevant laws and regulations.
iv Mails and express mails
Article 16 of the Measures for the Administration of the Real-Name Receipt and Delivery of Mails and Express Mails provides that delivery enterprises should store the user information and important data collected and generated by it during its receiving and sending activities inside China within the territory.
v Population health information
Article 10 of the Measures for the Administration of Population Health Information provides that responsible units shall not store information on the population on any server outside China, nor shall they host or lease any server outside China.
Article 30 of the National Health and Medical Big Data Standards, Safety and Service Management Measures (trial) provides that specifies that, if it is indeed necessary to provide health and medical Big Data abroad due to business needs, it shall be subject to security assessment and audit as required by relevant laws and regulations.
vi Online taxi-booking business operations and services
Article 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services provides that an online taxi booking platform company shall store and use the personal information collected and business data formed in China; and the information and data shall not be provided abroad, unless otherwise required by laws and regulations.
Article 34 of the Regulation on Map Management provides that an internet map service entity should set the server storing map data inside China.
viii Network of civil aviation
Article 28 of the Interim Measures of Civil Aviation Network Information Security Management (Draft for Comment) stipulates that personal information and important data collected and generated by important information systems in operation inside China shall be stored within the territory.
Cybersecurity and data breaches
According to the DSL, the state shall establish a centralised, unified, efficient and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring and early warning, and strengthen the acquisition, analysis, research and judgment, and early warning of data security risk information.12 When carrying out data activities, enterprises shall strengthen risk monitoring, and take immediate remedial measures when data security defects and loopholes are found. When data security incidents occur, users shall be informed in time and reported to relevant competent authorities.13
The CSL is more focused on cybersecurity than personal information protection and has proposed the concepts of 'network operation security' and 'network information security'. Article 21 of Chapter III (Network Operation Security) provides that the state implements multi-level protection scheme for cybersecurity and network operators should prevent the network from interference, damage or unauthorised access and network data from being divulged, stolen or falsified.
Article 25 of the CSL provides that network operators should formulate contingency plans for cybersecurity incidents and deal with system bugs, computer viruses, network attacks and intrusions in a timely manner; if the incident endangers cybersecurity, network operators shall immediately initiate the contingency plan, take remedial measures and report to the relevant competent authority.
In addition, the CSL provides separately that operation security of CII. The CII is related to national economy and people's livelihoods, national security and public interests, and involves important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services and e-government. But the CSL does not specify the specific scope of CII and security protection methods.
According to the Article 21 of the CSL, all network operators in China are obligated to participate in the multiple-level protection scheme (MLPS). From late 2018 to May 2019, the MPS and other departments jointly issued several national standards on the MLPS. These standards include network infrastructure, important information systems, large internet websites, big data centres, and cloud computing platforms, 'internet of things' systems, industrial control systems, and public service platforms. In addition, these standards put forward new security expansion requirements for new technologies of cloud computing, internet of things, mobile internet, industrial control and big data.
Article 40 of Chapter IV Network Information Security provides that 'Network operators shall strictly keep confidential users' personal information that they have collected, and establish and improve the users' information protection system.' Article 55 of the CSL provides that '[f]or the occurrence of cybersecurity incidents, it is necessary to activate contingency plans for cybersecurity incidents immediately, investigate and assess such incidents, require network operators to take technical measures and other necessary measures to eliminate potential security hazards, prevent expansion of the harm, and promptly issue warning information in relation to the public to society.'
With the promulgation of the CSL and Civil Code, the Chinese data protection and cybersecurity legal regime has taken shape rapidly. A separate Data Security Law and a Personal Information Protection Law are expected to be passed soon. These new laws will also be an important part of China's legal regime of cybersecurity and data protection.
1 Hongquan (Samuel) Yang is a partner at AnJie Law Firm.
2 Article 6 of the Regulations for Medical Institutions on Medical Records Management.
3 Article 16 of the Regulations for Medical Institutions on Medical Records Management.
4 Item 21, part 2 of the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps.
5 Article 38 of the Measures on Data Security Management (Draft for Comment).
6 Article 28 of the Measures on Data Security Management (Draft for Comment).
7 Article 3 of the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment).
8 Article 2 of the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment).
9 MIIT, the Circular on Doing a Good Job in the Administrative Inspection of Network Security in the Telecommunications and Internet Industries in 2019. http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057729/c6983820/content.html.
10 MIIT, The Shanghai communication administration notified four Internet companies that the implementation of network security requirements was inadequate. http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057733/c6254778/content.html.
11 The MPS notification of launching the 2018 'Net Action' campaign, http://www.mps.gov.cn/n2254536/n2254544/n2254552/n6422073/index.html; The MPS notification of typical cases of launching the2019 'Net Action' campaign, http://www.mps.gov.cn/n2254536/n2254544/n2254552/n6528162/index.html.
12 Article 20 of the DSL.
13 Article 27 of the DSL.