China’s Compliance Requirements on Personal Data Protection
Cybersecurity and personal data protection saw rapid legislative development in 2018 and 2019, and in 2019 the competent authorities conducted intensive enforcement actions against noncompliance. Certain high-level provisions of the Cybersecurity Law of the People’s Republic of China (hereinafter the “Cybersecurity Law”) have since been clarified by the new legislation and by those enforcement actions.
This article provides a brief overview of the personal data requirements applicable to network operators operating in China[i], which may also serve as guidance for overseas companies that collect and / or use personal data in China.[ii] Although the relevant legislative activities are still ongoing, the draft laws, regulations and standards reflect, to a certain extent, the legislative trends on personal data protection. The author therefore briefly introduces the provisions of these drafts where necessary and appropriate.
1. Legal Sources for Personal Data Protection
A basic legal framework for protecting personal data is already in place and sets out the compliance requirements that market players must follow. It consists of laws, administrative regulations, departmental regulations / provisions issued by national regulatory bodies, mandatory national standards, recommended national standards and industrial standards[iii], etc. The key provisions pertaining to data protection are summarized or referred to as follows:
Article 25 of the National Security Law of the People’s Republic of China, which provides that the state shall establish network and information security safeguard systems; shall protect the security of the information systems and data of critical information infrastructure (“CII”) and key sectors; and shall prevent, stop and punish cyber-related crimes such as network attacks, intrusion, theft and the spreading of illegal and harmful information.
Article 111 of the General Provisions of the Civil Law of the People’s Republic of China, which sets out the basic principle that a natural person’s personal data is protected by law: any organization or individual that needs to obtain the personal data of others must do so lawfully (including with the data subject’s consent) and ensure the security of the data obtained, and must not illegally collect, use, process or transmit the personal data of others, illegally buy or sell it, or illegally provide or disclose it.
The Cybersecurity Law, which sets out the legal principles and high-level requirements for protecting personal data collected and / or processed via networks. Its compliance requirements apply universally to all network operators. Certain of its provisions are similar to those of the European Union’s General Data Protection Regulation (“GDPR”).
The Provisions on the Cyber Protection of Children’s Personal Data, administrative regulations dedicated to strengthening the protection of children’s personal data[iv] collected or processed via networks within China[v]. They set out more detailed and stringent compliance requirements than the Cybersecurity Law.
The Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Data (hereinafter the “Interpretation on Criminal Cases of Infringing on Citizens’ Personal Data”), which sets out the thresholds at which infringing on citizens’ personal data constitutes a crime and may be prosecuted.
2. Personal Data Protection Concepts
Personal data: the definitions of this term differ slightly. Under the Cybersecurity Law, personal data refers to all kinds of information, recorded electronically or otherwise, which alone or in combination with other information can identify a natural person, including but not limited to the person’s name, date of birth, ID number, personal biometric information, address and telephone number.
For the purpose of prosecuting and trying the crime of infringing on citizens’ personal data, however, the Interpretation on Criminal Cases of Infringing on Citizens’ Personal Data expands the definition of “personal data” to include all kinds of information which, alone or in combination with other information, reflects the activities of a specific natural person, including telecommunication contact information, account passwords, property status, whereabouts and tracking records, etc. The recommended national standard “Information Security Technology - Personal Data Security Specification” (GB/T 35273 - 2017)[vi] (hereinafter the “Personal Data Security Specification”) adopts the same expanded definition.
Sensitive personal data: the laws and regulations do not define this term. According to the Personal Data Security Specification, it refers to personal data which, if disclosed, illegally provided or misused, may endanger personal or property security, or is likely to result in damage to reputation or to physical or mental health, or in discriminatory treatment of the personal data subject.
Personal data subject: according to the Personal Data Security Specification, the natural person identified by personal data.
Controller: the Personal Data Security Specification defines the controller as the organization or individual that has the right to determine the purpose and means of processing personal data.
Processor: not defined under Chinese law. However, the Personal Data Security Specification provides guidelines for controllers to monitor / supervise the third parties entrusted to process personal data on their behalf.
Joint controller: the Personal Data Security Specification does not define this term but gives examples. For example, a service platform and the businesses contracting on that platform constitute joint controllers. Where the controller and a third party are joint controllers, the controller shall, together with the third party, determine the data security requirements to be satisfied and identify each party’s security-related responsibilities and obligations, for example by contract.
3. Territorial Scope of Chinese Personal Data Protection Legislation
In general, the currently effective data protection legislation has no extraterritorial effect.[vii] For example, the cornerstone data protection law, the Cybersecurity Law, provides that it applies to the construction, operation, maintenance and use of networks, and to the supervision and administration of cybersecurity, within China’s territory.
However, please note that the Measures for Security Assessment of Cross-border Transfer of Personal Data (Draft for Comments) (hereinafter the “Draft Data Transfer Security Assessment Measures”)[viii] would require overseas entities that collect personal data within China’s territory via the internet, etc. in the course of their business to perform the responsibilities and obligations of network operators through an appointed legal representative or organization. This requirement would in effect extend the territorial scope of application to overseas entities collecting personal data from China. To a certain extent it resembles the GDPR provisions under which non-EEA entities offering goods or services to EU residents (whether or not for payment) or monitoring their behaviour are subject to the GDPR.
Entities collecting personal data within China via networks are advised to keep alert to legal updates in this regard.
4. Processing Principles
The major principles for processing personal data under the Cybersecurity Law may be summarized as follows:
Lawfulness: the collection / use / processing of personal data shall not violate the laws, administrative regulations or the agreement concluded with the personal data subjects.
Openness / transparency: network operators must publish their rules for collecting and using personal data and inform personal data subjects of the purpose(s), methods and scope of collection / use.
Consent: consent must be obtained from personal data subjects before their personal data is collected / used[ix]. The Cybersecurity Law does not list specific situations in which such consent is not required. Certain sector-specific laws / administrative regulations grant the relevant regulatory bodies / authorized entities the power to collect / use personal data without the consent of the individuals concerned. Moreover, the Personal Data Security Specification specifies that no consent is required in certain circumstances, including but not limited to those relating to national security, public security, criminal investigation / prosecution / trial / enforcement of sentences, etc., or to the protection of significant rights and interests (life, property, etc.) of the personal data subject or others. The Personal Data Security Specification also requires explicit consent from personal data subjects for sensitive personal data.
Purpose limitation: network operators must inform personal data subjects of the purpose(s) for which personal data is collected / used. According to the Personal Data Security Specification, the use of personal data shall not exceed the scope directly or reasonably related to the purpose notified by the controller before collection; where it is necessary to exceed that scope, further explicit consent must be obtained from the personal data subjects.
Data minimization: according to Article 41 of the Cybersecurity Law, network operators shall adhere to the principle of necessity when collecting and using personal data and shall not collect personal data irrelevant to the services they provide. Guidelines and draft national standards for identifying excessive collection of data have been formulated or released for comments.
Integrity and confidentiality: network operators must take technical and other measures to ensure the security of personal data, including protection against leakage, destruction or damage. Personal data shall not be provided to other parties without the data subjects’ consent or a statutory basis, unless the data has been processed in such a way that it can no longer identify specific data subjects and cannot be restored to a state in which it does.
Storage limitation: this can be inferred from the principle of necessity under the Cybersecurity Law. The Personal Data Security Specification further limits the storage period for personal data to the minimum required to achieve the purpose(s), after which the data shall be properly disposed of by deletion[x] or anonymization.
5. Personal Data Subjects’ Rights
The Cybersecurity Law provides for the following data subjects’ rights:
Right to information: before network operators collect / use personal data, personal data subjects have the right to be notified of the purpose, methods and scope of collection / use.
Right to deletion: personal data subjects have the right to request that network operators delete their personal data if they discover that its collection or use violates the compliance requirements.
Right to rectification: personal data subjects who discover that their personal data, as collected or stored, is incorrect have the right to request rectification by network operators.
6. Security of Personal Data
The Cybersecurity Law sets out network operators’ obligations to ensure cybersecurity, which is the basis for ensuring the security of information, including personal data. One general requirement is to implement the graded (multi-level) cybersecurity protection scheme, which is not a new requirement for network operators.
The graded scheme requires technical safeguards for physical security, network security, host security, application security and data security. It also requires organizational safeguards, covering the formulation of internal security rules and processes, the establishment of a data protection department / data protection positions, and the construction / maintenance of networks, etc.
Notably, the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in Handling Criminal Cases Involving Crimes of Illegally Using an Information Network or Providing Aid for Criminal Activities in Relation to Information Network, effective as of 1 November 2019, clarifies when a data breach by a network operator constitutes the crime of refusing to perform information network security management obligations. For data breaches, these thresholds include, among others, the leak of more than 500 items of users’ personal data such as whereabouts and tracking records, communication contents, property information or credit information, or the leak of more than 5,000 items of users’ personal data such as accommodation information, communication records, health and physiological information, transaction information or other information that may affect users’ personal or property safety. A further element of the crime is the operator’s failure to rectify after being ordered to do so by the competent authorities.
The criminal exposure described above underlines the importance for network operators of keeping their systems, networks and personal data secure.
7. Localization and International Transfer of Personal Data
The following summarizes the requirements on the storage location and international transfer of personal data collected and generated by CII operators.
Localization
Under the Cybersecurity Law, important data and personal data collected and generated by CII operators during their operations within China shall be stored within China’s territory.
The Cybersecurity Law provides a non-exhaustive list of industries and sectors whose network facilities and information systems fall within the CII category, such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government. It also vests in the State Council the power to regulate the specific scope of CII and the security measures required for it.
Please note that the Regulations for the Security Protection of Critical Information Infrastructure (Draft for Comments) expand the CII scope to include network facilities and information systems operated / administered by government agencies and by entities in sectors such as education, social insurance, environmental protection, public utilities, broadcasting and television networks, cloud computing and big data. Scientific and research entities in sectors such as national defense, large equipment manufacturing, chemicals, and food and drug are also included.
Multinationals whose business involves collecting / using personal data from China are advised to keep alert to legal updates in this regard and to consider whether the storage location of that data needs to be adjusted.
Cross-border Transfer
Important data and personal data collected and generated by CII operators may be transferred overseas only where this is genuinely necessary for business purposes.
In addition, before the cross-border transfer the exporter must conduct a security assessment in accordance with the measures[xi] formulated by the Cyberspace Administration of China together with the relevant departments of the State Council, unless otherwise provided in other laws and administrative regulations.
It is also worth noting the legal trend toward extending localization of personal data to non-CII operators, as reflected in draft measures released for public comment, including the Draft Data Transfer Security Assessment Measures. These draft measures would require completing a prior security assessment with the provincial-level cyberspace administration authority before transferring personal data abroad. Materials to be submitted for review include the contracts signed with the overseas recipients, which must contain prescribed terms and conditions. This prior security assessment mechanism thus appears to combine standard contractual clauses with case-by-case review by the supervisory authorities.
8. Data Protection Authorities
Unlike the GDPR, which requires member states to establish independent, specialized data protection authorities, in China various industrial regulatory bodies have the power to administer and supervise personal data protection, while the cyberspace administration authorities coordinate the supervision of data protection with those bodies.
Different industrial regulatory bodies may have the power to enforce data protection law in the same case. Certain laws resolve such conflicts. For example, the Law of the PRC on the Protection of Consumers’ Rights and Interests specifies that the market supervision and administration authorities are in charge of imposing administrative penalties for violations of personal data protection requirements unless otherwise specified in other laws / administrative regulations. However, not all laws / administrative regulations resolve conflicts between provisions on the competence of supervisory authorities or between the different ranges of penalties.
In 2019, the market supervision and administration authorities, the industry and information technology authorities, the public security authorities and others took joint enforcement action to investigate and rectify data protection violations by apps. This joint action also led to the promulgation, in November 2019, of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps, which summarizes the authorities’ position and methods for identifying illegal conduct by apps. It provides guidelines that app operators can refer to for internal examination and rectification.
9. Penalties for Violation and Other Liabilities
Under the Cybersecurity Law, violation of data protection requirements may lead to penalties such as a warning, an order to rectify, an order to suspend business activities, closure of websites, or revocation of approvals or business licenses, as well as fines of up to RMB 1 million for the entity. Persons directly in charge or otherwise directly responsible may also be fined up to RMB 100,000. Although the monetary cost of noncompliance is not high, public exposure of a noncompliance case is detrimental to a network operator’s reputation, and administrative penalties such as closure of websites or revocation of approvals or business licenses may well devastate the future of the business.
Depending on the specific situation, entities or individuals violating the data protection requirements set by laws and regulations may also incur civil or even criminal liability.
The above is a brief summary of certain compliance requirements on personal data protection. As extensive legislative activity relating to personal data protection is still ongoing, companies are advised to keep alert to legal updates in this regard, including the particular requirements set by the laws and regulations governing their specific sector.
[i] Under the Cybersecurity Law, network operators are the owners and managers of networks and network service providers.
[ii] Please note that personal data is protected under the General Provisions of the Civil Law of the People's Republic of China regardless of its form (electronic or otherwise) and whether or not it is collected via a network.
[iii] Depending on the circumstances, non-mandatory national / industrial standards may, to a certain extent, flesh out the requirements set by laws and administrative regulations and may be relied on by law enforcement authorities as the basis for acting against noncompliance, so that these standards become enforceable de facto and act as quasi laws / regulations.
[iv] Children are minors under 14 years of age.
[v] For the purpose of this article, Hong Kong, Macau and Taiwan are excluded.
[vi] A third draft revision of this Specification has been released for comments. Where this Specification is referred to in this article, the reference is to its currently applicable version.
[vii] Please note that Article 50 of the Cybersecurity Law provides that, for information originating overseas that falls within the category of information prohibited from publication or transmission under laws and administrative regulations, the cyberspace administration authorities shall notify the relevant departments to take technical and other necessary measures to block its transmission.
[viii] The draft for comments was released on 13 June 2019 and the comment period expired on 13 July 2019. These departmental regulations have not yet been passed.
[ix] Certain laws and administrative regulations permit the collection of personal data without the consent of data subjects. The PRC Law on the Prevention and Treatment of Infectious Diseases is an example.
[x] Under the currently effective Personal Data Security Specification, deletion means removing personal data from the systems involved in the network operator’s daily business functions so that it remains unretrievable and inaccessible.
[xi] These measures have not been passed and are therefore not yet in effect.