Introduction

In light of the development of technology and the widespread use of the internet to transmit data, personal data protection has become a hot topic as people have become more aware of their right to privacy. This article aims to provide a general introduction to the relevant legal requirements regarding data protection in China, particularly in the context of collecting, processing and storing personal data. It also covers some points to note when transferring personal data to overseas recipients outside China, including by storing personal data in a system with overseas network servers ("Cross-border Transmission of Personal Data").

China does not currently have a comprehensive data protection law – rules governing data protection are scattered in the relevant existing laws, regulations, national standards and governmental guidelines such as the Cybersecurity Law, the Civil Code and the Decision on Strengthening Online Information Protection.

There are also numerous draft laws, regulations and national standards that are yet to be promulgated by the Chinese legislative or administrative authorities. These include the draft Personal Information Protection Law, draft Data Security Law, draft Administrative Measures on Data Security, draft Measures for Security Assessment on Cross-border Transfer of Personal Information, draft Information Security Technology Guidelines for Cross-border Data Transfer Security Assessment, and draft Critical Information Infrastructure Security Protection Regulation. Since these drafts are not yet effective, they do not have the status of law, but they are of great value for reference for now, as the latest legislative trend in China appears to indicate that China is actively speeding up the promulgation of the relevant laws on data protection.

On 26 April 2021, the draft Personal Information Protection Law was proposed to the Standing Committee of the National People's Congress of China for second review. We anticipate that the draft Personal Information Protection Law will come into effect within the next one to two years. Given its significant impact on personal data protection once it comes into effect, we have also covered the relevant rules under such draft law in this article.

Practical Suggestions

Based on the relevant rules set out in sections A and B below, we suggest that companies which are processing or are looking to process personal data in China (including transferring personal data to overseas recipients) should at least take the following precautionary measures to ensure compliance with the relevant legal requirements:

  • obtaining the consent of the data subjects for collecting their personal data;
  • formulating and disclosing to the data subjects the relevant policies regarding the collection, use, purpose, processing, remedial actions etc. in respect of the personal data to be collected;
  • only collecting the personal information to the extent necessary for the permitted statutory purpose(s);
  • keeping the personal data collected confidential, taking proper measures to ensure the security of the information and not disclosing it to any third party without the consent of the data subjects;
  • providing the data subjects with rights to access, copy, correct or delete (among others) the personal data collected about them;
  • keeping the personal information collected within China. If not, there is a risk that the relevant risk assessment, security assessment and/or any other statutory procedures on the proposed Cross-border Transmission of Personal Data may need to be carried out.

We set out in the sections below the relevant specific requirements regarding personal data protection under the related existing laws and regulations in China, as well as the draft Personal Information Protection Law.

Brief Summary of the Rules

A. Collection, processing and storage of personal data

1. Rules under the draft Personal Information Protection Law (the "draft PIPL") (currently in draft form, but likely to come into effect in the near future)

The draft PIPL, upon being passed as a law, will become China's first comprehensive law on the protection of personal data.

It applies to the processing of individuals' personal data that takes place in China regardless of their nationality. It imposes an obligation to protect personal data not just on network operators, but on all "personal data processors" in general. "Personal data processors" is defined in Art. 72(1) as "organizations or individuals that independently determine the purpose, scope and means of processing of personal data".

Art. 13 sets out the six lawful bases for processing personal data:

(i) The data subject's consent is obtained;
(ii) Necessary for the conclusion or performance of a contract to which the data subject is a party;
(iii) Necessary for the fulfilment of statutory duties or obligations;
(iv) Necessary for responding to public health incidents or for the protection of life, health and property of the data subject or other individuals in emergency cases;
(v) Processing, to a reasonable extent, personal data that is already in the public domain, pursuant to the rules under the PIPL;
(vi) Processing, to a reasonable extent, for journalism or media supervision in the public interest; and
(vii) Other circumstances as provided by Chinese laws and regulations.

The data subject's consent is not required in the circumstances falling under items (ii) to (vii) above. The "consent" referred to in item (i) above must be an informed, specific and freely given indication of the data subject's wishes (Art. 14). Separate opt-in consent is required for processing sensitive personal data, which includes but is not limited to race, ethnic group, religious beliefs, personal biometric data, health data, financial account data and location data (Art. 29, 30). The data processor must inform the data subject of (i) the purpose, method and scope of processing his personal information, and (ii) how long such information will be kept (Art. 18).

The draft PIPL also provides for various rights of the data subject, including the right to information and explanation on the data processing (Art. 45), the right to access and request a copy of personal data (Art. 45), the right to correction (Art. 46), the right to object to processing (Art. 44), the right to withdraw consent (Art. 16) and the right to deletion (Art. 47).

Last but not least, the draft PIPL imposes an obligation on personal data processors to adopt a holistic data protection compliance program that protects personal data throughout its whole lifecycle, covering matters such as regular compliance audits, risk assessments, periodic employee training, records of personal data processing activities, protocols to respond to data subjects' requests, data breach reporting, remedial measures for data breaches, and the designation of a person responsible for data protection (Art. 51-56).

2. Rules under the Cybersecurity Law (the "CSL") (effective from June 1, 2017)

The following provisions of the CSL set out the requirements of personal data protection regarding "non-network operators":

  • Art. 12 states that "any person and organization using networks...must not... create or disseminate... information that infringes on the reputation, privacy, intellectual property or other lawful rights and interests of others".
  • Art. 44 states that "individuals or organizations must not steal or use other illegal methods to acquire personal information, and must not unlawfully sell or unlawfully provide others with personal information".

"Network operators" is defined as "network owners, managers, and network service providers" (Art. 76).

3. Rules under the Civil Code (the "Code") (effective from January 1, 2021)

Art. 1035 and 1038 of the Code stipulate the following requirements that personal information processors must comply with when processing personal information:

  • Obtain the consent of the data subjects;
  • Express the purpose, method and scope of processing personal information to the data subjects;
  • Comply with the provisions of applicable laws and regulations and agreements with the data subjects;
  • Keep the personal information collected confidential and stored without any tampering;
  • Not to provide the personal information to third parties without the consent of the data subjects, except for information that cannot be identified and cannot be recovered after processing;
  • Take technical measures or other necessary measures to ensure the security of the personal information; and
  • If a data breach occurs or may occur, take remedial measures, notify the data subjects and report to the regulatory agency.

Art. 1037 grants data subjects the following rights:

  • The right to access and copy their personal information;
  • The right to raise objections and request correction of their personal information; and
  • The right to delete their personal information when it is found that the personal information processor violates any laws and regulations or the agreement between the two parties.

4. Rules under the Decision on Strengthening Online Information Protection (the "Decision") (effective from December 28, 2012)

The Decision's application is limited to online personal information.

Similar to the draft PIPL, it provides that organizations and individuals are prohibited from obtaining citizens' personal digital information by theft or other illegal approaches, or selling or illegally providing that information to others.

The Decision also sets out the following obligations for companies that intend to collect and use personal digital information:

  • Must make their policies for data collection and use public;
  • Must explicitly state the purposes, means, and scope of the data collection;
  • Must obtain the consent of all of the data subjects;
  • Must not violate any relevant laws and regulations; and
  • Must not violate any agreements or contracts with the data subjects.

B. Cross-border Transmission of Personal Data

1. Rules under the draft Personal Information Protection Law

The draft PIPL extends the reach of the cross-border transfer rules beyond CIIOs (see section B.2 below). Under the draft PIPL, different measures will apply to:

(i) personal data processors who engage in cross-border transfer of data up to a certain threshold level (to be specified by the Chinese government after the law is passed);
(ii) personal data processors who engage in cross-border transfer of data above that threshold level; and
(iii) operators of Critical Information Infrastructure ("CIIOs").

Art. 38 provides that, up to the specified threshold (i.e. category (i) above), personal data processors will be permitted to transfer personal data out of China if they meet one of the following three conditions:

  • obtaining a personal data protection certification via a certification body accredited by the Cyberspace Administration of China;
  • entering into a contract with the overseas data recipient and supervising the recipient's activities to ensure compliance with PIPL standards; or
  • passing a government security assessment.

Above the specified threshold (i.e. category (ii) above) and for CIIOs, organisations will be required to pass a security assessment that is organised by the PRC cyberspace authorities before they can transfer data overseas.

The draft PIPL does not lay down any process for undertaking such a security assessment. This is likely to be announced in the related implementation rules after the law is passed.

Apart from the above mechanisms for data export, the draft PIPL also requires all data exporters to:

  • notify data subjects of the circumstances of the transfer and obtain a separate consent (Art. 39);
  • carry out a risk assessment. The risk assessment shall cover: whether the purpose and method of processing personal information are legitimate, justifiable and necessary; impact on individuals and the degree of risks; and whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks. The risk assessment report and processing record shall be kept for at least three years (Art. 55); and
  • ensure that foreign recipients are not subject to the data export restriction/prohibition list as may be announced by the Chinese government (Art. 42).

2. Rules under the Cybersecurity Law

In terms of the localisation of storage of personal data, the CSL applies only to the operators of 'Critical Information Infrastructure' ("CIIO"), who are required to store personal data gathered and produced during their operations in China (Art. 37). Under the CSL, where it is necessary for a CIIO to provide such data to parties outside mainland China (including HK and Macau) due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council (Art. 37).

'Critical Information Infrastructure' ("CII") is defined as infrastructure "which—if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people's livelihood, or the public interest" (Art. 31). This definition leaves very significant scope for interpretation. The CSL only provides some examples of the industries in which CIIs may exist, e.g. public communication and information services, energy, communications, water conservation, finance, public services and e-government affairs. The draft Critical Information Infrastructure Security Protection Regulation (the "CII Regulations") further provides that CII protection should apply to:

  • government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection and public utilities sector;
  • information networks, such as telecommunication networks, broadcast television networks and the internet, and entities that provide cloud computing, big data and other large-scale public information network services;
  • research and manufacturing entities in sectors such as science and technology for defence, large equipment manufacturing, chemicals industry and food and drug sectors; and
  • press entities such as broadcasting and television stations, news agencies and other key entities.

In theory, the localisation requirement does not apply to companies that do not belong to the above-mentioned CII sectors. However, given the ambiguity of the definition of CII, there is always a risk that the localisation requirement will be held to apply. Moreover, the draft PIPL mentioned above, once passed, will probably impose a data localisation requirement on all companies, whether or not they are in the CII sectors.

Conclusion

The above only provides a brief summary of the current legal requirements regarding personal data protection under the relevant laws and regulations in China (including the draft laws which may come into effect in the near future). There is no doubt that the laws on data protection in China will develop at a fast pace in the next few years based on the recent legislative trend in China, and companies in China will face significant compliance challenges as a result. Accordingly, companies and foreign investors doing business in China are advised to keep abreast of the latest developments in this regard to ensure compliance with the relevant legal requirements.

This article was co-written with Trainee Mary Lam.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.