Where are we now with data protection law in China?
Until recently, China’s data privacy framework consisted of fragmented rules scattered across various laws, measures and sector-specific regulations.
However, the Cyber Security Law (the CS Law), which came into effect on 1 June 2017, includes for the first time a comprehensive set of data protection provisions in the form of national-level legislation. These provisions are of general application to personal information collected over information networks.
The CS Law at least partially supersedes the key data privacy provisions previously found in other regulations, while other provisions continue to apply in parallel.
Additionally, on 19 May 2017, the Cyberspace Administration of China (CAC) held an experts session to discuss an updated version of Measures on Evaluating the Security of Transmitting Personal Information and Important Data Overseas (the Draft Security Assessment Measures). CAC issued an announcement on 2 June 2017 confirming that an official revised draft will be released in due course, although the unofficial draft is already in circulation. This version has a stated effective date of 1 June 2017 and is therefore likely to be in near final form.
This briefing summarises the most important data privacy provisions now in effect under Chinese law.
Data protection obligations under the cybersecurity law and related regulations
The CS Law imposes several data privacy obligations on network operators. The term ‘network operator’ in both the CS Law and the Draft Security Assessment Measures includes both owners and administrators of a network as well as network service providers.
The CS Law defines a ‘network’ as any system consisting of computers or other information terminals and related equipment that collects, stores, transmits, exchanges or processes information. Because the definition of network operator is so wide, the data privacy provisions of the CS Law will apply to virtually all organisations in China that provide services over the internet. Internal networks and systems might potentially be caught as well, but this is far less clear.
Definition of personal information
The CS Law defines personal information as information that identifies a natural person, either by itself or in combination with other information. The information may be recorded in electronic or any other form. The term includes a person’s name, address, telephone number, date of birth, identity card number and biometric identifiers.
The Draft Security Assessment Measures expands the definition to include information that discloses a person’s activity. It also expands the listed examples to include account numbers and passwords, location information and activity information.
Data collection and processing
Network operators are prohibited from collecting personal information that is not relevant to the services that they offer.
Before collecting data from an individual (the Data Subject), a network operator is required to explicitly inform the individual of the purposes, means and scope of the collection and use of their data, and to obtain their consent to the collection. Any processing of personal information must stay within the scope of that consent.
It is unclear whether the same standards are intended to apply to employee information. Various references within the data privacy provisions of the law to the provision of ‘services’ and the making of collection statements ‘public’ indicate that the law may not be intended to capture internal systems. However, the definition of a ‘network’ is certainly wide enough to include internal systems, as noted above.
Under the Provisions of the Employment Service and Employment Management (in effect since 2008), there is already a general obligation on employers to keep employees’ personal information confidential and to obtain written consent before disclosing their personal information to third parties.
Storage and security
The CS Law requires network operators to keep users’ personal information in strict confidence and to establish a system to ensure its security. Network operators must implement technical measures to monitor and record the operational status of their networks and the occurrence of cyber security incidents.
Network operators are also required to back up and encrypt ‘important data’, and to store operations logs for at least six months. The Draft Security Assessment Measures define important data as data closely related to national security, economic development and societal and public interests (the CS Law itself does not provide a definition). It is therefore not currently mandatory to encrypt all personal information collected in China, although the confidentiality and security obligations described above still apply to it, and encryption remains the usual way of meeting them. It is expected that future national standards and guidelines will define the specific scope of what constitutes important data.
The CS Law also imposes a mandatory obligation to promptly inform Data Subjects of a data breach or loss of data. The network operator is also required to report the incident to the relevant sector regulator and to take immediate remedial action.
The CS Law requires network operators to designate persons responsible for network security as part of their internal security management systems. The law appears to fall short of requiring organisations to appoint a specific data protection officer. Nevertheless, the responsible persons may have direct personal liability for breaches of the core data privacy provisions, and the non-binding National Standard (discussed below) provides that organisations are expected to designate a person or agent to manage personal information.
Transfer of personal information (within and outside China)
Under the CS Law, the consent of the Data Subject is required before any of their personal information is transferred to a third party.
The Draft Security Assessment Measures provide that the Data Subject’s consent will also be required to transfer their personal information outside of China. This applies even where the transfer is to an affiliate or to an overseas storage facility, e.g. in connection with the use of offshore cloud storage.
To obtain an informed consent, the network operator must first notify the Data Subject of:
(i) what type of personal information is being transferred (it is unclear how much detail must be given);
(ii) the purpose and scope of the transfer; and
(iii) which country the data will be transferred to.
In certain circumstances, consent may be implied by the Data Subject’s actions, such as making international telephone calls, sending international emails or instant messages, and conducting international transactions over the internet. This is extended to other ‘proactive’ (i.e. voluntary) personal actions that indicate that the Data Subject has consented to the overseas transfer.
A network operator will also need to conduct an internal security assessment before transferring personal information overseas. The security assessment must take into account factors such as:
- the necessity of the overseas transfer;
- the amount and sensitivity of the personal information involved;
- the security measures taken by the recipient;
- the risk of a data leak;
- whether the transfer includes so-called ‘important data’; and
- the risks to national security, societal and public interests or personal legitimate interests.
It will not be permissible to transfer personal information outside of China if doing so damages public and national interests, or the security of China’s national politics, territory, military, economy, culture, society, technology, information, environment, resources, nuclear facilities, etc. Despite the breadth of these interests, the prohibition seems unlikely on its face to affect a transfer of personal information other than in exceptional cases.
Another criterion for the security assessment is whether the transfer involves ‘important data’, defined (as noted above) as data closely related to national security, economic development and societal and public interests.
The Draft Security Assessment Measures contains a general provision allowing CAC and other relevant government departments to prohibit data from being transferred overseas in other circumstances.
The security assessment must be repeated if the purpose, scope, type and amount of data transferred changes significantly, or where a material security incident has occurred. (It is presumed that a cross-border transfer to a different recipient will also necessitate a separate security assessment.) An obligation in the first version of the Draft Security Assessment Measures to refresh the security assessment every 12 months and to report the results to the relevant regulatory authority is absent from the most recent version.
The current version does not include any obligation to report the results of the assessment to the authorities. Nevertheless, it is recommended to conduct the assessment diligently and to record the outcome, so that an organisation can demonstrate compliance if it ever becomes subject to an investigation by the authorities. The Draft Security Assessment Measures mandate the competent regulators to carry out regular inspections of cross-border transfers. Consistent with past practice, inspections will in all likelihood be directed at the activities of multinationals and other foreign companies first and foremost.
In certain circumstances, companies will need to submit to an external security assessment conducted by the competent industry regulator. These include where:
- the transfer comprises in aggregate the personal information of more than 500,000 individuals (no period of time is specified); or
- other circumstances that could affect national security, societal and public interests.
In the absence of a designated regulator for a particular sector that is competent to conduct a security assessment, it will be carried out by CAC.
Under the current revised version of the Draft Security Assessment Measures organisations would be required to comply with the new rules on cross-border transfers from 31 December 2018 (effectively allowing an 18-month grace period from the implementation of the CS Law).
The provisions on data localisation in the CS Law apply only to a specific class of network operators known as critical information infrastructure operators (CIIOs). This requirement is discussed in further detail below.
Data localisation obligations for critical information infrastructure operators
Under the CS Law, all personal information and ‘important data’ held by CIIOs must be stored in China.
Data export will only be allowed:
- where it is genuinely necessary for business reasons to transfer the data outside of China; and
- after undergoing a security assessment conducted by CAC and other departments of the State Council (expected primarily to be the Ministry of Industry and Information Technology).
The law itself does not contain a definition of ‘critical information infrastructure’. However, China’s Cyberspace Security Strategy, released by CAC on 27 December 2016, defines critical information infrastructure as “information infrastructure that affects national security, the national economy and people’s livelihoods, such that, if data is leaked, damaged or loses its functionality, national security and public interests may be seriously harmed”. The Cyberspace Security Strategy also provides that certain sectors and industries will automatically be considered critical information infrastructure, including (i) telecommunications, (ii) important information systems in the energy, finance, transportation, manufacturing and healthcare sectors, and (iii) important internet-based systems.
The revised version of the Draft Security Assessment Measures additionally subjects transfers of data relating to nuclear facilities, national defence, major engineering projects, biological chemistry, population health, the marine environment, security defects of critical information infrastructure and sensitive geographic information to an external security assessment (see above).
The data localisation requirement applicable to data collected on critical information infrastructure covers ‘important data’ as well as personal information. Because CIIOs are a class of network operators, the requirements described above in relation to data export by network operators will also apply to them (i.e. conducting a security assessment and obtaining informed consent for transfers of personal information).
Data localisation requirements in other laws
Data localisation is not a new concept in China. Existing data localisation provisions are contained in sectoral regulations in the banking, insurance and healthcare industries:
- Under the Notice of the People’s Bank of China (the PBoC) on Improving Work Related to the Protection of Personal Financial Information by Banking Financial Institutions (effective 21 January 2011), personal financial information relating to Chinese citizens collected within China is required to be stored, processed and analysed within China. Banks in China are not permitted to transfer Chinese citizens’ personal financial information to any other country without the approval of the PBoC, except where permitted by separate rules or regulations. The Shanghai branch of the PBoC issued implementing rules (18 May 2011) clarifying that PRC branches of foreign banks may transfer client information to their overseas headquarters, parent bank and subsidiaries for storage, processing and analysis if certain criteria are satisfied.
- The China Insurance Regulatory Commission has issued various regulations requiring business and financial data of insurance companies to be stored within China. Insurance companies are also required to have independent data storage systems and remote backup facilities in China.
- The National Health and Family Planning Commission’s Administrative Measures on Management of Population Health Information (5 May 2014) prohibit the overseas export of personal information by health and family planning institutions in China. These institutions are also prohibited from storing medical information on servers outside of China.
In addition, the recently released draft Security Assessment Measures for the Information Technology Management of Securities and Funds Operators propose data localisation obligations applicable to securities and funds operators.
Data protection obligations under other PRC laws and regulations
Sensitive personal information
With the exception of a non-binding National Standard, none of the PRC data-related rules and regulations distinguish between general and ‘sensitive’ personal information. Under the National Standard, sensitive personal information is defined as personal information that, if disclosed or altered without the Data Subject’s consent, could have an adverse impact on the individual concerned. This may include ID card numbers, mobile phone numbers, race, political views, religion, genetic information and fingerprints.
The National Standard states that when collecting sensitive personal information, an individual’s express consent must be obtained (opt-in), whereas when collecting general personal information, tacit consent is sufficient. Organisations are not permitted to collect sensitive personal information of minors under the age of 16 or of other persons of limited capacity, unless it is strictly necessary and their legal guardians have given their express consent.
Compliance with the National Standard is voluntary and no penalty is imposed in the event of a breach.
Additional obligations on internet information service providers and telecommunications services operators
Under the Personal Information Regulation, telecommunications and internet information service providers are subject to additional personal information protection obligations that are not mentioned in the CS Law.
The definition of internet information service providers is wide. It broadly translates as any entity that ‘provides information through the internet to users’. This definition may capture a wide range of commercial websites operated in China, including corporate websites and product information sites.
The Personal Information Regulation states that where telecommunications and internet information service providers transfer personal information to direct user-facing third parties (e.g. for their marketing or technical services), they must supervise the transferee to ensure the protection of the transferred personal information.
Telecommunications and internet information service providers are also required to establish a user complaint mechanism and reply to complaints concerning personal information protection within 15 days. They must also conduct at least one self-inspection of their protection of users’ personal information each year, record the results of the inspection and promptly eliminate any security hazards discovered in the process.
Additional obligations on App providers
Under the Administrative Provisions on Information Services of Mobile Internet Application Programs (effective 28 June 2016), App providers must clearly indicate to customers if they are collecting geolocation data, accessing address books on their smartphones, making use of cameras, activating audio recording or using other such functions, and obtain their consent. The Provisions also prohibit the activation of functions that are unrelated to the service and the bundling of unrelated applications.
Access and correction
The Personal Information Regulation requires telecommunications and internet service providers to inform users about the channels through which they may consult and make corrections to their personal information.
Under a draft E-Commerce Law released at the end of 2016, Data Subjects have the right to access their information. If an e-commerce business entity receives an access request, it must respond promptly after verifying the subject’s identity. Similarly, upon receiving a correction request from a Data Subject, it must make the correction promptly.
The National Standard contains non-binding provisions relating to individuals’ rights of access and correction. When an individual enquires about their personal information, the organisation controlling the information is required to notify the individual (free of charge) whether it has the personal information requested, the content of the information and the status of processing the information. This requirement applies unless the cost of notifying the individual is unreasonable or the request itself is unreasonable.
Retention and deletion
Under the non-binding National Standard, organisations are expected to delete personal information after the notified purpose of collection and use has been achieved.
Under the Personal Information Regulation, telecommunications and internet service providers must stop collecting users’ data after they have stopped using the service, and provide them with deregistration services.
The draft E-Commerce Law contains a provision requiring e-commerce business entities to delete a user’s personal information upon the expiry of any agreed retention period, either on their own initiative or at the user’s request.
Direct marketing
The Consumer Protection Law prohibits businesses from sending commercial information to consumers where they have not requested or consented to receiving that information, or where they have expressly objected to receiving it.
Under the Public Networks Decision, businesses are prohibited from carrying out direct marketing to individuals by telephone or email without the recipients’ consent or request. The Public Networks Decision does not state whether active or passive consent is required.
The Measures for the Administration of Email Services prohibit the sending of any email containing commercial advertisements without (i) the recipient’s clear consent, and (ii) including the word ‘Ad’ or the Chinese word for ‘advertisement’ in the email subject. If a recipient subsequently opts out from receiving commercial advertisements, the sender must stop sending them.
Penalties
Penalties for infringements of the core data protection provisions of the CS Law may include a fine of up to 10 times the amount of unlawful gains or a fine of up to RMB 1,000,000. Persons in charge of data protection compliance within an organisation, and other responsible individuals, may be separately subject to a fine of between RMB 10,000 and 100,000, or between RMB 50,000 and 500,000 for serious cases.
The Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (9 May 2017) sets out certain circumstances in which the unauthorised collection, transfer or receipt of personal information will constitute a criminal offence under the PRC Criminal Law, and the associated penalties.
For example, the establishment of websites or communication groups for obtaining, selling or transferring personal information can be punished upon conviction by a fine of up to five times the illegal proceeds, and imprisonment of up to three years. A person convicted of illegally obtaining personal information concerning communication records, health information or credit or asset information can be punished by a fine of up to five times the illegal proceeds and imprisonment for up to seven years.
Key points
- The implementation of the Cyber Security Law on 1 June 2017 has created a major change in the landscape of personal data protection in China.
- The new law codifies core data privacy obligations, such as notification and consent requirements and the adoption of security measures. It also introduces a mandatory obligation to report data leakages.
- In addition, draft Measures on Evaluating the Security of Transmitting Personal Information and Important Data Overseas will set down rules for a security assessment that all organisations will need to undertake to transfer any personal data outside of China, as well as a general requirement to obtain informed consent from individuals to cross-border transfers of personal data.
- High-volume transfers of personal data (comprising the data of more than 500,000 individuals) will be subject to an external security assessment by the competent sectoral regulator or, failing that, the Cyberspace Administration.
- In most cases, consented transfers of personal data outside of China will be permitted (unless the transfer damages national security and political interests).
- All personal information and ‘important data’ held by critical information infrastructure operators must be stored in China.
- Other overlapping data privacy regulations remain in effect and organisations in particular sectors need to be aware of additional constraints on their handling of personal information.