Data protection in China: overview
A Q&A guide to data protection in China.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
In summary, the EU model of personal data protection law does not yet exist in the People's Republic of China. China has not enacted a single piece of legislation that specifically addresses the collection, storage, transmission and operation of personal information. China also has not entered into any treaty with the EU or any other sovereign state similar to the EU-US safe harbour framework. However, the Civil Code and Tort Liability Law provide legal recourse for infringement of rights to privacy. There are also a few provisions in the PRC laws and regulations that address the protection of personal information. These typically regulate a specific industrial sector (for example, the telecommunication sector) or relate to information of a specific nature (for example, individual financial credit information, consumer information, population health information and medical records).
Major general laws
The major general laws include:
The PRC Constitution.
The Decision of the Standing Committee of the National People's Congress on Strengthening the Network Information Protection (NPC Decision).
The major sectoral laws include:
The Decision of the Standing Committee of the National People's Congress on Revising the Consumer Rights Protection Law of the People's Republic of China (Consumer Rights Law).
Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation).
Administrative Measures for Online Transactions.
Personal Information Security Measures for Mailing and Courier Services.
Medical Records Administration Measures of Medical Institutions.
Measures for Administration of Population Health Information (PHI Measures).
Scope of legislation
Different types of personal information are regulated by different laws and regulations.
For example, the NPC Decision applies to electronic information that can identify individual citizens and electronic information concerning the personal privacy of citizens.
The MIIT Regulation defines "personal information of users" as:
Information that can be used to identify the user (including name, date of birth, identification number, address, telephone number, and account numbers and associated passwords) when used independently or when combined with other information; and
Information that concerns the time and location of the users' use of service that is collected by telecom business operators and internet information service providers during their provision of services.
The Measures for Punishment of Infringements on Consumer Rights and Interests issued by the SAIC defines consumers' personal information as "the information collected by business operators during the provision of goods or services that may be used for identifying a consumer either independently or in combination with other information, and shall include name, gender, occupation, date of birth, identity document number, residential address, contact details, income and asset conditions, health conditions and consumption habits of a consumer."
The PHI Measures define "population health information" as all of the following:
Basic demographic information.
Medical and health care services information.
Other population health information.
Population health information is information generated by medical, health care and family planning service providers of all types and at all levels in the course of their management and service activities, carried out pursuant to laws and regulations and in accordance with their work responsibilities.
Main data protection rules and principles
Main obligations and processing requirements
There is no specific definition of a data controller under the current PRC law.
Companies and other legal entities that collect and use personal information are generally required to:
Comply with the principles of legitimacy, rightfulness and necessity when collecting and using personal information.
Specify and comply with their policies regarding the purpose, manner and scope of collecting and using personal information.
Obtain consent from any individual that has information collected.
Refrain from collecting or using personal information in breach of any laws or regulations, or in breach of the agreement with the individual whose information is collected.
Ensure that personal information is kept confidential, and not disclosed, sold or provided illegally to others.
According to the NPC Decision, Consumer Rights Law and MIIT Regulation, consent is required for the collection and use of an individual's personal information. However, there are no detailed requirements under the current PRC law regarding the specific form, content of the consent, or whether consent can be implied or inferred.
Rights of individuals
Under the MIIT Regulation, the following information must be provided by telecom business operators and internet service providers when they collect personal information:
The purpose, method and scope of information to be collected or used.
The ways in which users can inquire about and/or correct information.
The consequences of refusing to provide information.
Telecom business operators and internet service providers must provide ways for users to inquire about and/or correct their personal information (see Question 12).
The NPC Decision and the MIIT Regulation do not specifically allow individuals the right to request the deletion of their personal information. However, the MIIT Regulation does require that after users have terminated the use of telecommunications or internet information services, telecom business operators and internet information service providers must stop the collection and use of the users' personal information, and provide the users with services for deregistering relevant phone numbers or account numbers.
The MIIT Regulation imposes the following security requirements on telecom business operators and internet information service providers (Article 13):
To specify the responsibilities of each department, post and branch in terms of managing the security of personal information.
To establish work processes and security management systems for the collection and use of personal information and any related activities.
To manage the authority of different staff members and agents, review the batch export, duplication and destruction of information, and take measures to prevent the leak of confidential information.
To properly keep the carriers recording users' personal information, such as paper medium, optical media and magnetic medium, and take appropriate secure storage measures.
To conduct access inspection of the information system that stores users' personal information, and take intrusion prevention, anti-virus and other measures.
To record the staff members who perform operations of users' personal information, including the time and place of such operations and the matters involved.
To carry out communications network security protection work as required by the relevant Telecommunications Authority.
Other necessary measures prescribed by the relevant Telecommunications Authority.
The MIIT Regulation also requires that telecom business operators and internet information service providers must give members of staff relevant training on the knowledge, skills and responsibility relating to the protection of personal information (Article 15). They must also conduct at least one self-inspection of their methods of protection of personal information, record self-inspection results and promptly eliminate any security risks discovered during the self-inspection (Article 16).
Under the MIIT Regulation, where personal information kept by a telecom business operator or an internet information service provider has been, or is likely to be, divulged, damaged or lost, the telecom business operator or internet information service provider must take remedial measures. It must immediately report the situation to the specific Telecommunications Authority that previously granted its licensing or record-filing permission. It must also co-operate with the relevant departments in the investigation and handling of the situation if serious consequences are or may be caused. There is no national-level requirement to notify data subjects; however, certain local consumer protection regulations (for example, in Shanghai) also require personal data security breaches to be notified to data subjects.
Processing by third parties
Although there is no specific legal requirement on conditions upon which an enterprise or individual can store cookies or equivalent devices on other individuals' terminal equipment, the information collected through cookies or equivalent devices may be considered as “users' personal information” under the MIIT Regulation, and so the installation of cookies or equivalent devices for the purpose of collecting such information may be required to follow all the relevant legal requirements.
Under the NPC Decision and the Consumer Rights Law, no organisation or individual is permitted to send commercial information to consumers:
Unless the consumer requests the information.
Unless the consumer consents to receiving the information.
Where consumers have expressly refused to receive this information.
The Administrative Measures Regarding Internet E-mail Services (E-mail Measures) issued by MIIT, effective from 20 February 2006, sets out the more specific requirements for communications by e-mail. Any organisation or individual must not directly or indirectly (Article 13, E-mail Measures):
Intentionally destroy or forge e-mail contents.
Send e-mail(s) containing business advertisements without the explicit consent of the recipient.
Fail to give a clear indication of the word "advertisement" or "AD" at the beginning of the e-mail title when sending e-mail(s) containing commercial advertisement content.
Under the E-mail Measures, where an e-mail recipient clearly agrees to receive e-mail(s) containing commercial advertisement content but later withdraws his consent, the e-mail sender must stop sending such e-mails unless otherwise agreed by both parties. When sending e-mails containing commercial advertisements, the sender must provide the recipient with contact information through which further e-mails can be refused. The contact information must include the e-mail address of the sender, and the sender must guarantee that this information remains valid for 30 days.
The Administrative Provisions on Short Message Services for Communication issued by the MIIT, effective from 30 June 2015, also impose various requirements for sending SMS. For example, an SMS provider must:
Make available convenient and effective methods for users to refuse to receive such messages. The provider must inform users of these methods and must not hinder users from refusing to receive messages in any form.
Clearly indicate the names of the message content providers.
The Advertisement Law also provides that no organisation or individual can deliver advertisements to the houses or means of transportation of the parties concerned, or send advertisements to them by electronic message, without their consent or request. When an advertisement is sent by electronic message, the true identity and contact information of the sender must be clearly indicated, and the recipients must be provided with methods for refusing to receive further advertisements.
International transfer of data
Transfer of data outside the jurisdiction
There are currently no specific legal requirements for the transfer of personal information outside of China. However, where the personal information transferred is of a specific nature, there are certain requirements under industrial regulations and rules. For example, personal information collected by commercial banks must be stored, handled and analysed within the territory of China and may not be transferred overseas. In addition, disclosing information to an offshore entity is strictly prohibited if the information involves state secrets of the PRC.
Data transfer agreements
There is currently no specific legal requirement regarding data transfer agreements (see Question 22).
There is no such requirement in place in China (see Question 22).
Enforcement and sanctions
There is currently no national regulator that is specifically responsible for general personal information compliance matters. The major regulators involved include:
The Ministry of Industry and Information Technology (MIIT). Regulates personal data collected and used in telecom and internet sectors.
The National Health and Family Planning Commission (NHFPC). Regulates medical records and population health information.
The State Post Bureau (SPB). Regulates personal data collected and used in mailing and courier services.
The State Administration for Industry and Commerce (SAIC). Regulates consumer personal information, except in areas or sectors where a specific authority has been given responsibility.
Non-compliance with data protection laws can result in the following consequences (subject to the type of personal information concerned and the nature and severity of non-compliance):
Administrative penalties, including warnings, confiscation of illegal business earnings, and/or a fine.
The Ministry of Industry and Information Technology (工业和信息化部)
The Ministry of Industry and Information Technology of the PRC, established in March 2008, is the state agency of the PRC responsible for the regulation and development of industry, telecommunications and informatization.
State Administration for Industry and Commerce (国家工商行政管理总局)
The State Administration for Industry and Commerce is the state agency of the PRC mainly responsible for supervision and administration of the market.
Description. The website page of the central government of China on which laws and regulations promulgated are published. All the laws and regulations are in Chinese.
Marissa Xiao Dong, Partner
Jun He Law Offices
Professional qualifications. Qualified in PRC
Areas of practice. Corporate and M&A; Information Law.
Marissa Dong has advised on many private and public transactions for multinational companies, private equity firms and Chinese state-owned and private companies, across a wide spectrum of industrial sectors, particularly internet and telecommunications, education and manufacturing businesses. In addition to her corporate and M&A practice, as an Information Law expert, Marissa Dong has advised many multinationals (including both Chinese and foreign nationals) on data privacy, information security and related regulatory matters in China.
Languages. Mandarin, English
China contributor to Global Security and Privacy Law.
Recent articles in Bloomberg BNA: Agency Issues Draft Regulation on Administration of Personal Health Information (January 2014); New Online Transaction Rules Enhance Protection of Consumer (March 2014); Authorities to Accelerate Introduction of Personal Info Law (February 2015); China's Draft Cyber Security Law (July 2015).