
Data Law Navigator | China

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed March 2020

Risk scale

Risk Scale Orange

Laws

  • PRC Cybersecurity Law (2017)
  • Personal Information Security Specification (GB/T 35273-2017)

Authority

The following departments and their local branches:

  • Cyberspace Administration of China
  • Ministry of Industry and Information Technology
  • Ministry of Public Security
  • sector regulators

Anticipated changes to law

The new version of the Personal Information Security Specification (GB/T 35273-2020) will replace the current version and take effect on 1 October 2020.

Scope

Data protection requirements apply to personal data, which refers to information that can be used to identify a specific individual either independently or when used in combination with other information.

The regulatory focus is on data controllers who collect personal data within the territory of China. If a foreign data controller targets the Chinese market and offers products or services to data subjects within China, it might also be subject to Chinese data protection law.

Data processors who process personal data on behalf of a data controller shall also satisfy a series of obligations concerning data security and protection.

Penalties/enforcement

Violation of data protection requirements can trigger administrative fines, the confiscation of illegal income, the suspension of business operations, and the revocation of business licences. There might also be criminal liabilities if a violation is serious.

Registration / notification

There is no registration for collecting personal data in China.

A data controller is required to report data breaches or incidents to the relevant government authorities and to notify the affected data subjects.

Main obligations and processing requirements

A data controller is required to:

  • publish rules specifying the purpose, methods and scope of the collection and use of personal data;
  • obtain consent from data subjects;
  • follow the principle of legality, propriety, and necessity;
  • take technical measures to prevent personal data from being disclosed, damaged or lost;
  • take remedial measures, in a timely manner, when a leak, destruction or loss of personal data occurs;
  • inform affected data subjects of any incident, and report the incident to the relevant government authorities; and
  • delete or revise the personal data collected, after receiving legitimate complaints from data subjects.

A data controller shall also ensure that the data processors engaged follow all applicable data protection requirements.

Data subject rights

A data subject has the following rights: 

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to withdraw consent
  • Right to erasure
  • Rights related to profiling

Processing by third parties

Sharing personal data with a third party requires the consent of data subjects. The data controller must also assess the data protection capabilities of the recipient before sharing. 

Transfers out of country

The current law requires a critical information infrastructure operator to store all personal data collected within China in China. No cross-border transfer is allowed unless the required security assessment is passed. 

A few draft regulations propose to extend the coverage of this data localisation requirement to all data controllers. It is not clear whether the proposal will remain unchanged in the final versions.

Data Protection Officer

There is no mandatory requirement to appoint a data protection officer. However, a data controller must designate qualified staff or a team to be responsible for personal data protection matters.

In the privacy policies, a data controller must share the contact information of the person or team who is able to take enquiries or complaints from data subjects.  

Security

Depending on the nature of personal data and the contexts of where personal data is collected and processed, security measures concerning data back-up, classification, encryption, access control and the general IT security environment must be taken in accordance with the relevant technical standards. 

Breach notification

After a data breach or incident occurs, a data controller is obliged, within a reasonable time, to report it to the relevant government authorities and to notify the affected data subjects.

Direct marketing

A data controller must obtain explicit consent from a data subject in order to use his/her personal data for direct marketing purposes, and cannot refuse to provide the core functions of its services if the data subjects refuse to consent. The data subject also has the right to withdraw consent.

Cookies

There is no designated law governing the specific use of cookies. The general cybersecurity and data protection requirements apply.

Useful links

  • The official website of CAC (where relevant regulations and rules are typically published): http://www.cac.gov.cn/
  • The official website of the National Information Security Standardization Technical Committee (where major technical standards will be published): https://www.tc260.org.cn/

Cyber Security

Last reviewed March 2020

Risk scale

Risk Scale Orange

Laws and regulations

PRC Cybersecurity Law (2017), as well as a series of implementation regulations and supporting technical standards. 

Anticipated changes to law

More implementation rules and technical standards will be published to provide detailed requirements concerning the scope of critical information infrastructure, the implementation of the classified cybersecurity protection regime, and the security quality requirements for connected network devices. 

Application 

The Cybersecurity Law and the implementation rules apply to the establishment, operation, maintenance, and use of networks. 

The scope is broad and might not only cover operators registered in China, but also foreign operators who supply goods or services to Chinese users or who place IT facilities within China.

Authority

The Cyberspace Administration of China is the leading authority in charge of cybersecurity administration.

The Ministry of Industry and Information Technology, the Ministry of Public Security, various sector regulators and their local branches are responsible for cybersecurity matters within their own jurisdiction.

Key obligations 

  • Network operators and online service providers shall perform security protection obligations according to the applicable cybersecurity multi-level protection system (MLPS) requirements:
    • formulating internal security management systems, operating rules and assigning responsible personnel;
    • taking technical measures to prevent computer viruses, network attacks, and other actions endangering cybersecurity;
    • monitoring and recording network operational status and network security incidents, and keeping network logs for at least six months;
    • taking data classification, important data back-up, data encryption and other relevant measures; and
    • establishing cybersecurity incident response capabilities, mitigating breaches and reporting to the relevant government authorities.
  • Critical information infrastructure operators are subject to additional requirements concerning data localisation and the use of certified network products.
  • Manufacturers of connected products must comply with the mandatory technical requirements provided in the applicable national standards, and get their “critical equipment and specialised network security products” (if any) certified.

Penalties/enforcement

Violation of cybersecurity requirements can trigger administrative fines, the confiscation of illegal income, the suspension of business operations, and the revocation of business licences. There might also be criminal liabilities if a violation is serious.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The Cyberspace Administration of China (and the Emergency Response Office to be established under the CAC) will coordinate with other relevant government authorities to handle national cybersecurity incidents.

Is there a national incident management structure for responding to cyber security incidents?

Yes. The National Cybersecurity Incident Response Plan (2017) sets out the basic national incident management structure, as well as allocation of responsibilities among different government authorities. 

Business operators are required to formulate their own internal incident response plans, and report incidents to the relevant government authorities in time.

Other cyber security initiatives 

None

Useful links

  • The official website of the CAC (where relevant regulations and rules are typically published): http://www.cac.gov.cn/
  • The official website of the National Information Security Standardization Technical Committee (where major technical standards will be published): https://www.tc260.org.cn/


Authors

Nick Beckett
Managing Partner
Beijing
Amanda Ge
Associate
Beijing