Data protection and cybersecurity laws in China

Data protection

1. Local data protection laws and scope

PRC Cybersecurity Law (2017), a high-level legislation setting out the basic regulatory framework for both data protection and cybersecurity matters. 

Personal Information Security Specification (GB/T 35273-2020), a comprehensive standard setting out detailed data protection requirements. 

3. Anticipated changes to local laws

China published the Draft Data Security Law on 3 July 2020 for public consultation until 16 August 2020. Once passed, this legislation will be the first specialised data security supervision law in China.

China published the Draft Personal Information Protection Law on 21 October 2020 for public consultation until 19 November 2020. Once passed, this legislation will be the first designated personal data protection law in China.

4. Sanctions & non-compliance

Administrative sanctions:
  • administrative fines 
  • confiscation of illegal income
  • suspension of business operations
  • revocation of business licences
Criminal sanctions:
  • criminal detention
  • imprisonment up to seven years
  • criminal fines    
Others: 
  • negative impact on social credit scores

5. Registration / notification / authorisation

There is no registration for collecting personal data in China.

A data controller is required to report data breaches or incidents to the relevant government authorities and to notify the affected data subjects.

6. Main obligations and processing requirements

A data controller is required to:

  • publish rules specifying the purpose, methods and scope of the collection and use of personal data;
  • obtain consent from data subjects;
  • follow the principle of legality, propriety, and necessity;
  • take technical measures to prevent personal data from being disclosed, damaged or lost;
  • take remedial measures, in a timely manner, when a leak, destruction or loss of personal data occurs;
  • inform affected data subjects of any incident, and report the incident to the relevant government authorities; and
  • delete or revise the personal data collected, after receiving legitimate complaints from data subjects.

A data controller shall also ensure that the data processors engaged follow all applicable data protection requirements.

7. Data subject rights

A data subject has the following rights: 

  • right of access 
  • right to rectification 
  • right to erasure 
  • right to withdrawal consent
  • right to deregister accounts
  • right to request copies 
  • right to request responses to their request based on the above rights
  • right to complain

8. Processing by third parties

Entrusting third party processors and sharing data with third party are both allowed. They both require data subjects' consent and impact assessments, and are subject to different requirements concerning recipient due diligence, continuous monitoring, and liability allocation. 

9. Transfers out of country

The current law requires a critical information infrastructure operator to store all personal information and important data collected within China in China. No cross-border transfer is allowed unless the required security assessment is passed. 

A few draft regulations propose to extend the coverage of this data localisation requirement to all data controllers. It is not clear whether the proposal will remain unchanged in the final versions.

The Draft Personal Information Protection Law provides alternative conditions for cross-border transmission of personal information other than the required security assessment, including obtaining personal information protection certification by professional agencies or signing a contract with overseas recipient of the personal information to stipulate the rights and obligations of both parties as well as supervise the recipient’s personal information protection. Therefore, requirements for cross-border transmission of personal information and important data may be further updated by the enactment of the PRC Personal Information Protection Law and relevant regulations.

10. Data Protection Officer

The current law requires the appointment of the persons who are responsible for cybersecurity. Therefore, a data controller must designate qualified staff or a team to be responsible for personal data protection matters.

In the privacy policies, a data controller must share the contact information of the person or team who is able to take enquiries or complaints from data subjects.  

11. Security

Depending on the nature of personal data and the contexts of where personal data is processed, security measures concerning data back-up, classification, encryption, access control and the general IT security environment must be taken in accordance with the relevant technical standards. 

12. Breach notification

After a data breach or incident occurs, a data controller is obliged, within a reasonable time, to report it to the relevant government authorities and to notify it to the affected data subjects.

13. Direct marketing

Data subjects’ explicit consent is required. Not giving such consent shall not prevent data subjects’ access to core functions of the underlying services or products. Data subjects must be given the option to withdraw consent and receive non-personalised push or display.

14. Cookies and adtech

There is no designated law governing the specific use of Cookies or adtech. The general cybersecurity and data protection requirements apply. 

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

PRC Cybersecurity Law (2017), a high-level legislation setting out the basic regulatory framework for both cybersecurity and data protection matters. 

A series of implementation regulations and supporting technical standards following the principles of the PRC Cybersecurity Law. 

2. Anticipated changes to local laws

More implementation rules and technical standards will be published to provide detailed requirements concerning the scope of critical information infrastructure, the implementation of the classified cybersecurity protection regime, and the security quality requirements for connected network devices. 

3. Application 

The Cybersecurity Law and the implementation rules apply to the establishment, operation, maintenance, and use of networks. 

The scope is broad and might not only cover operators registered in China, but also foreign operators who supply goods or services to Chinese users or who place IT facilities within China.

5. Key obligations 

Network operators and online service providers shall perform security protection obligations suitable for the specific cybersecurity protection levels that they fall in. The main obligations include: 

  • formulating internal security management systems, operating rules and assigning responsible personnel;
  • taking technical measures to prevent computer viruses, network attacks, and other actions endangering cybersecurity;
  • monitoring and recording network operational status and network security incidents, and keeping network logs for at least six months;
  • taking data classification, important data back-up, data encryption and other relevant measures; and
  • establishing cybersecurity incident response capabilities, mitigating breaches and reporting to the relevant government authorities.

Critical information infrastructure operators are subject to additional requirements concerning data localisation and the use of certified network products.

Manufacturers of connected products must comply with the mandatory technical requirements provided in the applicable national standards, and get their “critical equipment and specialised network security products” (if any) certified.

6. Sanctions & non-compliance 

Administrative sanctions:

  • administrative fines 
  • confiscation of illegal income
  • suspension of business operations
  •  revocation of business licences 
Criminal sanctions:
  • criminal detention
  • imprisonment 
  • criminal fines 
Others: 
  • negative impact on social credit scores

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The Cybersecurity Administration of China (and the Emergency Response Office to be established under the CAC) will coordinate with other relevant government authorities to handle national cybersecurity incidents.

8. National cybersecurity incident management structure

The National Cybersecurity Incident Response Plan (2017) sets out the basic national incident management structure, as well as an allocation of responsibilities among different government authorities. 

Business operators are required to formulate their own internal incident response plans, and report incidents to the relevant government authorities in time.

9. Other cybersecurity initiatives 

None.

Portrait of Amanda Ge
Amanda Ge
Senior Associate
Beijing