
Data Law Navigator | China

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.



Data Protection

Last reviewed 8 October 2018

Risk scale

Orange

Laws

  • PRC Cybersecurity Law (2017)
  • Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013)
  • Decision of the Standing Committee of the NPC on Strengthening Network Information Protection (2012)

Authority

The following departments and their local branches:

  • Cyberspace Administration of China (the “CAC”)
  • Ministry of Industry and Information Technology
  • Ministry of Public Security
  • sector regulators

Anticipated changes to law

The legislator has recently been discussing formulating a designated data protection law in China. The specific legislation schedule has not been decided yet.

Scope 

Data protection requirements apply to "personal data", which refers to information that can be used to identify a specific individual either independently or when used in combination with other information.

The regulatory focus is on "data controllers", who decide the purpose and manner in which personal data is to be collected, processed and used.

“Data processors” who process personal data on behalf of a data controller shall also satisfy a series of obligations concerning data security and protection.

If a foreign party targets the Chinese market and offers products or services to users within China, its activities concerning the collection, processing and use of personal data will be subject to Chinese data protection law. 

Penalties/enforcement

Violation of data protection requirements can trigger: administrative fines, the confiscation of illegal income, the suspension of business operations, and the revocation of business licences. There might also be criminal liabilities if a violation is serious.

Registration / notification 

There is no registration for collecting personal data in China.

However, a data controller is required to report data breaches or incidents to the relevant government authorities and to notify the affected data subjects.

Main obligations and processing requirements

A data controller is required to:

  • publish rules specifying the purpose, methods and scope of the collection and use of personal data;
  • obtain consents from data subjects;
  • follow the principle of legality, propriety, and necessity;
  • take technical measures to prevent personal data from being disclosed, damaged, or lost;
  • take remedial measures, in a timely manner, when a leak, destruction or loss of personal data occurs;
  • inform affected data subjects of any incident, and report the incident to the relevant government authorities; and
  • delete or revise the personal data collected, after receiving legitimate complaints from data subjects.

A data controller shall also ensure that the data processors engaged by it follow all applicable data protection requirements. 

Data subject rights

A data subject has a right to:

  • prevent the processing of their data for direct marketing;
  • have their inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances; and
  • claim compensation for damages caused by a breach of the data protection requirements.

Processing by third parties

Generally, personal data shall not be distributed unless the data subject's consent has been given previously.

As an exception, consent is no longer needed where such data has been anonymised and is incapable of identifying a specific individual.

Transfers out of country

The current law requires a critical information infrastructure operator to store all personal data collected within China in China. If any data needs to be transferred to a foreign country, the data controller must pass a security assessment.

A draft implementation rule proposes to extend the coverage of this data localisation requirement to all ordinary network operators and online service providers. It is not clear whether the proposal will remain unchanged in the final version. 

Data Protection Officer

There is no mandatory requirement to appoint a data protection officer.

However, a data controller must designate qualified staff or a team to be responsible for personal data protection matters.

In the privacy policies entered into with users, a data controller must share the contact information of a person or team who is able to take enquiries or complaints from data subjects.  

Security

In addition to the general legal requirements, the "Information Security Technology – Personal Information Security Specifications" set out a series of technical standards concerning personal data protection. Although such requirements are not mandatory, they are recommended and are considered to be best practice. 

Breach notification

After a data breach or incident occurs, a data controller is obliged, within a reasonable time, to report it to the relevant government authorities and to notify it to the affected data subjects. 

Direct marketing

Personal data shall not be used for direct marketing purposes unless it is consented to by the data subject. The data subject also has the right to request a data controller to stop direct marketing activities. 

Cookies

There is no designated law governing the specific use of Cookies. The general cybersecurity and data protection requirements apply. 

Useful links

  • The official website of CAC (where relevant regulations and rules are typically published): http://www.cac.gov.cn/
  • The official website of the National Information Security Standardization Technical Committee (where major technical standards will be published): https://www.tc260.org.cn/


Cyber Security

Last reviewed 8 October 2018

Risk scale

Orange

Application 

The PRC Cybersecurity Law (the "CSL") applies to the establishment, operation, maintenance, and use of networks within the territory of China.

The scope is broad and covers not only organisations registered in China, but also foreign registered organisations that supply services through networks to Chinese users or that place online service facilities within China.

Authority

The Cyberspace Administration of China (the “CAC”) is the leading authority in charge of cybersecurity administration.

The Ministry of Industry and Information Technology, the Ministry of Public Security, various sector regulators and their local branches are responsible for cybersecurity matters within their own jurisdiction. 

Key obligations 

  • Network operators and online service providers shall perform security protection obligations according to the applicable cybersecurity multi-level protection system (MLPS) requirements:
    • formulating internal security management systems, operating rules and assigning responsible personnel;
    • taking technical measures to prevent computer viruses, network attacks, and other actions endangering cybersecurity;
    • monitoring and recording network operational status and network security incidents, and keeping network logs for at least six months;
    • taking data classification, important data back-up, data encryption and other relevant measures; and
    • establishing cybersecurity incident response capabilities, mitigating breaches and reporting to the relevant government authorities.
  • Operators of critical information infrastructures are subject to additional requirements concerning data localisation and the use of certified network products.
  • Manufacturers of network products must comply with the mandatory technical requirements provided in the applicable national standards, and get their “critical equipment and specialised network security products” (if any) certified.
  • Network users shall refrain from any activities that endanger cybersecurity and from distributing any illegal information online. 

Penalties/enforcement

Violation of cybersecurity requirements can trigger: administrative fines, the confiscation of illegal income, the suspension of business operations, and the revocation of business licences. There might also be criminal liabilities if a violation is serious. 

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The CAC (and the Emergency Response Office to be established under the CAC) will coordinate with other relevant government authorities to handle national cybersecurity incidents. 

Is there a national incident management structure for responding to cyber security incidents?

Yes. The National Cybersecurity Incident Response Plan (published in June 2017) sets out the national incident management structure.

Business operators are also obliged to report cybersecurity incidents to the relevant government authorities. 

Other cyber security initiatives 

A series of implementation rules and technical standards are under formulation, and are expected to be published during 2018 and 2019.

While they provide more detailed requirements to implement the general principles provided in the CSL, they might also expand the application scope of certain requirements.

Useful links

  • The official website of the CAC (where relevant regulations and rules are typically published): http://www.cac.gov.cn/
  • The official website of the National Information Security Standardization Technical Committee (where major technical standards will be published): https://www.tc260.org.cn/



Authors

Nick Beckett
Managing Partner
Beijing
Amanda Ge
Associate