Data protection in China: overview | Practical Law

Data protection in China: overview
by Marissa Xiao Dong, Jun He Law Offices
Law stated as at 01 Oct 2016 • China

A Q&A guide to data protection in China.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the data protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

In summary, the EU model of personal data protection law does not yet exist in the People's Republic of China. China has not enacted a single piece of legislation that specifically addresses the collection, storage, transmission and operation of personal information. China also has not entered into any treaty with the EU or any sovereignty similar to the EU-US safe harbour framework. However, the Civil Code and Tort Liability Law provide legal recourse for infringement of rights to privacy. There are also a few provisions in PRC laws and regulations that generally address the protection of personal information, typically regulating a specific industrial sector (for example, the telecommunication sector) or relating to certain information of a specific nature (for example, individual financial credit information, consumer information, population health information and medical records).

Major general laws

The major general laws include:

• The PRC Constitution.
• The Decision of the Standing Committee of the National People's Congress on Strengthening the Network Information Protection (NPC Decision).

Sectoral laws

The major sectoral laws include:

• The Decision of the Standing Committee of the National People's Congress on Revising the Consumer Rights Protection Law of the People's Republic of China (Consumer Rights Law).
• Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation).
• Administrative Measures for Online Transactions.
• Personal Information Security Measures for Mailing and Courier Services.
• Medical Records Administration Measures of Medical Institutions.
• Measures for Administration of Population Health Information (PHI Measures).

Scope of legislation

2. To whom do the laws apply?

The laws and regulations apply to different industry sectors according to the nature of the personal information.

3. What data is regulated?

Different types of personal information are regulated by different laws and regulations. For example, the NPC Decision applies to electronic information that is able to identify the identity of individual citizens and electronic information concerning the personal privacy of citizens.

The MIIT Regulation defines "personal information of users" as:

• Information that can be used to identify the user (including name, date of birth, identification number, address, telephone number, and account numbers and associated passwords) when used independently or when combined with other information; and
• Information that concerns the time and location of the users' use of a service, and that is collected by telecom business operators and internet information service providers during their provision of services.

The Measures for Punishment of Infringements on Consumer Rights and Interests issued by the SAIC define consumers' personal information as "the information collected by business operators during the provision of goods or services that may be used for identifying a consumer either independently or in combination with other information, and shall include name, gender, occupation, date of birth, identity document number, residential address, contact details, income and asset conditions, health conditions and consumption habits of a consumer".

The PHI Measures define "population health information" as all of the following:

• Basic demographic information.
• Medical and health care services information.
• Other population health information.

The population health information is generated by all types of medical, health care and family planning services, at all levels, during the process of management and providing services pursuant to laws and regulations and according to their work responsibilities.

4. What acts are regulated?

The collection and use of personal information is generally regulated.

5. What is the jurisdictional scope of the rules?

The jurisdictional scope of the rules is the PRC (and for these purposes does not include Hong Kong, Macau and Taiwan).

6. What are the main exemptions (if any)?

There are no exemptions.

Notification

7. Is notification or registration required before processing data?

There is no specific requirement for notification or registration with a governmental authority before processing data.

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

There is no specific definition of a data controller under the current PRC law. Companies and other legal entities that collect and use personal information are generally required to:

• Comply with the principles of legitimacy, rightfulness and necessity when collecting and using personal information.
• Specify and comply with their policies regarding the purpose, manner and scope of collecting and using personal information.
• Obtain consent from any individual whose information is collected.
• Refrain from collecting or using personal information in breach of any laws or regulations, or in breach of the agreement with any individual whose information is collected.
• Ensure that personal information is kept confidential, and not disclosed, sold or provided illegally to others.

9. Is the consent of data subjects required before processing personal data?

According to the NPC Decision, Consumer Rights Law and MIIT Regulation, consent is required for the collection and use of an individual's personal information. However, there are no detailed requirements under the current PRC law regarding the specific form or content of the consent, or whether consent can be implied or inferred.

10. If consent is not given, on what other grounds (if any) can processing be justified?

Personal information can be processed by public security and/or procuratorial authorities without consent, in accordance with procedures prescribed by law:

• For satisfying the needs of national security.
• For an on-going criminal investigation.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

There is currently no specific definition of sensitive data in Chinese law. However, special rules apply to certain types of personal data, including:

• Medical records.
• Population health information.
• Personal information collected by commercial banks.
• Personal credit information.

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Under the MIIT Regulation, the following information must be provided by telecom business operators and internet service providers when they collect personal information:

• The purpose, method and scope of the information to be collected or used.
• The ways in which users can inquire about and/or correct information.
• The consequences of refusing to provide information.

13. What other specific rights are granted to data subjects?

Telecom business operators and internet service providers must provide ways for users to inquire about and/or correct their personal information (see Question 12).

14. Do data subjects have a right to request the deletion of their data?

The NPC Decision and the MIIT Regulation do not specifically grant individuals the right to request the deletion of their personal information. However, the MIIT Regulation does require that, after users have terminated their use of telecommunication or internet information services, telecom business operators and internet information service providers must stop the collection and use of the users' personal information, and provide the users with services for deregistering the relevant phone numbers or account numbers.

Security requirements

15. What security requirements are imposed in relation to personal data?

The MIIT Regulation imposes the following security requirements on telecom business operators and internet information service providers (Article 13):

• To specify the responsibilities of each department, post and branch in terms of managing the security of personal information.
• To establish work processes and security management systems for the collection and use of personal information and any related activities.
• To manage the authority of different staff members and agents, review the batch export, duplication and destruction of information, and take measures to prevent the leak of confidential information.
• To properly keep the carriers recording users' personal information, such as paper media, optical media and magnetic media, and take appropriate secure storage measures.
• To conduct access inspection of the information system that stores users' personal information, and take intrusion prevention, anti-virus and other measures.
• To record the staff members who perform operations on users' personal information, including the time and place of such operations and the matters involved.
• To carry out communications network security protection work as required by the relevant Telecommunications Authority.
• Other necessary measures prescribed by the relevant Telecommunications Authority.

The MIIT Regulation also requires that telecom business operators and internet information service providers must give members of staff relevant training on the knowledge, skills and responsibility relating to the protection of personal information (Article 15). They must also conduct at least one self-inspection of their methods of protecting personal information, record the self-inspection results and promptly eliminate any security risks discovered during the self-inspection (Article 16).

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

It is required under the MIIT Regulation that where personal information kept by a telecom business operator or an internet information service provider has been, or is likely to be, divulged, damaged or lost, the telecom business operator or internet information service provider must take remedial measures. It must immediately report the situation to the specific Telecommunications Authority that had previously granted licensing or recording permission. It must also co-operate with the relevant departments in the investigation and handling of the situation if serious consequences are or may be caused. There is no national level requirement to notify data subjects; however, certain local consumer protection regulations (for example, Shanghai) also require personal data security breaches to be notified to data subjects.

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Consent needs to be obtained from the relevant individuals when a third party processes their personal information.

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Although there is no specific legal requirement on the conditions upon which an enterprise or individual can store cookies or equivalent devices on other individuals' terminal equipment, the information collected through cookies or equivalent devices may be considered users' "personal information" under the MIIT Regulation, and so the installation of cookies or equivalent devices for the purpose of collecting such information may be required to follow all the relevant legal requirements.

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Under the NPC Decision and the Consumer Rights Law, no organisation or individual is permitted to send commercial information to consumers:

• Unless the consumer requests the information.
• Unless the consumer consents to receiving the information.
• Where consumers have expressly refused to receive this information.

The Administrative Measures Regarding Internet E-mail Services (E-mail Measures) issued by MIIT, effective from 20 February 2008, set out more specific requirements for communications by e-mail. Any organisation or individual must not directly or indirectly (Article 13, E-mail Measures):

• Intentionally destroy or forge e-mail contents.
• Send e-mail(s) containing business advertisements without the explicit consent of the recipient.
• Fail to give a clear indication of the word "advertisement" or "AD" at the beginning of the e-mail title when sending e-mail(s) containing commercial advertisement content.

Under the E-mail Measures, where an e-mail recipient clearly agrees to receive e-mail(s) containing commercial advertisement content, but later withdraws his consent, the e-mail sender should stop sending such e-mails unless otherwise agreed by both parties. When sending e-mail containing commercial advertisements, the sender must provide contact information to the receiver to refuse receipt of further e-mails. The contact information must include the e-mail address of the sender, and a guarantee that this information is valid for 30 days.

The Administrative Provisions on Short Message Services for Communication issued by the MIIT, effective from 30 June 2015, also impose various requirements for sending SMS, for example, an SMS provider must:

• Make available convenient and effective methods for users to refuse to receive such messages. The users must be informed of such methods, and the provider must not hinder the users from refusing to receive messages in any form.
• Clearly indicate the names of the message content providers.

The Advertisement Law also provides that no organisation or individual can deliver advertisements to the houses or means of transportation of the parties concerned without their consent or their request, or send advertisements to the parties concerned through electronic message. When an advertisement is sent through electronic message, the true identity and contact information of the sender must be clearly indicated, and those to whom the advertisement is sent must be provided with the methods for refusing to continue to receive the advertisements.

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

There are currently no specific legal requirements for the transfer of personal information outside of China. However, where the personal information transferred is of a specific nature, there are certain requirements under industrial regulations and rules. For example, personal information collected by commercial banks must be stored, handled and analysed within the territory of China, and such personal information is not allowed to be transferred overseas. In addition, disclosing information to an offshore entity is still prohibited if the information involves state secrets of the PRC.

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Certain types of personal data are required to be stored and processed within the territory of the PRC, for example, population health information and personal financial credit information collected by banks in China.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are not in use in China.

23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

There is currently no specific legal requirement regarding data transfer agreements (see Question 22).

24. Does the relevant national regulator need to approve the data transfer agreement?

There is no such requirement in place in China (see Question 22).

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

There is currently no national regulator that is specifically responsible for general personal information compliance matters. The major regulators involved include:

• The Ministry of Industry and Information Technology (MIIT). Regulates personal data collected and used in the telecom and internet sectors.
• The National Health and Family Planning Commission (NHFPC). Regulates medical records and population health information.
• The State Post Bureau (SPB). Regulates personal data collected and used in mailing and courier services.
• The State Administration for Industry and Commerce (SAIC). Regulates consumer personal information, except in areas or sectors where a specific authority has been given responsibility.

26. What are the sanctions and remedies for non-compliance with data protection laws?

Non-compliance with data protection laws can result in the following consequences (subject to the type of personal information concerned and the nature and severity of the non-compliance):

• Administrative penalties, including warnings, confiscation of illegal business earnings, and/or a fine.
• Tort liability.
• Criminal liability.

Regulator details

The Ministry of Industry and Information Technology (工业和信息化部)

W www.miit.gov.cn

The Ministry of Industry and Information Technology of the PRC, established in March 2008, is the state agency of the PRC responsible for the regulation and development of industry, telecommunication and informatisation.

State Administration for Industry and Commerce (国家工商行政管理总局)

W www.saic.gov.cn

The State Administration for Industry and Commerce is the state agency of the PRC mainly responsible for supervision and administration of the market.

Online resources

W www.gov.cn/zhengce/zc_flfg.htm

Description. The web page of the central government of China on which promulgated laws and regulations are published. All the laws and regulations are in Chinese.

Contributor profiles

Marissa Xiao Dong, Partner
Jun He Law Offices
T +86 10 8519 1293
F +86 10 8519 1350
E dongx@junhe.com
W www.junhe.com

Professional qualifications. Qualified in PRC

Areas of practice. Corporate and M&A; Information Law.

Recent transactions. Marissa Dong has advised on many private and public transactions for multinational companies, private equity firms and Chinese state-owned and private companies, across a wide spectrum of industrial sectors, particularly the internet and telecommunication, education and manufacturing businesses. In addition to her corporate and M&A practice, as an Information Law expert, Marissa Dong has advised many multinationals (including both Chinese and foreign nationals) on data privacy, information security and related regulatory matters in China.

Languages. Mandarin, English

Publications.

• China contributor to Global Security and Privacy Law.
• Recent articles in Bloomberg BNA: Agency Issues Draft Regulation on Administration of Personal Health Information (January 2014); New Online Transaction Rules Enhance Protection of Consumers (March 2014); Authorities to Accelerate Introduction of Personal Info Law (February 2016); China's Draft Cyber Security Law (July 2015).

© 2017 Thomson Reuters. No claim to original U.S. Government Works.