August 9, 2022



PRC Legal Update: Introduction to the legal requirements on personal data protection in China | Bryan Cave Leighton Paisner

[co-author: Mary Lam]


In light of the advancement of technology and the widespread use of the internet to transmit information, personal data protection has become a hot topic as people have become more aware of their right to privacy. This article aims to provide a general introduction to the relevant legal requirements concerning data protection in China, particularly in the context of collecting, processing and storing personal data. This article also addresses some points to note when transferring personal data to overseas recipients outside China, including through storing personal data in a system with overseas network servers (“Cross-border Transmission of Personal Data”).

China does not currently have a comprehensive data protection law – rules governing data protection are scattered across the relevant existing laws, regulations, national standards and governmental guidelines such as the Cybersecurity Law, the Civil Code and the Decision on Strengthening Online Information Protection.

There are also a number of draft laws, regulations and national standards that are yet to be promulgated by the Chinese legislative or administrative authorities. These include the draft Personal Information Protection Law, draft Data Security Law, draft Administrative Measures on Data Security, draft Measures for Security Assessment on Cross-border Transfer of Personal Information, draft Information Security Technology Guidelines for Cross-border Data Transfer Security Assessment, and draft Critical Information Infrastructure Security Protection Regulation. Since these “drafts” are not yet effective, they do not have the status of law, but they are of great reference value for now, as the current legislative trend in China appears to indicate that China is actively speeding up the promulgation of the relevant laws on data protection.

On 26 April 2021, the draft Personal Information Protection Law was submitted to the Standing Committee of the National People’s Congress of China for second review. We anticipate that the draft Personal Information Protection Law will come into effect within the next one to two years. Given its significant impact on personal data protection once it comes into effect, we have also included the applicable rules under this draft law in this article.

Practical Recommendations

Based on the relevant rules set out in sections A and B below, we suggest that companies which are processing or are looking to process personal data in China (including transferring personal data to overseas recipients) should at least take the following precautionary measures to ensure compliance with the relevant legal requirements:

  • obtaining the consent of the data subjects for collecting their personal data
  • formulating and disclosing to the data subjects the applicable policies concerning the collection, use, purpose, processing, remedial measures etc. in respect of the personal data to be collected
  • only collecting personal data to the extent necessary for the permitted statutory purpose(s)
  • keeping the personal data collected confidential, taking appropriate measures to ensure the security of the data and not disclosing it to any third party without the consent of the data subjects
  • providing rights to the data subjects for accessing, copying, correcting or deleting etc. their personal data collected
  • keeping the personal data collected within China. Otherwise, there is a risk that the relevant risk assessment, security assessment and/or any other statutory procedures on the proposed Cross-border Transmission of Personal Data may need to be carried out.

We set out in the sections below the specific requirements regarding personal data protection under the relevant existing laws and regulations in China, as well as under the draft Personal Information Protection Law.

Brief Summary of the Rules

A. Collection, processing and storage of personal data

1. Rules under the draft Personal Information Protection Law (the “draft PIPL”) (currently in draft form, but likely to come into effect in the near future)

The draft PIPL, upon being passed as a law, will become China’s first comprehensive law on the protection of personal data.

It applies to the processing of individuals’ personal data that takes place in China regardless of their nationality. It imposes an obligation to protect personal data not just on network operators, but on all “personal data processors” in general. “Personal data processors” is defined in Art. 72(1) as “organizations or individuals that independently determine the purpose, scope and means of processing of personal data”.

Art. 13 sets out the six lawful bases for processing personal data:

(i) The data subject’s consent is obtained
(ii) Necessary for the conclusion or performance of a contract to which the data subject is a party
(iii) Necessary for the fulfilment of statutory duties or obligations
(iv) Necessary for responding to public health incidents or for the protection of the life, health and property of the data subject or other persons in emergency circumstances
(v) To a reasonable extent, processing personal data which is already in the public domain pursuant to the rules under the PIPL
(vi) To a reasonable extent, for journalism or media supervision in the public interest; and
(vii) Other circumstances as provided by Chinese laws and regulations.

The data subject’s consent is not required under the circumstances falling within items (ii) to (vii) above. The “consent” referred to in item (i) above must be an informed, explicit and freely given indication of the wishes of the data subject (Art. 14). Separate opt-in consent is required for processing sensitive personal data, which includes but is not limited to race, ethnic group, religious beliefs, personal biometric data, health data, financial account information and location data (Art. 29, 30). The data processor must inform the data subject of (i) the purpose, method and scope of processing his personal data, and (ii) how long such data will be stored (Art. 18).

The draft PIPL also provides for various rights of the data subject, including the right to information and explanation on the data processing (Art. 45), the right to access and request a copy of personal data (Art. 45), the right to correction (Art. 46), the right to object to processing (Art. 44), the right to withdraw consent (Art. 16) and the right to deletion (Art. 47).

Last but not least, the draft PIPL imposes an obligation on personal data processors to adopt a holistic data protection compliance programme to safeguard personal data throughout its entire lifecycle, covering such matters as regular compliance audits, risk assessments, periodic employee training, records of personal data processing activities, protocols for responding to data subjects’ requests, data breach reporting, remedial measures for data breaches, and designating a person responsible for data protection (Art. 51-56).

2. Rules under the Cybersecurity Law (the “CSL”) (effective from June 1, 2017)

The following provisions of the CSL set out the requirements of personal data protection regarding “non-network operators”:

  • Art. 12 states that “any person and organization using networks…must not… produce or disseminate… information that infringes on the reputation, privacy, intellectual property or other lawful rights and interests of others”.
  • Art. 44 states that “individuals or organizations must not steal or use other illegal methods to obtain personal information, and must not unlawfully sell or unlawfully provide others with personal information”.

“Network operators” is defined as “network owners, administrators, and network service providers” (Art. 76).

3. Rules under the Civil Code (the “Code”) (effective from January 1, 2021)

Art. 1035 and 1038 of the Code stipulate the following requirements that personal data processors must comply with when processing personal data:

  • Obtain the consent of the data subjects
  • Specify the purpose, method and scope of processing personal data to the data subjects
  • Comply with the provisions of applicable laws and regulations and agreements with the data subjects
  • Keep the personal data collected confidential and stored without any tampering
  • Not provide the personal information to third parties without the consent of the data subjects, except for information that cannot be identified and cannot be recovered after processing
  • Take technical measures or other necessary measures to ensure the security of the personal data; and
  • If a data breach occurs or may occur, take remedial measures to notify the data subjects and report to the regulatory authority.

Art. 1037 grants data subjects the following rights:

  • The right to access and copy their personal data
  • The right to raise objections and request correction of their personal data; and
  • The right to delete their personal data when it is found that the personal data processor violates any laws and regulations or the agreement between the two parties.

4. Rules under the Decision on Strengthening Online Information Protection (the “Decision”) (effective from December 28, 2012)

The Decision’s application is limited to online personal data.

Similar to the draft PIPL, it provides that organizations and individuals are prohibited from obtaining citizens’ personal electronic data by theft or other unlawful means, or from selling or illegally providing that data to others.

The Decision also sets out the following obligations for businesses that intend to collect and use personal electronic data:

  • Must make their policies for data collection and use public
  • Must explicitly state the purposes, means, and scope of the data collection
  • Must obtain the consent of all of the data subjects
  • Must not violate any relevant laws and regulations; and
  • Must not violate any agreements or contracts with the data subjects.

B. Cross-border Transmission of Personal Data

1. Rules under the draft Personal Information Protection Law
The draft PIPL extends the reach to entities other than CIIOs. Under the draft PIPL, different measures will apply to:

(i) personal data processors who engage in cross-border transfer of data up to a certain threshold level (to be specified by the Chinese government after the law is passed)
(ii) personal data processors who engage in cross-border transfer of data above that threshold level; and
(iii) CIIOs (operators of Critical Information Infrastructure).

Art. 38 provides that, up to the specified threshold (i.e. category (i) above), personal data processors will be permitted to transfer personal data out of China if they satisfy one of the following three conditions:

  • obtaining a personal data protection certification through a certification body accredited by the Cyberspace Administration of China
  • entering into a contract with the overseas data recipient and supervising the recipient’s activities to ensure compliance with PIPL standards; or
  • passing a government security assessment.

Above the specified threshold (i.e. category (ii) above) and for CIIOs, organisations will be required to pass a security assessment organised by the PRC cyberspace authorities before they can transfer data abroad.

The draft PIPL does not lay down any procedure for conducting such a security assessment. This is likely to be announced in the relevant implementation rules after the law is passed.

Apart from the above mechanisms for data export, the draft PIPL also requires all data exporters to:

  • notify data subjects of the conditions of the transfer and obtain a separate consent (Art. 39)
  • carry out a risk assessment. The risk assessment shall cover: whether the purpose and method of processing personal data are legitimate, justifiable and necessary; the impact on individuals and the degree of risk; and whether the security protection measures taken are legitimate, effective and appropriate to the degree of risk. The risk assessment report and processing record shall be kept for at least three years (Art. 55); and
  • ensure that foreign recipients are not subject to the data export restriction/prohibition list as may be announced by the Chinese government (Art. 42).

2. Rules under the Cybersecurity Law
In terms of the localisation of storage of personal data, the CSL applies only to the operators of ‘Critical Information Infrastructure’ (“CIIO”), who are required to store personal data collected and generated in the course of their operations in China (Art. 37). Under the CSL, where it is necessary for a CIIO to provide such data to parties outside mainland China (including HK and Macau) due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council (Art. 37).

‘Critical Information Infrastructure’ (“CII”) is defined as infrastructure “which—if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people’s livelihood, or the public interest” (Art. 31). The wording of the definition leaves a very wide scope for interpretation. The CSL only provides some examples of the industries in which CIIs may exist, e.g. public communication and information services, energy, communications, water conservation, finance, public services and e-government affairs. The Draft Critical Information Infrastructure Security Protection Regulation (the “CII Regulations”) further provides that CII protection should apply to:

  • government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection and public utilities sectors
  • information networks, such as telecommunication networks, broadcast television networks and the internet, and entities that provide cloud computing, big data and other large-scale public information network services
  • research and manufacturing entities in sectors such as science and technology for defence, large equipment manufacturing, the chemicals industry and the food and drug sectors; and
  • press entities such as broadcasting and television stations, news agencies and other key entities.

In theory, the localization requirement does not apply to organizations that do not belong to the above-mentioned CII sectors. However, given the ambiguity of the definition of CII, there is always a possibility that such localisation requirement will apply. In addition, the draft PIPL discussed above, once passed, will likely impose a data localization requirement on all organizations, regardless of whether they are in the CII sectors.


The above only provides a brief summary of the current legal requirements regarding personal data protection under the relevant laws and regulations in China (including the draft laws which may come into effect in the near future). There is no doubt that the rules on data protection in China will develop at a fast pace in the next few years based on the current legislative trend in China, and organizations in China will face significant compliance challenges as a result of such development. Accordingly, companies and foreign investors doing business in China are advised to stay alert to the latest developments in this regard to ensure compliance with the relevant legal requirements.
