A Q&A guide to data protection in China.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
There is no specific data protection legislation currently in force. However, a draft Guide for Personal Information Protection (Draft Guidelines) has been published. This will have a significant impact on the data protection legal regime when it comes into force. However, the implementation date of the Draft Guidelines is not yet known.
Constitutional law. The Chinese Constitution (Constitution):
Provides a general right to privacy.
Provides legal protection to citizens' rights to freedom of communication and privacy of communications.
Stipulates a general right of citizens to be free from infringements on their dignity, and protects citizens from defamation, false accusations and insults.
Together, these provisions lay the foundations for a general right to privacy in China. The actual enforcement of this right is primarily achieved through the General Principles of the Civil Law of the People's Republic of China (GPCL).
GPCL. The GPCL is often cited in civil actions relating to data privacy in China. However, its application is not straightforward because it does not contain any provisions specifically related to data privacy. Instead, Chinese courts treat a privacy violation as analogous to a violation of reputation, and rely on the legal provisions protecting reputation.
Tort law. The tort law of China provides that an infringer is liable for infringing the civil rights of others, including the right of privacy.
Criminal law. Criminal liability is imposed on employees of government agencies or private organisations in the finance, telecommunications, transportation, education and medical sectors if they sell (or otherwise unlawfully provide to third parties) the personal data of any citizen obtained in the course of performing employment duties or services.
Notice of the People's Bank of China on Banking Financial Institutions Protecting Personal Financial Information (Notice). Under the Notice, financial institutions are obliged to protect individuals' personal financial information.
Consumer protection laws. Consumer protection laws do not regulate data protection or data privacy.
The Draft Guidelines will apply to Chinese nationals and people who conduct data collection, processing and transferring activities in China.
Personal financial data which can identify an individual is regulated under the Notice (see Question 11). This includes, for example:
Name.
Personal address.
Identification number.
Personal data refers to any data or information in connection with a specific individual, which can be used, separately or in combination with other data, to identify the individual (section 4, Draft Guidelines).
Data collection and processing and data transfer are regulated activities (section 4, Draft Guidelines). Disclosure and use of personal data are not currently regulated.
The Draft Guidelines will apply to Chinese nationals and people/entities carrying out regulated activities (data collection, processing and transfer) in China.
There are currently no main exemptions. However, the Draft Guidelines contain an exemption where disclosure is made for the public interest and the data owner suffers no personal harm as a result of the disclosure.
There is no requirement for registration before processing data under the Draft Guidelines. However, notification to the individual data owner is required before data collection and processing under the Draft Guidelines. Such notification must include the following:
The content of the data.
The channel for obtaining such data.
The purpose and scope of the usage.
The data protection policy or method which the data processor will implement when processing such data.
Relevant information relating to the data processors.
Whether such data will be disclosed to third parties.
The current legislation does not impose any obligations on data controllers. Under the Draft Guidelines:
The data processor can only process the data for the stated purpose and within the scope that the data controller has notified to the data subject.
The data controller should take measures to keep the personal data it collects confidential during processing and storage of the data.
If the data controller uses a third party to process the personal data, they should inform the data subject of this fact before collecting the data.
The current legislation does not impose any consent requirements and there are no special rules concerning consent by minors.
The consent of data subjects is required before processing personal data (section 19, Draft Guidelines). There are no detailed requirements regarding the form or content of such consent. Implied or inferred consent does not appear to be legally valid. If the personal data owner is a minor (under 16 years old), consent from their guardian is required.
While this is not specifically stated in the Draft Guidelines, governmental authorities have wide freedom to conduct processing activities in the public interest. Therefore, specific legislative requirements or the requirements of authorities could provide justification for processing data without consent (that is, when required for national security reasons).
Special rules apply to personal financial data. Financial institutions must protect individuals' personal financial information, which includes (section 1, Notice):
Information that can identify the individual (such as name and identity number).
Assets information.
Account information.
Credit information.
Financial transaction information.
Other related information.
See Question 7.
The current legislation does not provide any specific rights to data subjects. However, under the Draft Guidelines, the data owner can choose to refuse data processing, require incorrect information to be corrected or terminate the data processing (section 15, Draft Guidelines).
The current legislation does not provide any specific rights for data subjects to request deletion of their data. However, under the Draft Guidelines, data subjects have a right to request the deletion of their data (section 37, Draft Guidelines).
Under current legislation, the Notice requires financial institutions to apply proper organisational and technical measures to protect personal financial data (section 3, Notice).
Neither the current law nor the Draft Guidelines specify that a data processor can be liable for unauthorised access to data it holds.
Under the Draft Guidelines, data processors must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal data (sections 40, 41 and 42, Draft Guidelines).
There is no requirement to notify personal data security breaches to data subjects or the national regulator.
Under the Notice, if there are any breaches, the financial institution must report these to the People's Bank, which is the national regulator of financial institutions in China.
No additional requirements are currently imposed where a third party processes the data.
Data collectors must inform data owners that the data will be processed by a third party (section 26, Draft Guidelines). Data collectors must ensure the third party complies with the Draft Guidelines and ensure the safety of such data when they are transferred or processed.
This is not covered in the Draft Guidelines or by the current law.
This is not covered in the Draft Guidelines or by the current law.
Financial institutions cannot transfer individual financial information outside China (section 6, Notice).
Data cannot be transferred offshore without the authority's approval or relevant regulatory permissions (section 33, Draft Guidelines).
Data transfer agreements are not contemplated or in use in China.
Not applicable.
Not applicable.
The Ministry of Information and Industry of China is the national regulator for supervising compliance with data protection regulations (see box, The regulatory authority) and has enforcement powers across China. In practice, some of these powers are delegated to its local counterparts, but this does not exclude the national regulator's power to directly investigate any issue if it considers this necessary.
The national regulator does not currently impose any sanctions for non-compliance with legislation. No specific sanctions and remedies are introduced by the Draft Guidelines.
W www.miit.gov.cn/n11293472/index.html
(No translated version of the website is available.)
Main area of responsibility. Supervising compliance with data protection regulations.
T +86 10 6561 1788
F +86 10 6561 5158
E edna.deng@dlapiper.com
W www.dlapiper.com
Qualified. China, 2004
Areas of practice. Data protection; franchising; licensing.
Recent transactions