Data Protection & Privacy 2022

Last Updated March 10, 2022

China

Law and Practice

Author



Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 400 partners and over 2,500 professionals, and with offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team was the first to specialise in the field. The partners of Zhong Lun have been invited to participate, as industry experts, in the legislative process relating to cybersecurity and data protection legislation many times. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated abundant experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues. Zhong Lun’s clients in this field include Microsoft, ZTE, Daimler, SAP, China Life, CITIC and Cisco.

Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. Data subjects’ rights to privacy and data protection are protected by the Civil Code (民法典), the Criminal Law (刑法), the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法), the E-commerce Law (电子商务法), the Provisions of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定) and, most importantly, the three fundamental laws (Three Fundamental Laws): the Cybersecurity Law (CSL; 网络安全法), the Data Security Law (DSL; 数据安全法) and the Personal Information Protection Law (PIPL; 个人信息保护法). The Three Fundamental Laws have established the foundations of cybersecurity and data protection in China, which are supplemented by:

  • implementing regulations, measures and rules promulgated by the Cyberspace Administration of China (CAC) and by the relevant ministries, including the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS); and
  • national standards issued by the National Information Security Standardisation Technical Committee (TC260).

Since data protection is a topic that impinges upon all industries, there are a wide range of law enforcement departments related to it and their duties and authorities intersect with each other. There is no centralised regulatory body. Among all these regulators, the three most important ones are the CAC, the MPS and the MIIT.

According to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR), and industry regulators are in charge of law enforcement in the respective industries.

Network operators and data handlers are obligated to co-operate with cyberspace administrators and any other regulators in their inspection and supervision activities (Article 49 of the CSL; see also Article 63 of the PIPL). Law enforcement activities are triggered in different ways, including:

  • reporting – where users may report to the above-mentioned regulators and consumer protection organisations and investigations are launched accordingly;
  • regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
  • inquiries into data leakage events.

The competent authorities, when imposing administrative punishment and enforcing the Three Fundamental Laws and relevant laws and regulations, shall abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 36). The penalised parties should be given opportunities to state their case and defend themselves (Article 6). The penalised party is entitled to a hearing where the administrative punishment involves suspension of business, rescission of business permit or licence, or a large penalty (Article 42).

According to Article 6 of the Law on Administrative Penalty, where the penalised party does not accept the administrative punishment, it may first apply to the relevant administrative organ for reconsideration and, if it does not accept the reconsideration decision, may then initiate an action before the people’s courts. Unless the relevant laws require administrative reconsideration to be exhausted before judicial review is sought, the penalised party may also initiate an action before the people’s courts directly.

Additionally, public security departments shall abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, there shall be at least two police officers present at an on-site inspection, and law enforcement officers shall keep confidential any personal and private information that becomes known to them during the inspection.

China signed the Regional Comprehensive Economic Partnership (RCEP) on 15 November 2020, which came into effect on 1 January 2022, and is one of its 15 member countries. An emphasis on personal information (PI) protection is made under the chapters on trade in services (financial services, Annex 8A) and electronic commerce (Chapter 12). In principle, the orderly cross-border transfer of information for the purpose of conducting business shall be protected by the member countries. At the same time, RCEP member countries are allowed to regulate cross-border data transfers to safeguard public interest and national security.

The National Computer Virus Emergency Response Centre (CVERC; 国家计算机病毒应急处理中心) is a public institution in charge of tackling computer viruses. During the special project “Clearing the Network 2021” (for further details of which, please refer to 1.7 Key Developments), the CVERC conducted security checks on the internet and detected multiple apps that violated privacy protection regulations. The CVERC published the names, versions and acts of violation of the apps and required their removal from the app stores.

The China Consumers Association is a social organisation established by Article 36 of the Consumer Protection Law to supervise the provision of goods and services for the purpose of protecting consumers’ legitimate rights.

Privacy and data protection provisions in China share the same goals as those of various other jurisdictions, which are to safeguard the rights of PI subjects and to punish acts of infringement. Compared with the CSL, there are far more similarities between the PIPL and the GDPR.

Similarities of the PIPL with the GDPR

Similar to the GDPR, the PIPL has an extra-territorial effect on overseas PI processing activities, when the processing is for the purpose of providing products or services to, or analysing individuals within, China.

Also similar to the GDPR, the PIPL provides for several legal bases including:

  • the data subject’s consent;
  • execution and performance of a contract, to which the data subject is a party;
  • implementation of human resources management in accordance with the labour rules and regulations formulated according to law and the collective contract signed according to law;
  • performance of legal duties or obligations;
  • dealing with a public health emergency or to protect natural persons’ life, health or asset security in an emergency;
  • conducting reasonable news reporting and oversight of public opinion for the protection of public interest; and
  • others, as required by laws and administrative regulations.

However, it is worth noting that “legitimate interest” under the GDPR has not been included in the PIPL as one of the legal bases.

Other similarities include the principles for processing PI, PI subject rights, obligations of the PI handlers, restrictions on automated decisions, and restrictions on processing activities by government authorities.

Differences between the PIPL and the GDPR

A noticeable difference lies between the definition of sensitive personal information under the PIPL and the definition of special categories of personal data under the GDPR, where the former covers a much wider range. Sensitive personal information under the PIPL refers, broadly, to PI that may give rise to discriminatory treatment, or cause harm to personal or property security, once it is leaked or unlawfully provided, while the types of special categories of personal data are listed exhaustively under the GDPR. The requirements for processing sensitive personal information under the PIPL follow the same consent-based framework as that for PI generally, with separate consent additionally required, while under the GDPR the default rule is not to process special categories of personal data except in certain circumstances.

“Separate consent” is a new requirement introduced by the PIPL, which is not yet clearly defined and might raise the requirement on the form of consent needed.

Another difference between the PIPL and the GDPR lies in the rules regarding data localisation and cross-border transfer of data. The GDPR limits data flows to third countries and international organisations through mechanisms such as standard contractual clauses, while the PIPL regulates cross-border data flows through a security assessment, certification by a qualified agency or standard contractual clauses.

Last but not least, there is no centralised regulatory body under the Chinese privacy protection regime, as there is under the GDPR. In China, the three most important regulators are the CAC, the MPS and the MIIT. (See 1.2 Regulators for further detail.)

Key developments in legislation in the past 12 months include:

  • the revised Measures for Cybersecurity Review (网络安全审查办法), which were issued in December 2021, published in January 2022 and will come into effect on 15 February 2022;
  • the PIPL, which was published in August and came into effect on 1 November 2021;
  • the DSL, which was published in June and came into effect on 1 September 2021;
  • the Regulations on the Administration of Network Data Security (Draft) (网络数据安全管理条例(征求意见稿)), which were published in November;
  • the Measures for the Security Assessment of Data Cross-border Transfer (Draft) (数据出境安全评估办法(征求意见稿)), which was published in October;
  • the Security Protection Regulations for Critical Information Infrastructure (关键信息基础设施安全保护条例), which was published in July and came into effect in September;
  • the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process PI (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), which was published in July and came into effect in August;
  • the Rules on the Scope of Necessary PI for Common Types of Mobile Internet Applications (常见类型移动互联网应用程序必要个人信息范围规定), which was published in March and came into effect in May;
  • the Several Provisions on Automotive Data Security Management (for Trial Implementation) (汽车数据安全管理若干规定 (试行)), which was published in August and came into effect in October; and
  • the Administrative Provisions on Algorithm Recommendation for Internet Information Services (互联网信息服务算法推荐管理规定), which was published in December, and will enter into effect in March 2022.

Major regulatory and enforcement activities that drive public attention include:

  • the MPS launching a special project “Clearing the Network 2021” (净网 2021) targeting illegal acts including infringement of PI;
  • the CAC launching a special project “Brightening the Network 2021” (清朗 2021) targeting illegal content in cyberspace;
  • the MIIT and CAC publicly criticising apps that infringed customers’ rights and interests and requiring removal of such apps from app stores; and
  • the CAC launching cybersecurity reviews on several enterprises to prevent national data security risks and protect public interests.

In the next 12 months, it is expected that the following will take place.

  • The Regulations on the Administration of Network Data Security (Draft) will be finalised by the CAC and the official version is likely to be published in 2022.
  • The regulatory mechanism for the cross-border transfer of PI and Important Data will most likely be finalised along with the official version of the Measures for the Security Assessment of Cross-Border Data Transfer and Chinese Standard Contractual Clauses.
  • The identification process for important data and the compliance obligations of important data handlers under the CSL and DSL are likely to be implemented.
  • The regulations on internet information services and algorithms will come in effect in 2022; the focus of data regulatory activity will accordingly move towards the regulation of algorithms.
  • The number of litigation cases on PI protection will increase.

The Three Fundamental Laws form the basic legal framework of China’s data protection and privacy framework. In addition, the following regulations and national standards are crucial to understanding the legal framework in China on data protection and privacy:

  • the Provisions on the Cyber Protection of Children’s PI;
  • the Measures for Cybersecurity Review (amended);
  • the Security Protection Regulations for Critical Information Infrastructure;
  • the Administrative Provisions on Algorithm Recommendation for Internet Information Services;
  • the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ PI (Supreme People’s Court and the Supreme People’s Procuratorate Interpretations; 最高人民法院最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释); and
  • the Information Security Technology – Personal Information Security Specification (PI Specification; GB/T 35273-2020 信息安全技术 个人信息安全规范).

The following draft measures and national standards are important indicators of future legislation:

  • the Regulations on the Administration of Network Data Security (Draft);
  • the Measures for the Security Assessment of Cross-Border Data Transfer (Draft); and
  • the GB/T-Information Security Technology - Important Data Identification Guidelines (Draft) (重要数据识别指南(征求意见稿)).

The CSL applies to network operators, which encompass virtually all companies involved in any kind of internet-based services. The PIPL applies to PI handlers, meaning the person or entity that is in a position to decide the purpose and means of PI processing. The DSL applies to handlers conducting data processing activities in mainland China. For most entities that process personal data, all of the Three Fundamental Laws would apply.

Data Protection Officers (DPOs)

The CSL requires network operators to appoint personnel responsible for cybersecurity. When the amount of PI processed by an entity reaches a certain level, the entity shall, according to the PIPL, appoint an officer in charge of PI protection. According to the PI Specification, if there are more than 200 personnel in an organisation and its main business involves processing PI, or if the organisation handles the PI of more than 1 million people (or the personal sensitive information of more than 100,000 people), it should establish a department with designated full-time staff in charge of PI security.

The person in charge of PI protection shall be responsible for the overall planning and implementation of the internal PI protection system, stipulating and keeping up to date the PI policy and process, organising internal training, etc.

Consent

Under the CSL, consent from the data subjects is required prior to the collection and processing of PI. According to the PIPL, there are other legal bases where no consent is needed (please refer to 1.6 System Characteristics).

Privacy by Design or Default

Currently, there is no specific provision imposing any requirement of privacy by design or by default, although both are helpful for fulfilling the obligations imposed by the CSL and PIPL. A similar approach is indicated in the PI Specification, where PI controllers are recommended to comply with national standards and to consider PI protection requirements when information systems are designed, developed, tested and released.

Privacy Impact Analysis

According to the PIPL, a risk assessment should be conducted before the following PI processing activities take place:

  • processing of sensitive personal information;
  • use of PI to make automated decisions;
  • entrusted processing, sharing and public disclosure of PI;
  • cross-border transfer of PI; and
  • other processing activities that may have a significant impact on individuals.

The Personal Information Security Impact Assessment Guide (PISIA Guidance; GB/T 39335-2020 信息安全技术 个人信息安全影响评估指南) serves as a guideline for conducting such a risk assessment. For cross-border transfer of PI, the Measures for the Security Assessment of Data Cross-border Transfer (Draft) also provide a reference for the risk assessment.

Internal or External Privacy Policies

The CSL requires network operators to keep user information in strict confidence and to establish and improve the system for user information protection (Article 40). Network operators shall adopt technical measures and other necessary measures to guarantee the security of the collected PI and prevent the same from leakage, damage or loss (Article 42). In addition, the PIPL requires a management system that offers matching protection levels to data of different categories and of different levels of importance (Article 51).

External privacy policies that face PI subjects often serve as the means by which network operators notify PI subjects as required under Article 41 of the CSL and Article 17 of the PIPL. Internal policies shall be consistent with the external policies: what is promised to users shall be implemented through internal management measures and technical measures. The PI Specification also recommends that a PI controller adopt a privacy policy, as well as internal management and technical measures, to safeguard PI.

Data Subject Rights

Article 43 of the CSL entitles individuals to require a network operator to delete their PI if they find that the operator’s collection and use of such information violates the laws, administrative regulations or the agreement between the operator and them, and entitles them to require a network operator to correct errors they find in the information the operator has collected and stored. Operators shall take measures to delete the information or correct the error.

The PIPL provides the PI subject with the rights, in relation to their data, to know, to decide, to restrict or object to its processing, to access and copy it, to have it ported, to rectify it, to delete it, to withdraw consent and to cancel their account. In addition, PI subjects are also provided with related rights regarding automated decision-making (Article 24).

The right to data portability states that where PI subjects request to transfer their PI to another designated PI handler, such request shall be fulfilled by PI handlers when conditions stipulated by the CAC are met.

As for the right to withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal. The right to withdrawal does not apply to PI processing activities based on a legal basis other than consent.

Anonymisation

According to Article 42 of the CSL, there shall be no disclosure of PI without the consent of the PI subject unless such information has been processed to prevent that specific person from being identified and that information from being restored. Such methods to process information include anonymisation and de-identification of PI, which are stipulated under the PI Specification. Similar regulation can be found under Article 4 of the PIPL.

Specifically, anonymisation refers to the process whereby PI is technologically processed to make PI subjects unidentifiable, and the PI cannot be restored to its previous state once processed. Once anonymised, the information is no longer considered as PI.

On the other hand, de-identification refers to the process whereby PI is technologically processed to make it impossible to identify PI subjects without the aid of additional information. In other words, it is still possible to identify an individual with the help of de-identified information and other information. Thus, de-identified information is still considered as PI.
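The distinction drawn above is easiest to see in code. The following is an added example, not part of the original chapter, and the records, key and identifiers in it are constructed for illustration. It de-identifies a small dataset by replacing direct identifiers with a keyed pseudonym (HMAC-SHA256), shows that whoever holds the key and a list of candidate identifiers can re-link every record (so the output is still PI), and then anonymises the same records by generalising attributes and publishing only group counts with small groups suppressed, which cannot be restored to individuals.

```python
"""Added example: de-identification (reversible with additional information)
versus anonymisation (irreversible). All data below is constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; names and ID numbers are fictitious.
RECORDS = [
    {"name": "Zhang San", "id_number": "110101199001011234", "city": "Beijing",
     "age": 34, "diagnosis": "flu"},
    {"name": "Li Si", "id_number": "110101198703055678", "city": "Beijing",
     "age": 37, "diagnosis": "flu"},
    {"name": "Wang Wu", "id_number": "310101197206079012", "city": "Shanghai",
     "age": 52, "diagnosis": "diabetes"},
    {"name": "Zhao Liu", "id_number": "310101196511113456", "city": "Shanghai",
     "age": 58, "diagnosis": "diabetes"},
    {"name": "Sun Qi", "id_number": "440301199508247890", "city": "Shenzhen",
     "age": 29, "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = ("name", "id_number")


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym for an identifier.

    An unkeyed hash would not suffice: ID numbers have a small, structured
    space and could be recovered by brute force. The secret key is the
    "additional information" that makes re-identification possible only for
    whoever holds it.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Strip direct identifiers and attach a keyed pseudonym per record."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(key, rec["id_number"])
        out.append(row)
    return out


def reidentify(deidentified, candidate_ids, key: bytes):
    """Holder of the key plus a candidate list of ID numbers relinks records.

    Returns {pseudonym: id_number or None}. With the wrong key every value is
    None, which is exactly why the key must be kept apart from the dataset.
    """
    lookup = {pseudonym(key, cid): cid for cid in candidate_ids}
    return {row["pseudonym"]: lookup.get(row["pseudonym"]) for row in deidentified}


def anonymise(records, k: int = 2):
    """Generalise attributes and release only counts of groups of size >= k.

    Ages are coarsened to ten-year bands and direct identifiers are dropped.
    Groups smaller than k are suppressed so a count of one cannot single out a
    person. Nothing in the output can be mapped back to a record.
    """
    buckets = Counter()
    for rec in records:
        low = (rec["age"] // 10) * 10
        band = f"{low}-{low + 9}"
        buckets[(rec["city"], band, rec["diagnosis"])] += 1
    return {group: n for group, n in buckets.items() if n >= k}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: generated, stored separately
    deid = deidentify(RECORDS, key)
    print("de-identified:", deid)
    ids = [r["id_number"] for r in RECORDS]
    print("relinked with key:", reidentify(deid, ids, key))
    print("relinked with wrong key:", reidentify(deid, ids, b"other"))
    print("anonymised (k=2):", anonymise(RECORDS))
```

The de-identified rows still carry a stable pseudonym, so they remain PI in the hands of anyone who can obtain the key (or who can join the rows against another dataset keyed the same way); the anonymised output, by contrast, contains only counts over generalised attributes and the Shenzhen singleton is suppressed entirely.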

Big Data Analysis, AI, Algorithms, etc

Profiling

The PI Specification recommends limited direct-user profiling. Direct-user profiling is when the PI of a specific natural person is directly used to create a unique model of that natural person’s characteristics. PI controllers engaging in direct profiling activities are required by the PI Specification to disclose the existence and the purposes of the direct profiling.

Microtargeting

There are no laws or regulations directly regulating microtargeting in China. The effect of microtargeting is very similar to personalised recommendation (please refer to Automated decision-making immediately below).

Automated decision-making

According to Article 24 of the PIPL, an automated decision should be transparent and fair. The PI subject is entitled to request explanation and to refuse the decision if the automated decision has a significant impact on its rights and interests. In addition, when automated decision-making is used for commercial advertising or pushing notices, an option to receive non-personalised message or a method to refuse such messages shall be given to the PI subject.

Online monitoring or tracking

Under the CSL and PIPL regime, tracking technologies such as cookies are not prohibited. Cookies are, however, usually regarded as PI, and their collection shall comply with the requirements applicable to PI.

Big data analysis

In the event of big data analysis, it is inevitable that data collected from various resources would be aggregated and used for a purpose that is normally different from the one that the data was originally collected for. In the PI Specification, such data merging shall be subject to the purpose that the data is collected for. In other words, the use of the aggregated or merged data in big data analysis shall be consistent with the purpose that has been consented to by the data subject prior to the use of the same. Furthermore, big data analysis shall not be used to discriminate against customers (please refer to Algorithms (explanations, logic, code) below).

Artificial intelligence

So far, there has been no law or regulation systematically regulating data and privacy protection where artificial intelligence (AI) is involved. Yet, there are regulations focusing on specific applications of AI technology. For example, audio and video generated by deep learning or other new technologies shall be labelled in a noticeable way. The National Governance Committee for the New Generation Artificial Intelligence issued the New Generation AI Ethics Code (新一代人工智能伦理规范) on 25 September 2021. According to the guidelines for building the national AI standard system, published by the Standardization Administration of China, the CAC, the MIIT and other ministries in July 2020, a preliminary system of national standards on artificial intelligence is to be in place by 2023.

Algorithms (explanations, logic, code)

Algorithm recommendation technologies have become the focus of the regulatory department. According to the Administrative Provisions on Algorithm Recommendation for Internet Information Services, “application of algorithm recommendation technologies” refers to the use of algorithmic technologies such as generation and synthesis, personalised push, sorting and selection, retrieval and filtering, scheduling decision-making, etc, to provide information to users. Algorithm recommendation service providers with public opinion attributes or social mobilisation ability shall go through the filing procedures.

In addition to algorithm recommendation technologies, misuse and monopoly of data and algorithms has also drawn the attention of government authorities. In February 2021, the Anti-monopoly Commission of the State Council published the Anti-monopoly Guide for the Platform Economy Sector (国务院反垄断委员会关于平台经济领域的反垄断指南) to address platform operators’ malpractice in eliminating or restricting market competition, such as using data and algorithms to form monopoly agreements or to provide differentiated treatment, etc.

Injury or Harm

In the event of an infringement of their privacy or legitimate rights, PI subjects may resort to the legal remedies provided by the Civil Code and the PIPL. In addition, injury or harm related to privacy and data rights could also lead to criminal liabilities where there is a serious circumstance of illegal sale or provision of PI.

Serious circumstances include the illegal sale or provision of:

  • 50 pieces or more of location information, communication information or property information;
  • 500 pieces or more of accommodation information, health information or other information that may have an impact on citizens’ health or property security; or
  • 5,000 pieces or more of other PI (Article 5 of the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations).

Data that is subject to special regulations under the Chinese legal framework includes, without limitation, PI, important data, national core data, and business data from certain industry sectors.

The definition of sensitive personal information is discussed in 1.6 System Characteristics. Financial data, health data, communications data, voice telephony and text messaging, the content of electronic communications and a person’s sexual orientation are categorised as sensitive personal information. More stringent restrictions and higher protection standards are applicable to sensitive personal information.

The PI of children under 14 years old is also personal sensitive data and is subject to special protection under the Provisions on the Cyber Protection of Children’s PI. Student data is not necessarily personal sensitive data. It depends on which specific data type it is.

Employment-related data will not be deemed as sensitive personal information merely because it is employment related. But if it falls into the category of sensitive personal information because, for example, it contains the identity card number or bank account number of an employee, relevant regulations on sensitive personal information would apply.

Specific identity and religious beliefs are expressly listed as sensitive personal information under Article 28 of the PIPL. The list is open-ended, so political or philosophical beliefs would likewise be treated as sensitive where their leakage or unlawful use could harm an individual’s dignity or personal or property security.

Internet, Streaming and Video Issues

Browsing data, viewing data, cookies, beacons and location data are all regarded as sensitive personal information. Tracking technology is not prohibited under Chinese law. Yet, if PI is collected and used for behavioural or targeted advertising to which the data subjects have not agreed (and no other legal basis exists), that collection and use of PI would be deemed illegal. There have been some discussions regarding privacy and data protection with major internet platforms such as WeChat or TikTok. Yet, there has been no significant law enforcement activity or administrative punishment imposed on those companies comparable to that imposed on Google or Facebook.

According to the CSL and the Administrative Measures on Internet-based Information Services (互联网信息服务管理办法), a network service provider will be liable for any erroneous, illegal or prohibited information published on a website or other medium it provides, whether intentionally or negligently. If the provider immediately takes action to stop the wrongdoing or blocks access to such information after receiving notice from the affected party, its liability might be limited. In addition, the Opinions on Further Compacting the Responsibility of the Information Content Management Subject of the Website Platform (关于进一步压实网站平台信息内容管理主体责任的意见) were published in September 2021 by the CAC.

Please refer to 2.3 Online Marketing for discussion of behavioural or targeted advertising.

Please refer to 2.1 Omnibus Laws and General Requirements for discussion of data subject rights, the right to be forgotten, data access and portability, the right of rectification or correction and rights to object to sale of data.

The Advertising Law (广告法) is the fundamental law that regulates advertising. The Interim Measures for Administration of Internet Advertising (互联网广告管理暂行办法) apply to online marketing. The sender shall obtain from the recipients their consent to, or request for, advertising and the sender shall also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

Since online marketing, particularly behavioural and targeted advertising, is normally based on analysis of PI collected from users, regulations on PI collection and use shall be observed. To begin with, PI shall not be collected or used for behavioural advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option that does not target the individual’s personal characteristics, or an easy way to refuse to receive such messages, shall be provided to the individual. In addition, the PI Specification recommends using indirect user profiling, generated from PI that does not come from particular persons, instead of direct user profiling for online marketing. Also, where a personalised display is used for online marketing, users should be given an option to turn the function off and to delete or anonymise the PI used for that personalised display.

Special Laws

Currently, there is no special law or regulation regulating workplace privacy. It is governed by the Labour Law (劳动法), the Labour Contract Law (劳动合同法), the CSL, the PIPL, and the relevant laws and regulations governing PI. The PI of an employee is subject to the same PI protection regime as that of any other person.

Workplace Communications

Even though employees’ PI is protected in the same way as regular PI, it is a fact that the employment relationship between employees and employers has its own features, making it inevitable that employers collect and use employees’ information in the course of employee management. It is commonly understood that employers shall duly notify their employees that activities in the workplace, during working hours, and conducted with working facilities, are supervised and monitored by the employers. Employment contracts or the employee handbook usually contain clauses in this regard. Normally, the voluntary provision of PI by the employees under the employment contract would be deemed as giving authorisation to the employers to collect and use their information in accordance with the purpose of employee management.

Unions

In China, labour unions do not play the same role as those in the western world. Where there is an infringement of employees’ PI rights, instead of appealing to a labour union, the employees may report this to the competent authorities in charge of cybersecurity and PI protection.

Whistle-Blowers

Normally, corporations would adopt internal supervisory and reporting mechanisms, including whistle-blower hotlines and anonymous reporting channels. It is always an option to report malfeasance to the competent government authorities. There is no unified standard rule. It varies between corporations and industries.

E-discovery

E-discovery shall follow relevant litigation and arbitration rules. Access to employees’ PI for the purpose of e-discovery would be deemed as used in direct relation to a court trial, and thus no consent is required for the collection and use of such information. Yet, there might be situations where it is not necessarily directly related to court trials. Thus, it is advisable to plan ahead by establishing an archive system and incorporating clauses on access to an employee’s PI for the purposes of e-discovery and other reasons into the employment contract or employee handbook.

Other Issues

Network operators are required to implement technical measures and other necessary measures to guarantee the security of the collected PI and prevent it from leakage, damage or loss. This may include the use of data loss prevention technologies. There is no law or regulation prohibiting employers from blocking websites to secure the productivity of their employees, and it is advisable to publish such measures in the employment contract, employee handbook or relevant company policies.

Legal Standards for Regulators

The CSL, the DSL, the PIPL, and the Consumer Protection Law are the four most fundamental standards used by law enforcement to regulate and punish violations of privacy or data protection laws. The PI Specification serves as a key reference as well. For law enforcement against violations by mobile applications, the Standards for Determining Unlawful Collection of Personal Information by Apps (App 违法违规收集使用个人信息行为认定方法) were released in November 2019. These Standards are summaries of specific violations observed in business practice and are used as tools for app operators to conduct self-inspection as well as for law enforcement departments to determine unlawful acts.

Potential Enforcement Penalties

Depending on the violation, different sanctions and penalties may be imposed under the CSL. For instance, non-compliance with the personal-information-protection-related provisions in the CSL may, according to Article 64 of the CSL, result in orders to take rectification measures, warnings, confiscation of illegal earnings, fines, or a combination thereof. The fine should be more than the illegal earnings but less than ten times that amount. In the event that there are no illegal earnings, the fine shall not be more than RMB1 million. The directly responsible person may face a fine ranging from RMB10,000 to RMB100,000. In the case of a severe violation, the competent authority may order suspension of the related business, winding up for rectification, shutdown of the website, and the revocation of the business licence of the operator or provider.

Where there is a severe violation that could lead to criminal prosecution, the prosecution standards are stipulated by the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations (see the discussion in 2.1 Omnibus Laws and General Requirements).

Under the PIPL, the penalties for violations are much higher than those under the CSL (see the discussion in 1.6 System Characteristics).

Leading Enforcement Cases

Among the law enforcement activities pursued in 2021, violations punished by the administrative authorities include failure to file for a cybersecurity review before listing abroad, failure to obtain data subjects’ consent before PI collection, failure to implement a cybersecurity or PI protection system, and failure to detect a security vulnerability in network services.

Private Litigation

In general, most cases or proceedings take the form of administrative investigation and punishment initiated and imposed by government authorities. Legal bases for an individual to initiate private litigation include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.

One civil case worth noting involved an individual suing Xiecheng for exercising discriminatory pricing through big data. Unlike most cases, which end in settlement, the court ruled in favour of the plaintiff and required Xiecheng to compensate the plaintiff. Although the legal bases invoked by the court were mainly contract laws and consumer protection laws, the court also discussed whether Xiecheng collected unnecessary information without consumers’ consent.

Since the Civil Code came into effect on 1 January 2021, there have been many public interest lawsuits initiated. It is expected that there will be more private litigation on PI protection in the coming year.

For the purpose of criminal prosecution, the people’s courts, the people’s procuratorates and public security bureaus are empowered by the Criminal Procedure Law (刑事诉讼法) to collect or obtain evidence from the entities and individuals concerned. Relevant parties are obliged to co-operate and provide truthful evidence (Article 54). Evidence involving any state secret, trade secret, or private PI shall be kept confidential (Article 152). Collection of evidence by judges, prosecutors, and investigators from public security bureaus shall follow legal procedure. When a search is to be conducted, a search warrant must be presented to the person to be searched (Article 138). A search warrant could be issued by the People’s Procuratorate and public security bureaus. Any staff members of the authorities performing PI protection duties who neglect their duty, abuse their authority or commit malpractice for personal gain, without those actions constituting a crime, shall be subject to disciplinary action pursuant to the laws (Article 68 of the PIPL).

The Constitution Law (宪法) provides for the fundamental protection of privacy. The state respects and protects human rights (Article 33). The personal dignity of citizens of the People’s Republic of China is inviolable (Article 38). The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law (Article 40). According to Article 77 of the National Security Law (国家安全法), citizens and organisations are under the general obligation to provide support and assistance for work relating to national security.

According to the Counterespionage Law (反间谍法), a national security authority may, as needed for counterespionage work, legally inspect the electronic communication tools and instruments and other equipment or facility of a relevant organisation or individual. If the national security authority discovers any circumstances compromising national security during inspection, it shall order the organisation or individual to make rectification; and may take seizure or impoundment measures if the organisation or individual in question refuses to make rectification or still fails to satisfy the relevant requirements after rectification (Article 13).

The power of the national security authorities is not unrestricted. According to Article 37 of the Counterespionage Law, where any staff member of a national security authority divulges any state secret, trade secret or piece of private individual information, in violation of the relevant provisions, which constitutes a crime, the staff member will be subject to criminal liability in accordance with the law. In addition, according to Article 35 of the DSL, where a public security organ or state security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes, it shall go through strict approval formalities in accordance with relevant provisions. The procedural requirement and protection provided by the Criminal Procedure Law, as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, is also applicable here.

Organisations in China cannot invoke foreign government access requests as a legitimate basis to collect and transfer personal data. On the contrary, according to Article 36 of the DSL, organisations shall not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority.

Industry leaders, such as Huawei and ZTE, have been accused of being manipulated by the Chinese government and secretly providing personal data to the government. There are some media voices alleging that the Counterespionage Law authorises the government to take or confiscate any property that might endanger national security. Yet, as discussed in 3.2 Laws and Standards for Access to Data for National Security Purposes, the laws and regulations do not give the government unrestricted access to personal data. Only for specific purposes, such as criminal investigation, investigation of activities compromising national security and counterespionage work, may the government conduct investigations that involve access to personal data. During the course of investigations, authorities must abide by strict procedures prescribed under the relevant legislation. Besides, infringement of individual privacy by government authorities is regulated by both the Counterespionage Law and the Criminal Procedure Law. The PIPL also stipulates restrictions on the personal data processing activities of government authorities.

According to the CSL, PI collected by critical information infrastructure operators (CIIOs) during their operation in China shall be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment shall be conducted. The PIPL extends this obligation beyond CIIOs to entities that process PI above a certain volume. A security assessment shall be passed before PI can be transferred overseas. So far, data import from overseas into China has not been the focus of the administration.

The PIPL provides for three routes for cross-border data transfer compliance: (i) a security assessment organised by the authority, (ii) certification by approved agencies, and (iii) standard contracts signed with the receiving party. According to the Measures for the Security Assessment of Cross-border Data Transfer (Draft), the security assessment mainly covers the following matters.

  • Legality, legitimacy and necessity of the purpose, scope and method of transmitting the data abroad.
  • The impact of the policies and regulations on data security protection, and the network security environment of the country or region where the overseas recipient is located, on the security of the outbound data; and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and the mandatory national standards.
  • The quantity, scope, type and sensitivity of the outbound data, and the risks of leakage, tampering, loss, damage, transfer, or of illegal acquisition or illegal use of such data when leaving the country or thereafter.
  • Whether the data security and the rights and interests of the PI can be adequately and effectively protected.
  • Whether the contract between the data processor and the overseas recipient has made sufficient provisions regarding the responsibilities and obligations of data security protection.
  • Compliance with Chinese laws, administrative regulations, and departmental rules.
  • Other matters that the CAC considers necessary to be assessed.

So far, there have been no officially issued standard contractual clauses nor detailed measures regarding the certification mentioned in the PIPL.

As to derogations, unlike the GDPR, the PIPL does not have leeway for situations that do not meet the three routes. However, Article 38 allows the provision of PI according to international treaties or agreements concluded or acceded to by China.

Cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct security assessment prior to the cross-border transfer of PI and important data (please refer to the discussion in 5.6 Other Significant Issues on the definition of important data). For non-CIIOs to transfer PI, please refer to 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

With respect to important data, data handlers are required by the DSL to abide by regulations or measures issued by the competent authority, which may refer to the Measures for the Security Assessment of Cross-Border Data Transfer (Draft). It is worth noting that these Measures are still drafts for comment. Market participants would be well advised to keep an eye on developments.

The first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored locally and a security assessment is required for cross-border data transfer. For data handlers that are not CIIOs, but process PI to a certain extent or collect important data, a security assessment is also required. Additionally, there are localisation requirements for special business data, including, without limitation, (i) credit investigation data, (ii) personal financial information, (iii) map data, (iv) essential tech equipment required for online publication services, (v) data & information related to car hailing services, (vi) health information of the population, and (vii) insurance data and fiscal data.

In principle, such data shall be stored within the Chinese territory and may not be freely transferred overseas. Where it is necessary to transfer data overseas, special requirements on each type of information shall be applied.

There is no law or regulation requiring technical details, such as software code or algorithms, to be shared with the government. The cybersecurity examination of online products and services relevant to national security does not aim at acquiring technical details (Article 35 of the CSL). The purpose of this examination is to evaluate whether there is a risk of massive data leakage, loss or cross-border movement, interruption of services, or a risk of a CIIO being controlled by foreign entities. Since the examination is not intended to acquire code or algorithms from market participants, sharing technical details should be a voluntary decision on the part of the relevant entities.

According to Article 36 of the DSL, organisations shall not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and cross-border data transfer mentioned above shall apply.

In addition to Article 36 of the DSL discussed in 4.6 Limitations and Considerations, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (the Rules) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021 with immediate effect. According to Article 36 of the DSL, companies or individuals shall not provide data stored within the territory of China to foreign judicial or law enforcement agencies on request, unless approved by the competent authorities. The Rules are considered to be China’s blocking statute and have set up a relatively comprehensive anti-economic-sanctions system to deal with the long-arm jurisdiction of certain countries and regions.

Big Data

When it comes to emerging digital and technology issues, it is hard to ignore the fact that the inherent biases of algorithms may lead to the infringement of individual rights and discrimination. Until the technologies are mature, and the error rates manageable, network operators and data handlers will continue to take a cautious attitude towards the application of such technologies.

For a discussion of big data analytics, automated decision-making, profiling and artificial intelligence (including machine learning), please refer to 2.1 Omnibus Laws and General Requirements.

Network operators in the business of the internet of things (IoT) and big data analytics shall pay special attention to implementing the MLPS. According to the national standards constituting MLPS 2.0, IoT and big data applications are expressly included in the protected objects of the MLPS. Specific security requirements can be found in the corresponding national standards. Network operators of IoT and big data applications are advised to commence the grading and classification at their earliest convenience.

Automated Decision-Making

For the purpose of automated decision-making, a vast amount of data will be collected and aggregated. Taking autonomous vehicles as an example, the vehicles would be continuously collecting all location data of the users which would be used to, among other things, generate direct user profiles. The MIIT issued some regulations regarding intelligent connected vehicles and provided requirements for collecting and processing data. The CSL, the PIPL, the PI Specification, and relevant national standards would apply to the collection and processing of PI, including automated decision-making, as well as the protection of data security.

Biometric Data

The application of biometric data, including facial recognition, is increasing. Biometric data is highly sensitive personal data. It is unique to individuals and it is impossible to change one’s biometric data. Processing of biometric data shall be conducted with much higher and more stringent standards. Requirements for collecting and processing sensitive personal information are found under Section 2, Chapter 2 of the PIPL. Additionally, the GB/T 40660-2021 Information Security Technology - Basic Requirements of Biometric Data (GB/T 40660-2021 信息安全技术-生物特征识别信息保护基本要求) also provides guidance for the processing of such data.

Other Areas

Geolocation data is sensitive personal information, the collection and processing of which shall be consistent with the applicable rules as discussed in 2.2 Sectoral and Special Issues.

Drones, which are being used for recreational purposes as well as for law enforcement, are getting smaller and cheaper while the images a drone can get are clearer and more accurate than ever. So far, only general rules on privacy and data protection are applicable to the use of drones.

Disinformation, deepfakes, and other illegal content such as inflammatory speech or erroneous content on the internet are regulated by the ecological governance of internet information content (please see the discussion under 2.2 Sectoral and Special Issues). Should an individual suffer online harm, they can resort to the Civil Code and other applicable regulations and claim damages against the wrongdoer and/or the platform operator (if applicable).

“Dark patterns” or online manipulation are regulated under the Consumer Protection Law and the PIPL. According to Article 8 of the Consumer Protection Law, consumers shall be entitled to autonomous selection of goods or services and have the right to make comparisons, identifications and selections. Besides, pursuant to Article 5 of the PIPL, it is forbidden to process PI through deception, fraud or coercion.

Fiduciary duties for privacy or data protection have not been expressly defined under the current legal framework. Similar obligations might be the duties of the data protection officers (please see discussion under 2.1 Omnibus Laws and General Requirements).

To address the problems and concerns brought about by emerging technologies, TC260 is actively conducting research and has released industry study reports and, most importantly, recommended national standards to guide the application of various cutting-edge technologies. For example, TC260 published the Practice Guide to Cybersecurity Standards - Guidelines on the Code of Ethics for Artificial Intelligence (网络安全标准实践指南—人工智能伦理道德规范指引) in January 2021 to address ethics topics regarding artificial intelligence. In addition, the National New Generation AI Governance Professional Committee issued the New Generation AI Ethics Code (新一代人工智能伦理规范) in September 2021.

There are many special enforcement projects, such as “Clearing the Network 2021” (净网2021), launched by the MPS and implemented by provincial public security departments across the country throughout the year. This is a comprehensive investigation into violations in internet-related industries. The CSL and the PIPL have been the major legal basis for investigations and punishment. Please refer to 2.5 Enforcement and Litigation for more details. So far, there has been no administrative punishment involving significant penalties, as there has been in Europe; however, the usual punishment following these enforcement activities, namely public criticism by the authority or suspension of the related business, can cause inestimable damage to the company. Most cases and legal proceedings are administrative and criminal cases. There has been no civil case with a large settlement or joint action with respect to privacy and data protection. Please refer to 2.5 Enforcement and Litigation for discussion of a remarkable civil case.

Due diligence on privacy and data protection in corporate transactions would normally start with interviews to gain an understanding of the existing situation in terms of cybersecurity protection measures and data processing at the relevant company. Then a gap analysis would be conducted to evaluate the deviation between compliance requirements and the actual situation. The last step would be offering compliance suggestions. The focus of the due diligence would usually be on the following aspects:

  • management systems of the network operation security;
  • information on the network products and services purchased by the company;
  • collection and processing of data;
  • data storage and internal management;
  • data output; and
  • cross-border data transfer.

According to the disclosure requirements for listed companies, investigations, criminal punishment or major administrative punishment must be disclosed.

The terms “important data” and “critical information infrastructure” are unique concepts under the CSL, the PIPL and the DSL regime.

Important Data

According to the Important Data Identification Guidelines (Draft), important data refers to the kind of data that, if tampered with, damaged, divulged, or illegally obtained or utilised, may affect national security and the public interest. So far, no regulation on the methods of important data identification and their scope has been officially published. Yet, according to the Important Data Identification Guidelines (Draft), important data shall usually not include state secrets or PI, but statistical data and derived data based on massive amounts of PI may constitute important data. Even though such guidelines have not entered into force, there have been indications that modification of legislation regarding important data, and law enforcement trends in the same area, are to be expected. Cross-border transfer of important data is subject to special procedures, which are discussed in detail in 4.3 Government Notifications and Approvals.

Critical Information Infrastructure (CII)

The CSL, the PIPL and the DSL provide for a special protection scheme in China on CII and the corresponding protection principles. The Security Protection Regulations for Critical Information Infrastructure came into effect in September 2021. Other regulations and national standards on CII are also at the stage of soliciting opinions. Information infrastructure – in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service, e-government and the national defence science and technology industry – might fall within the scope of such regulation. The purpose of offering extra protection for critical information infrastructure is to protect national security, the national economy, people’s livelihoods and the public interest.

Zhong Lun Law Firm

22-31/F, South Tower of CP Center
20 Jin He East Avenue
Chaoyang District
Beijing 100020
P. R. China

+86 010 5957 2003

+86 010 6568 1022

chenjihong@zhonglun.com

www.zhonglun.com

Trends and Developments

Authors
Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade (CCPIT) in 1979. By the approval of the Ministry of Justice of the People's Republic of China, it was renamed as China Global Law Office in 1984 to take an international perspective on its business, fully embracing the outside world. After over 40 years of persistent efforts and development, it has become one of the most prominent comprehensive law firms in China. GLO has been committed to the mission of serving domestic and foreign clients with a globalised vision, globalised team and globalised quality since its inception, allowing it to consistently maintain a leading position in the industry in the midst of an ever-changing global economic environment. All GLO lawyers are graduates from first-tier domestic and/or international law schools, most of whom hold LLM or higher degrees. Many partners are qualified to practise in the USA, UK, Australia, Switzerland, New Zealand, Hong Kong, among others, in addition to China.

Introduction

A few years from now, someone looking back at the development of data security and online privacy protection regulation in China will surely mark out 2021 as a milestone. In that year, China rolled out its complete strategy on data security and online privacy protection by releasing two pieces of “cornerstone” legislation, which not only focus on domestic regulation but also have extra-territorial reach, and which further substantiate the concept of “cyberspace sovereignty” that was created under the Cybersecurity Law (CSL) in 2017.

The Personal Information Protection Law (PIPL), effective from 1 November 2021, is China’s first law dedicated to protecting the private interest in personal information. Prior to the PIPL, the Data Security Law (DSL) had taken effect on 1 September 2021 aiming at protecting and securing the national interest in data. The DSL, the PIPL and the CSL are the troika that will drive China’s legal framework in defining and protecting its “cyber sovereignty”.

2021 has indeed been a busy year of development in data security and online privacy protection. Driven by the troika, a series of national, local and industrial regulations, rules and policies have been enacted, supplemented further by relevant national standards to enforce the security and protection mechanism. Accordingly, administrative law enforcement and judicial practice became more active and attempted to solve some of the longstanding knotty problems in this area. For example:

  • China is tightening the review of cybersecurity against the potential threat of data leakage in its domestic companies’ overseas public offerings;
  • China began to focus on inventing an effective regulatory mechanism to address the data leakage concern in cross-border business operations;
  • localisation requirements were further expanded to protect data security interests; and
  • regulation of algorithm technology in the field of artificial intelligence (AI) and big data is taking shape.

Looking forward, the trend in 2022 will be for more development in data security, although the protection of online privacy will continue. Most of the developments in data security will be to create the new regulatory mechanism. It can be reasonably expected that:

  • efforts will be made to define and regulate critical information infrastructure operators (CIIO);
  • important data and the core data will generate a high-level framework for further development;
  • cross-border data sharing will be subject to a new regulatory mechanism;
  • the upgraded cybersecurity review will be fully implemented and the “watchouts” in such a review will become clearer and more predictable; and
  • there will be more industry-driven and local government-driven efforts to define and protect security interests.

In protecting online privacy, continued efforts will be split between deepening the existing regulatory requirements and balancing the need for online privacy protection against the demand for flexibility in reasonable business operations. People will see continued efforts in privacy regulation against mobile applications and internet platform businesses, there will be clearer guidance on personal information cross-border sharing requirements, and the ministries and local governments will be more active in driving industrial and local regulation in privacy protection. In addition, more consideration will be given to balancing (i) the personal information protection offered by big platform business operators using traditional administrative regulatory mechanisms (such as the anti-monopoly regulations), with (ii) the need for information flow to facilitate reasonable business development, etc. People will also likely see large administrative penalties imposed for violation of the DSL and the PIPL, and more court judgments will emerge from civil disputes, criminal charges and administrative reviews, giving a more rounded picture of the law in its enforcement. Business players will face more regulatory requirements, make more compliance efforts and be forced to learn more regulatory lessons; 2022 will likely be a year full of excitement in the data protection space.

Three Pillars of China’s Sovereignty in Cyberspace

The Cybersecurity Law (CSL)

The CSL, effective on 1 July 2017, is the first piece of legislation safeguarding China’s cyberspace sovereignty. It focuses on security concerns at the network and infrastructure level and is renowned for its multi-level protection scheme (MLPS), which is applicable to network operators and was last updated in 2019.

The Personal Information Protection Law (PIPL)

The PIPL, first of all, establishes the general principles of personal information processing and lays out a comprehensive set of rules regulating the full personal information processing life cycle. It applies to personal information processing not only in but also outside of China. In tort disputes, the PIPL requires personal information processors to prove that they are not at fault, or they will be liable for the tort.

The PIPL further provides a legal framework and high-level guidance for many specific personal information processing scenarios, such as exceptional processing without consent, cross-border data sharing, protective processing requirements for minors, and algorithm-based decision-making. The PIPL innovatively offers rights for protecting the personal information of the deceased. It differentiates the obligations of large internet platform providers from those of smaller data processors. However, unlike the GDPR, the PIPL does not differentiate between “controllers” and “processors” and only uses one defined term: “processor”. It imposes different obligations on a processor when it works in different processing roles.

Last but not least, the PIPL follows the pattern of the GDPR to penalise violations by imposing record-breaking high administrative fines. The fines for an entity could be up to 5% of the total business revenue of the last year before the violation, or RMB50 million. The fines for an individual (which includes members of the management of the violating entity, the personal information protection officer or the person directly responsible for the fault of the violating entity) could be up to RMB1 million. It is also worth noting that the mechanism to determine the fault of the violation is also harsh. If a processor cannot prove that it is not at fault, it shall bear relevant liability and compensate the damages of affected individual(s).

The Data Security Law (DSL)

The DSL identifies the goals of the data security regime, but it will rely on future implementing regulations and rules to provide the specific mechanisms and methodology to realise those goals. It mainly focuses on data security but also encourages innovative use of data and open sharing of administrative data to facilitate the use of big data and further the digital economy.

It envisions a protection scheme that protects three layers of data (ie, the core data, the important data and other data) that are categorised pursuant to their significance to national security and the public interest. It imposes the localisation principle on the processing of core data and important data and requests administrative review and approval for cross-border transfer of important data.

In particular, without proper approval, the DSL generally prohibits any entity or individual in China from sharing any data stored in China with any foreign judicial or law enforcement agency.

The Draft Network Data Security Management Regulation

On 14 November 2021, the Cyberspace Administration of China (CAC) released the Draft Network Data Security Management Regulations for public comments (Draft Regulation). The Draft Regulation aims to clarify the key legal concepts and provide guidance to facilitate the realisation of the goals laid out in the DSL. Such efforts include providing more clarity on:

  • data classification and the corresponding multi-layered protection scheme;
  • important data processing and CIIO identification;
  • the special data-related obligations of online platform operators;
  • the data incident response mechanism;
  • data localisation and cross-border transfer procedures; and
  • data security assessments.

Specific Regulatory Development

Cybersecurity review

In recent years, regulators have closely monitored the data security concerns arising from overseas public offerings of Chinese companies. In July 2021, the CAC for the first time officially requested that a company (Didi) go through a cybersecurity review for its US IPO, after the fact. Days after the request (on 10 July 2021), the CAC published a draft of the amended Measures for Cybersecurity Reviews, which was finalised on 28 December 2021 and took effect on 15 February 2022.

A Cybersecurity Review Office (CRO) was established within the CAC to formulate the cybersecurity review policies and lead the cybersecurity review process. According to the Measures, Chinese network platform operators that possess the personal information of more than 1 million users should apply to the CRO for cybersecurity review. This effectively subjects all IPOs of Chinese network platform operators on foreign stock exchanges to the cybersecurity review. In addition, the Measures subject all data processing activities that will or may impact national security to the cybersecurity review. Although there is hope for more transparency about the level or scope of the impact on national security, it is very possible that it will remain undefined, much like the mechanism used by the Committee on Foreign Investment in the United States to determine national security threats under the Foreign Investment Risk Review Modernization Act of 2018.

Important data protection

The Draft Regulation sets out a series of obligations for processors of important data, such as filing important data on record with the municipal CAC, conducting and reporting a security assessment of important data processing, appointing a data security officer and establishing an administrative committee, purchasing trustworthy and reliable products and services, and obtaining special approval for, and reporting, cross-border data transfers. However, the Draft Regulation does not provide a mechanism for determining and identifying what constitutes important data.

On 13 January 2022, the National Information Security Standardisation Technical Committee (TC260) issued the draft Guidelines for the Identification of Important Data, which are aimed at shedding light on the identification of important data for both central government ministries and local governments. These draft Guidelines are expected to be finalised in early 2022.

Even with these Guidelines, it may take a few years for all the central government ministries and local governments in China to define their own rules for identifying important data, and it may take longer still for businesses to be able to accurately identify the important data in their possession. Completing this task will require substantial time and effort from both government and the private sector.

Cross-border data transfer

On 29 October 2021, the CAC released the draft Measures on the Security Assessment of Cross-Border Data Transfer, which impose a mandatory assessment review mechanism, conducted by the CAC, for cross-border transfers of certain data.

The proposed thresholds for the mandatory assessment review in the draft include:

  • transfer by CIIOs of personal information and important data;
  • transfer of important data by non-CIIOs;
  • transfer of personal information by a processor which processes the data of 1 million individuals or more; and
  • transfer of the personal information of 100,000 or more individuals, or the sensitive personal information of 10,000 or more individuals.

App regulation

The CAC and the Ministry of Industry and Information Technology (MIIT) have been operating a campaign since 2018 to regulate operators of mobile applications and mini-programs against online privacy violations. The campaign has progressed from formality checks of privacy statements to scrutiny of hidden data sharing through back-end systems, such as software development kits. For example, the Circular on Issuing Rules on the Scope of Necessary Personal Data for Common Types of Mobile Internet Applications (effective 1 May 2021) prohibits apps from denying users basic functions and services if they refuse to consent to the processing of their non-essential personal data. The campaign in 2021 culminated in December with more than 100 apps, including some highly popular ones, being removed from app stores for online privacy compliance issues. The campaign is expected to continue and go further in 2022.

Facial recognition and other new technologies

In April 2021, the final judgment of China’s first lawsuit over the use of facial recognition technology was released. The court upheld the first instance ruling which ordered Hangzhou Safari Park to delete the facial image of the individual plaintiff.

The Supreme People’s Court of China issued the Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (effective since 1 August 2021). In this judicial interpretation, the Supreme Court explains that individuals should have the right to refuse the use of facial recognition technology for identity verification when entering a property service area, and that they must be offered a reasonable alternative form of access.

In addition to facial recognition, China also watches and responds to the adoption of other new technologies. For example, China has rolled out new regulations on algorithms used by internet service providers, which incorporate personal information protection considerations.

Public interest litigation mechanism

The PIPL establishes a public interest litigation mechanism for personal information protection. If a processor processes personal information in violation of the PIPL, harming the rights and benefits of numerous individuals, the People’s Procuratorate, the statutorily designated consumer protection organisations, and the organisations designated by the CAC may file a class action lawsuit in court on behalf of those individuals.

On 21 August 2021, the Supreme People’s Procuratorate responded by issuing a circular giving priority to, and clarifying the duty of the procuratorate in, the public interest litigation mechanism for protecting personal information. It is expected that implementation of the mechanism within the procuratorate system will be carried out quickly and that 2022 may see more class actions for personal information protection.

Critical information infrastructure (CII)

The Rules on the Protection of the Security of Critical Information Infrastructure have been in effect since 1 September 2021. They establish the mechanism for protecting the security of CII. However, as with important data, it will take some time for the industry regulators to identify CII in their respective industries or to release guidelines for its identification.

Security vulnerabilities of network products

The CAC, the MIIT and the police jointly released a new rule on security vulnerabilities of network products, which took effect on 1 September 2021. The new rule covers the detection, collection, publication and other activities relating to security vulnerabilities of network products. It encourages entities and individuals to report security vulnerabilities they discover to the network product providers and prohibits them from releasing such information before the network product providers’ announcement. Under the new rule, network product providers are required to report to MIIT’s Network Security Threat Information Sharing Platform within two days of detecting a vulnerability.

Security of Industrial Data

Automotive data

On 16 August 2021, the CAC issued the Interim Provisions on Automotive Data Security Management (Automotive Data Provisions), effective on 1 October 2021.

The Automotive Data Provisions define what constitutes important data in the automotive industry, and industrial processors of important data must implement stricter protective measures, including:

  • conducting a risk assessment according to relevant laws and reporting the risk assessment to the competent government authorities;
  • storing important data in China;
  • obtaining the approval of the competent government authorities if the important data needs to be transferred abroad; and
  • submitting the annual report to the competent government authorities.

As of February 2022, local government authorities (such as the provincial counterparts of the CAC and the MIIT) in certain provinces/cities (including Shanghai, Guangdong, and Tianjin) have released official guidance on how the automotive data processors should submit the risk assessment and the annual report of important data processing.

Finance data

The financial industry is one in which data security has been under strict scrutiny for a long time. In 2021, administrative data security and privacy protection regulations were released covering credit investigation and securities business operations.

The People’s Bank of China released the Administrative Provisions on the Credit Investigation Industry, effective on 1 January 2022, imposing obligations to protect privacy and data security on companies that collect and process credit information of individuals and entities.

The China Securities Regulatory Commission promulgated two industrial standards for securities and futures businesses in August 2021 to implement the multi-layered protection scheme for cybersecurity compliance.

In addition, the China Financial Standardisation Technical Committee (SAC/TC 180) released the draft Finance Data Security – Data Security Assessment Specification in December 2021 to assist financial service companies in complying with the requirements of the DSL. The draft provides clear guidance on how financial businesses should (i) conduct a data security assessment, (ii) formulate a financial data inventory, and (iii) compile financial data life cycle protection sheets.

Healthcare data

Medical and healthcare data (such as human genetic data, X-ray images, and medical records) tend to be categorised as sensitive personal information under the PIPL, or as important data under the DSL. This sector witnessed significant further development in 2021.

In April 2021, the National Healthcare Security Administration promulgated a circular emphasising that healthcare security administrations in both national and local governments must strictly comply with cybersecurity and data security regulations to protect social insurance data. This is believed to have been triggered by certain frauds committed in the payment of medical insurance.

In addition, a key national standard in the healthcare industry, the Information Security Technology – Guide for Health Data Security (GB/T 39725-2020) took effect on 1 July 2021. The national standard provides business scenario-based guidance for healthcare players to properly process their healthcare data.

Local Regulations

With the DSL and the PIPL taking effect in 2021, a few provincial governments took the initiative to enact local regulations to safeguard data security and promote the digital economy.

For example, Shanghai released the Shanghai Municipal Data Regulations (Shanghai Data Regulations) in December 2021, which took effect on 1 January 2022. The Shanghai Data Regulations address data processors’ key obligations with regard to data processing and clarify Shanghai’s position on some hot topics in the data security area, such as facial recognition technology, automated decision-making technology, public data exploitation, and data transaction.

Similar to Shanghai, Shenzhen also circulated in July 2021 a local data regulation, the Shenzhen Special Economic Zone Data Regulations (Shenzhen Data Regulations), which took effect on 1 January 2022. Focusing both on data security and data exploitation, the Shenzhen Data Regulations inherited the general framework of the DSL and the PIPL and introduced a specific regulatory framework for the digital industry in Shenzhen and the Guangdong-Hong Kong-Macao Greater Bay Area.

In addition to Shanghai and Shenzhen, a number of other provinces (including Tianjin, Guizhou, Liaoning, Ningxia, and Anhui) are developing their own local regulations for data security and the big data industry. The local regulations add more nuance and flexibility to data security and privacy protection, which deserves close attention from companies doing business in these regions.

Conclusion and Prospects

The efficient completion of the legislative procedures for the DSL and the PIPL in 2021 sends a strong signal that the PRC government gives top priority to substantiating and protecting its cyberspace sovereignty. It also became clear that China’s efforts to protect data security, personal information and cybersecurity are much more aggressive and complicated than those under the GDPR or the California Consumer Privacy Act. It is expected that the government will solve all the pending puzzles for enforcing these laws at great speed and will then strictly enforce them. Efficient and full compliance with the developing enforcement of the DSL and the PIPL will mean a competitive advantage and the saving of valuable business resources. If multinational companies in China took some time before 2021 to observe the developments in data security and privacy protection, they should now mobilise their resources to understand the realistic potential impacts on their businesses and to comply with these new laws and new enforcement policies in order to gain or maintain an advantage.

As discussed above, in 2022 it is expected that more detailed and practical regulations, enforcement policies and judicial interpretations will emerge to guide compliance. These could include the identification of important data and CII, a Chinese version of standard contractual clauses for cross-border transfers of personal information, and the further development of the cybersecurity review process and the cross-border data transfer assessment. It is also expected that more severe administrative penalties and more lawsuits under these new laws will emerge to underline the significance of compliance.

However, notwithstanding the above, people may also expect to see more policies and rules that promote data utilisation, data sharing and data transactions, which may offer more flexibility or even advantages if well used by the businesses. The year to come will surely be full of exciting developments in the cybersecurity and data regulation space.

Global Law Office

36th Floor, Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District, Shanghai
200031, China

+86 21 2310 8288

+86 21 2310 8299

vincentwang@glo.com.cn
www.glo.com.cn

Trends and Developments

Authors

Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of the China Council for the Promotion of International Trade (CCPIT) in 1979. With the approval of the Ministry of Justice of the People's Republic of China, it was renamed China Global Law Office in 1984 to take an international perspective on its business, fully embracing the outside world. After over 40 years of persistent effort and development, it has become one of the most prominent comprehensive law firms in China. GLO has been committed since its inception to the mission of serving domestic and foreign clients with a globalised vision, globalised team and globalised quality, allowing it to consistently maintain a leading position in the industry in the midst of an ever-changing global economic environment. All GLO lawyers are graduates of first-tier domestic and/or international law schools, most of whom hold LLM or higher degrees. Many partners are qualified to practise in the USA, the UK, Australia, Switzerland, New Zealand and Hong Kong, among others, in addition to China.