Data Privacy & Transfer in Investigations

Last verified on Thursday 15th September 2022

Data Privacy & Transfer in Investigations: China


SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

China

PRC legal regime on protection of personal information

On 20 August 2021, the Standing Committee of the National People’s Congress (SCNPC) adopted the Personal Information Protection Law (the PIPL), the long-awaited and first omnibus personal data protection legislation in China. The PIPL took effect on 1 November 2021. 

The PIPL, together with the PRC Cybersecurity Law (in effect since 1 June 2017) and the PRC Data Security Law (in effect since 1 September 2021), forms the three pillars of the PRC data protection regime, which together provide a legal framework from the personal information protection, cybersecurity and data security perspectives respectively.

Pre-PIPL provisions regulating the collection and processing of personal information are piecemeal and scattered across a variety of PRC laws and regulations, with substantial overlaps and arguable inconsistencies between them.

The PIPL in essence provides an omnibus rulebook for those who process the personal information of individuals located in China, regardless of whether those processors of personal information are in China themselves or are outside China.

The PIPL establishes a new comprehensive regulatory framework for personal information protection in China, significantly changing the country’s data privacy regulatory landscape. At the same time, Chinese regulators have recently picked up the pace in refining the data privacy regime and implementing a number of PIPL provisions by publishing detailed implementation rules. Some of these rules are already in effect, while others remain in public consultation. We expect China’s data privacy regime to continue to evolve quickly, a fact of which local and international business operators are now well aware.

Following the promulgation of the PIPL, other laws and regulations regulating the collection and processing of personal data in China remain in effect unless specifically repealed. However, it is expected that the interpretation and implementation of those laws and regulations will be aligned with the PIPL, or that they will be amended to be consistent with it.

General restrictions on cross-border transfer of personal information

A variety of PRC data protection laws and regulations impose restrictions on cross-border data transfers. 

The Cybersecurity Law takes a bifurcated approach, distinguishing data generated and collected by network operators from data generated and collected by critical information infrastructure operators (CIIOs).

Under the Cybersecurity Law, the general restriction on cross-border data transfer originally applied only to CIIOs. It provides that personal information and important data generated and collected within the territory of China by CIIOs in the course of their operations must be stored within China. If such data needs to be transferred overseas out of business necessity, the transfer must be subject to a security assessment in accordance with the relevant regulations jointly issued by the cyberspace authority and other relevant authorities.

The concept of “critical information infrastructure” is defined in the Critical Information Infrastructure Security Protection Regulations (the CII Regulations), which took effect on 1 September 2021, as “important network facilities and information systems of key industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services, E-government and defence technology industry, as well as those network facilities and information systems that once damaged, disabled or having suffered a data leakage, may severely threaten national security, the national economy, people’s livelihood or public interest”.

The term “personal information”, as further clarified by the PIPL, is defined as “all kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous”.

While the concept of “important data” was first mentioned in the PRC Cybersecurity Law in 2017, there is still no unified definition across the various legal documents. The most authoritative and relevant definition to date is in the Measures on Security Assessment for the Cross-border Transfer of Data, where important data is defined as data that “once tampered with, destroyed, leaked, or illegally acquired or used, may endanger national security, economic operations, social stability, public health and safety, etc”. This definition outlines the contours of important data but does not provide a practical guide that data processors can follow to classify and categorise their data. The PRC authorities have released several rounds of consultation drafts for a national standard specifying how to identify important data (the Identification Guide of the Important Data (Draft for Comments)). Based on these drafts, important data mostly relates to the following matters:

  • economic operations;
  • demography and health;
  • natural resources and environment;
  • science and technology;
  • security protection (physical and cyber);
  • user data and usage data for certain sensitive application services; and
  • activities of governmental authorities.

Based on the latest draft of the guide, released on 13 January 2022, the specific categories and characteristics of important data relevant to particular regions and/or industries will be further elaborated by the regulators overseeing that region and/or industry.

In terms of the “security assessment”, on 7 July 2022 the Cyberspace Administration of China (CAC) released the Measures on Security Assessment for the Cross-border Transfer of Data (the Security Assessment Measure), which took effect on 1 September 2022. In short, a satisfactory self-assessment and a data transfer legal document entered into with the overseas recipient are the key requirements for passing the formal CAC security assessment.

Additionally, and for personal information specifically, the PIPL goes a significant step beyond the PRC Cybersecurity Law by extending the personal information localisation obligation to cover not only CIIOs but also personal information processors whose processing volume exceeds a threshold set by the state cyberspace authority (Significant Volume Processors). Significant Volume Processors also need to undergo security assessments before carrying out cross-border transfers of personal information. Under the Security Assessment Measure, a data processor is a Significant Volume Processor where: (i) it processes the personal information of more than one million data subjects; or (ii) it has, cumulatively since 1 January of the previous year, exported the personal information of more than 100,000 data subjects or the sensitive personal information of more than 10,000 data subjects.

The Security Assessment Measure goes a step further and requires security assessment for all exports of important data. Therefore, if the personal information contemplated to be exported constitutes important data, security assessment is necessary.

Under the PIPL and the Security Assessment Measure, the regulatory requirements on cross-border transfers of personal information by the different types of personal information processors are summarised below.

CIIOs, Significant Volume Processors, and processors exporting important data

Pre-condition (one of the following):

  • pass the security assessment organised by the state cyberspace authority; or
  • if exempted by specific provisions of laws, administrative regulations or the rules of the state cyberspace authority, comply with such specific provisions.

Other personal information processors

Pre-condition (one of the following):

  • pass the security assessment organised by the state cyberspace authority;
  • obtain personal information protection certification from a professional institution;
  • enter into the standard contract formulated by the state cyberspace authority with the overseas data recipient; or
  • satisfy other requirements provided by laws, administrative regulations or the rules of the state cyberspace authority.

Other obligations (for all personal information processors transferring personal information abroad):

  • give proper prior notification to data subjects;
  • obtain separate consent from data subjects;
  • implement the measures necessary to ensure that the personal information processing activities of the overseas data recipient meet the standards of personal information protection stipulated in the PIPL; and
  • carry out a personal information protection impact assessment in advance of the transfer and keep records of the transfer activities.

Moreover, the PIPL specifically allows cross-border transfers of personal information in accordance with applicable international treaties and agreements China has concluded or participated in.

Specific restriction on data transfers in relation to cross-border investigations

In addition to the restrictions that apply generally to all cross-border data transfer scenarios, data protection laws also impose restrictions that are specific to data transfers in relation to cross-border investigations.

In particular, article 36 of the Data Security Law provides that:

the competent authorities shall, in accordance with the relevant laws and the international treaties and conventions which China has concluded or participated in, or on the basis of the principle of equality and mutual benefit, deal with data provision requests from foreign judicial or law enforcement agencies. Without the approval of the competent authorities, no organisation or individual within the territory of China shall provide foreign judicial or law enforcement agencies with any data stored within the territory of China.

On its face, this provision imposes an omnibus restriction on the cross-border transfer of all types of data stored in China to foreign judicial or law enforcement agencies, which effectively impedes the ability of data processors to provide data across borders to assist a foreign investigation.

Article 41 of the PIPL contains a substantively identical provision, specifically stipulating that the transfer of personal information to foreign judicial or law enforcement agencies must also be approved by the competent authorities.

The term “foreign judicial or law enforcement agencies” is not defined by the legislator, but the market view is that it should be interpreted broadly to include not only the judicial branch but also industry regulators such as the US SEC.

However, two practical questions remain unanswered as regards the implementation of these provisions. First, although the above articles stipulate the approval requirement, no clarification or guidance has been released as to how such approval may be applied for in practice. Second, it is unclear whether PRC data processors that are not compelled to provide data to foreign judicial or law enforcement agencies, but wish to provide such data voluntarily in order to bring a claim or defend their rights, are still subject to the restrictions in these articles.

Answer contributed by , and

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

China

Banking secrecy

A number of different banking secrecy laws contain obligations regarding the processing and transfer of certain types of data.

Commercial Bank Law

According to the PRC Commercial Bank Law as amended on 29 August 2015 (the Commercial Bank Law), a commercial bank has a general obligation to keep its depositors’ information confidential and will be liable for any damages incurred by a depositor if the bank breaches its duty of confidentiality. In China, individuals typically make cross-border money transfers through the bank holding their deposit account. When a bank provides money transfer services to a customer, the customer’s information is likely to be treated as “depositor’s information”.

PBOC circular on IFI

The PBOC published the Circular of PBOC on the Protection of Personal Financial Information (IFI) by Banking Financial Institutions (the IFI Circular), which took effect on 1 May 2011. The PBOC Shanghai branch further issued the Circular on Issues Relating to the Protection of Personal Financial Information by Banking Financial Institutions (the Shanghai Circular) on 12 May 2011. The protections under the IFI Circular and the Shanghai Circular are administrative law in nature and, therefore, cannot be waived by bank clients by consent.

Prohibition on cross-border transfer of IFI

The IFI Circular prohibits PRC banks (including PRC subsidiaries and branches of foreign banks) from disclosing IFI to an offshore entity. IFI broadly includes personal information on identity, property, bank account details, credit and financial transactions and so on, obtained by a bank during the course of its business or while accessing the PBOC’s system.

The Shanghai Circular clarifies that IFI also includes any information regarding any individual (such as the legal representative) of a corporate client of the bank.

Exceptions

Certain exceptions to the above prohibitions are available under the Shanghai Circular:

  1. Disclosure of IFI by a bank to its offshore parent or subsidiary is allowed if (i) such disclosure is necessary for the client or individual to conduct the relevant transactions and (ii) written authorisation is obtained from the individual. The PRC bank making the disclosure must ensure that its offshore parent or subsidiary keeps the IFI received confidential.
  2. Where a branch of a foreign bank uses the system of its offshore headquarters or an affiliate to store, process or analyse the IFI of the bank’s clients outside China, the Shanghai Circular requires the following conditions to be satisfied: (i) written authorisation is obtained from such clients; and (ii) the offshore headquarters or affiliate has adopted appropriate security measures to safeguard the relevant IFI, and the headquarters (in the name of the bank as a legal person) bears liability.

However, with the promulgation of the PIPL and the Data Security Law, it is unclear whether the exceptions under the Shanghai Circular remain valid. From a legal hierarchy perspective, these PBOC rules are departmental rules and are therefore overridden by the PIPL and the Data Security Law, both of which are laws, in the event of any conflict between them. Banking institutions should nonetheless keep in communication with the PBOC and the China Banking and Insurance Regulatory Commission (CBIRC) as to the validity of the above exceptions, given the potential impact on their business model.

Other than the above, we are not aware of any statutory exemptions that allow PRC banks to transfer IFI offshore (whether or not such transfer is in response to the request of a foreign authority). In a contentious context, group-wide internal investigations and reviews relating to foreign sanctions may not be considered “necessary for the client/individual to conduct the relevant transaction”, meaning that exception (1) above would not apply in this scenario. This view is further supported by the ICJAL discussed below.

Broker secrecy

A number of different broker secrecy laws contain obligations regarding the processing and transfer of financial-related data by PRC securities companies.

General prohibition on disclosure of investor information

According to the PRC Securities Law as amended on 1 March 2020 (the Securities Law), a securities company has a general obligation to keep the information of securities market investors confidential and will be liable for any damages incurred by an investor if the securities company violates its duty of confidentiality.

By the same token, according to the Measures for the Information Technology Management of Securities and Fund Operating Institutions promulgated by the CSRC on 15 January 2021 (the 2021 CSRC Rule), except as otherwise provided by laws and regulations or ordered by the CSRC, securities service providers (including securities companies) are prohibited from allowing or cooperating with other institutions or individuals to intercept or retain customer information, or from providing customer information to other institutions or individuals in any manner.

Specific prohibition on cross-border transfer of securities business-related information to overseas regulators

Article 177 of the Securities Law also specifically provides that no overseas securities regulator is permitted to directly conduct investigations or perform evidence-collection activities within the PRC, and no entity or individual in China is permitted to provide documentation or information relating to securities business activities to an overseas regulator, without the approval from competent PRC authorities.

Prohibition on cross-border transfer of work paper related information pursuant to the Overseas Listing Rule

According to the Provisions of the China Securities Regulatory Commission, the State Secrecy Administration, and the State Archives Administration on Strengthening the Confidentiality and File Management Work Related to the Issuance and Listing of Securities Overseas promulgated in 2009 (the Overseas Listing Rule), in the process of the overseas issuance and listing of securities, the domestic work papers and other files produced by securities companies and securities service institutions providing the relevant securities services must be stored in China.

The working papers mentioned in the preceding paragraph shall not be carried, shipped or transferred to overseas institutions or individuals through any means such as information technology without the approval of the competent authorities.

Exceptions

We are not aware of any cross-border data transfer exceptions specifically applicable to securities companies.

Judicial Assistance on Criminal Matters

On 26 October 2018, the National People’s Congress of the PRC promulgated the International Criminal Judicial Assistance Law (the ICJAL). The ICJAL applies only to criminal matters, not to civil or administrative matters.

The ICJAL sets out the relevant requirements on the processes of obtaining assistance and evidence in criminal matters on a cross-border basis. More specifically, the ICJAL applies in the case where entities and individuals outside of China seek assistance from those in China, or China-based entities and individuals seek assistance from those in other countries, including service of documents, evidence collection, witness testimony, freezing, seizure and confiscation of assets, and transfer of convicted persons.

The ICJAL requires that all such assistance in criminal proceedings be routed through a “competent authority” of the assisting state pursuant to the provisions of the ICJAL, or, if there is already in place a judicial assistance treaty on criminal proceedings between China and the relevant state (eg, the China-US Agreement on Mutual Assistance in Criminal Matters signed between China and the United States in 2000), pursuant to the requirements under such treaty.

Five authorities are designated as the “competent authorities” according to article 6 of the ICJAL, namely the National Supervisory Commission, the Supreme People's Court, the Supreme People's Procuratorate, the Ministry of Public Security and the Ministry of State Security.

The purpose of the ICJAL is partially to serve as a gap-filler for countries that China does not have a judicial assistance treaty with on criminal proceedings. In addition, according to the official report of the drafting commission of ICJAL and the press conference at which the ICJAL was made public, one of the main purposes of the ICJAL is to “effectively restrict foreign countries from exercising ‘long-arm jurisdiction’, particularly where foreign criminal enforcement authorities request information directly from China-based organisations and institutions”.

The ICJAL applies to individuals and entities located in China, and activities of evidence production taking place in China.

Article 4 of the ICJAL provides, among other things, that unless approved by the relevant competent authorities, no foreign entity, organisation or individual may carry out any activities within the territory of China for the purpose of foreign criminal proceedings, and no entity, organisation or individual located in China may provide evidential materials or assistance to any person in a foreign country. This suggests that a Chinese entity is prohibited from providing evidence, testimony or other forms of assistance in criminal proceedings initiated outside China without the approval of the Chinese competent authorities. The wording is broad enough to cover the situation where a China-based subsidiary of a multinational company provides any such assistance to its offshore parent, including but not limited to an internal investigation scenario, if the assistance relates to any foreign criminal proceedings.

The ICJAL does not contain penalties for violations. However, in practice, it is possible that the PRC regulators may frame the violation under the existing regimes including those relating to data privacy or state secrecy and therefore impose the relevant penalties thereunder.

As the ICJAL is still at an early stage, there is no precedent yet to provide more insight into how the PRC regulators will enforce against violations. It is also unclear, for example, whether the ICJAL implies a duty to inquire where a China-based entity or individual provides assistance to a foreign investigation without knowing that the investigation involves or may involve a criminal aspect.

State secrecy

The restrictions contained in the PRC laws and regulations on state secrecy would be triggered to the extent that the relevant personal information constitutes state secrets.

Under the PRC Law on Protection of State Secrets (the State Secrets Law) as amended on 29 April 2010, the term "state secret" is broadly defined to mean matters that are related to national security and interest, determined in accordance with legal procedures, and may only be disclosed to limited persons within a certain period of time.

The State Secrets Law provides a list of matters and information that can be classified as state secrets. Such matters and information, if disclosed, may impact China’s security and interest in key areas such as politics, economy, defence and foreign affairs. 

The National Administration for the Protection of State Secrets (the NAPSS) and the relevant government agencies have the power to determine and classify state secrets related to specific areas. NAPSS and the relevant governmental agencies may authorise non-governmental agencies such as state-owned enterprises (SOEs) to determine and classify state secrets generated from, received or possessed by such enterprises.

State secrets, if so determined, can be classified as "top secret", "secret" or “confidential”.

According to article 16 of the State Secrets Law, no state secrets should be disclosed to any person unless the disclosure is necessary for carrying out the relevant activity and has been approved by the Relevant Authority in charge (ie, the NAPSS or the relevant governmental agencies) (the Relevant Authorities).

According to article 30 of the State Secrets Law, if an entity needs to disclose state secrets in its communication or cooperation with foreign entities, or any foreigners engaged by the entity who needs to know state secrets, such entity shall apply to the Relevant Authority for approval of the proposed disclosure, and sign confidentiality agreements with the recipient of the information.

According to articles 21 and 25 of the State Secrets Law, the preparation, receipt, delivery, use and reproduction of state secret carriers (eg, paper, optical and magnetic media) must comply with the relevant regulations on the protection of state secrets. No person may carry or transmit any state secret carrier out of China without the approval of the Relevant Authority.

Under the Implementation Provisions of PRC Law on Protection of State Secrets issued by the State Council on 14 January 2014, an entity procuring services involving state secrets must determine the class of the confidential information in accordance with PRC laws, regulations and standards, and request the service provider to keep state secrets confidential and sign a confidentiality agreement with the service provider.

Under normal circumstances, however, state secrets are highly unlikely to be involved in the course of ordinary business. The risk may increase, though, where the data subject is a Chinese government agency or SOE, especially in industries sensitive to Chinese national security or national interests. Such sensitive industries may include infrastructure, energy and resources (including nuclear power), transportation, iron and steel, banking, export credit, technology and major equipment manufacturing.

The restrictions under the State Secrets Law cannot be waived by consent other than the approvals of the relevant authorities described above.

Anti-terrorism

According to the Interim Administrative Measures on Seizures over Assets relating to Terrorism Activities issued jointly by the PBOC, the Ministry of Public Security, and the Ministry of State Security on 10 January 2014, where a foreign authority intends to request client identity data or transaction data from certain financial institutions or designated non-financial institutions in the PRC, for reasons of anti-terrorism investigation, the relevant institutions must advise the foreign authority to make the request through diplomatic or judicial assistance channels. The institutions concerned must not provide the data to the foreign authority unless this requirement is complied with.


3. What constitutes personal data for the purposes of data protection laws?

China

The term “personal information” is defined in the PIPL as “all kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous”. Other data protection laws may contain definitions that differ from the one under the PIPL, but we expect them to be interpreted in accordance with the PIPL so as to be consistent with the upper-level law.


4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

China

In a significant difference from the PRC Cybersecurity Law and the recently adopted Data Security Law, the PIPL expressly provides for extraterritorial jurisdiction over data processing activities outside the territory of China (excluding natural persons processing personal information for personal or household affairs), if such activities are:

  • for the purpose of providing products or services to natural persons in the territory of China;
  • for analysing or evaluating the behaviour of natural persons in the territory of China; or
  • other circumstances stipulated by laws and administrative regulations.

As a result, these activities as well as persons carrying out these activities will be subject to the PIPL, even if they are outside China.


5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

China

Please refer to sections 1(a) and (b) above for detailed discussion. In a nutshell, data transfer in the context of assisting a foreign investigation is not a general ground for exemption from any general data protection requirements. In fact, depending on the specific circumstances, it may attract further scrutiny from a data protection and regulatory supervision perspective.


6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

China

The discussions in questions 1, 2 and 3 equally apply here. In a nutshell, data transfer in the context of assisting a foreign investigation is not a general ground for exemption from any general data protection requirements. In fact, depending on the specific circumstances, it may attract further scrutiny from a data protection and regulatory supervision perspective.

Given the data protection rules and the various blocking statutes mentioned in the sections above, it is unclear, and yet to be tested, whether a cross-border transfer of information for internal investigation purposes is caught by these restrictions (eg, whether clearance from the competent authorities is necessary). This may well depend on whether it is reasonably foreseeable, at the time of the transfer, that the internal investigation may escalate such that the relevant information becomes subject to the jurisdiction of a foreign judicial or law enforcement agency, which is the scenario specifically contemplated and restricted by the PRC legislator.

Such a principle equally applies to a transfer of such data to a foreign party assisting with an investigation.


RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

China

In addition to the consent of the individual data subject, the PIPL extends the legal bases for processing personal information to the following circumstances, in which consent is not required:

  1. as necessary for the conclusion or performance of a contract to which the data subject is a party;
  2. as necessary to implement human resources management pursuant to the employment policies formulated in accordance with the law and any collective labour contract lawfully entered into;
  3. as necessary to perform legal duties and obligations;
  4. as necessary to deal with public health emergencies and protect the safety of life, health and property of natural persons in an emergency;
  5. within reasonable scope, in order to conduct news reports, public opinion supervision and other acts in the public interest;
  6. to process, within reasonable scope, the personal information that is already made public by the data subject him/herself or other personal information that is already made public in accordance with the law; and
  7. other circumstances provided by laws and regulations.

Therefore, whether consent from the data subject is mandatory for the relevant investigation depends on the specific purpose for which the information is used and whether that purpose falls within the above exceptions. However, specifically for the “legal duties and obligations” exception in (3) above, please note that there is no interpretation or guidance as to whether the performance of a foreign legal duty falls within that exception. In any event, regardless of whether consent from the data subject is necessary, such transfers remain subject to the restrictions on the cross-border provision of information for investigation purposes discussed in question 6. In a nutshell, data transfer in the context of assisting a foreign investigation is not a general ground for exemption from any general data protection requirements. In fact, depending on the specific circumstances, it may attract further scrutiny from a data protection and regulatory supervision perspective.

Answer contributed by , and

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

China

If the contemplated processing activity does not fall within any of the exemptions referred to in question 7, consent must be obtained. If it is doubtful whether an exemption applies, consent from the data subject is also strongly recommended.

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

China

Yes, provided that the requirements under question 10 below are satisfied. Under the PIPL, consent must be given voluntarily and explicitly on a fully informed basis; in particular, the purpose of the personal information processing, ie, the investigation, must be communicated to and agreed by the employee.

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

China

Consent may be given through general terms and conditions or through the use of a website, as long as it is executed by the data subject and is sufficiently broad and comprehensive to cover the relevant data handling. For consent to be valid, at least the purpose and method of the processing and the types of personal information to be processed must be made clear to the data subject.

There are different consent-related terms used in the PIPL, such as general "consent", "separate consent" and "written consent". In particular, "separate consent" is required in the following circumstances:

  • where sensitive personal information is to be processed;
  • where a personal information processor plans to publish the personal information;
  • where a personal information processor plans to use personal images and identity information collected through image collection or personal identity recognition equipment installed in public places for purposes other than maintaining public safety; and
  • where personal information is provided to third parties:
    • separate consent from the data subject is required for providing personal information to another personal information processor. The recipient shall process the personal information within the scope of the notified purpose, method and types of personal information; any change requires the recipient to obtain the individual's consent again; and
    • separate consent from the data subject is required for the cross-border provision of personal information to overseas recipients.

The PIPL does not define "separate consent" or prescribe the method of obtaining it. However, according to the Information Security Technology Personal Information Notification and Consent Guidelines (Draft for Comment), it can be achieved by an "enhanced notification", an "instant reminder" or a similar method, so that the data subject is notified of the purpose, method and scope of the processing, the storage period, the security measures and other relevant information, and expressly agrees (ie, takes an affirmative action to agree) to the proposed processing.

It is possible (and in fact required) to obtain the data subject's consent before processing. However, the data subject is entitled to withdraw consent at any time. Processing activities carried out before the withdrawal are not affected by it.

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

China

Under the PIPL, the PRC Civil Code and the PRC Cybersecurity Law, an individual has the right to request that a network operator delete his or her personal information if the individual discovers that the network operator collects or uses it in breach of laws, regulations or the agreement between them. An individual may also ask the network operator to correct personal information that contains errors. The network operator must delete or correct the personal information at the data subject's request.

The PIPL also provides for other rights of data subjects. For example, where consent is required and has been given, the data subject may withdraw it, although the withdrawal does not have retrospective effect. The data subject also has the right to access, copy, verify, correct and delete their personal information and, unless laws or regulations provide otherwise, to restrict or refuse its processing.

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

China

The answer to this question depends on whether the third party is a "personal information processor" or a "third-party service provider" (entrusted party). The former equates to a data controller under the GDPR, which decides the purpose and method of the processing by itself. The latter equates to a data processor under the GDPR, which does not decide the purpose or method of the processing but only follows the instructions of the personal information processor that engages it.

If the third party is a personal information processor

Where two or more personal information processors jointly decide the purpose and method of the processing, they are jointly and severally liable to the data subject for any infringement of the data subject's rights and interests, regardless of any agreement between them.

Where a personal information processor provides personal information to another personal information processor, it shall inform the individual of the recipient's name, contact information, processing purpose and method and the types of personal information concerned, and shall obtain the individual's separate consent. The recipient shall process the personal information within the scope of that purpose, method and types of personal information. If the recipient changes the original purpose or method of the processing, it shall obtain the individual's consent again in accordance with the PIPL.

If the third party is a third-party service provider

Where a personal information processor (the principal) entrusts a third-party service provider (the trustee) to process personal information, the principal shall agree with the trustee on the purpose, time limit and method of the processing, the types of personal information to be processed and the security measures to be taken to protect it, and shall supervise the trustee's processing. The trustee shall process the personal information in accordance with the agreement and shall not exceed the agreed purpose, method and so on.

If the entrustment contract becomes invalid, or is revoked or terminated, the trustee shall return the personal information to the principal or delete it immediately. The trustee may not further entrust the processing of the personal information to others without the principal's consent.

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

China

PRC law does not distinguish between sharing personal information with law firms for legal advice and sharing it with trustees or joint processors. Depending on the role of the law firm, our answer in question 12 applies equally here.

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

China

PRC law does not distinguish between sharing personal information with law firms for legal advice and sharing it with trustees or joint processors.

If the law firm acts as a personal information processor (on its own or jointly with the client), it bears the corresponding responsibility for any infringement.

The PIPL does not make clear whether a third-party service provider acting strictly under the instructions of the personal information processor is liable for personal information violations. If the law firm acts only as a third-party service provider without deciding the purpose and method of the processing, the risk of it being held liable may be lower.

15. What is the position and status of legal process outsourcing firms under data protection laws?

China

PRC law does not distinguish between sharing personal information with legal process outsourcing firms and sharing it with other trustees or joint processors. Our answer in question 14 applies equally here.

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

China

We are unaware of any additional legislation regulating the disclosure of data to third parties in the PRC for this specific purpose.

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

China

Our discussion above, including the restrictions on cross-border provision referred to in question 6, applies equally to transfers of data to third parties in another country.

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

China

According to article 41 of the PIPL, the competent authorities of the People's Republic of China handle requests from foreign judicial or law enforcement authorities for the provision of personal information stored within China in accordance with the relevant laws and the treaties or international agreements that the People's Republic of China has concluded or acceded to, or on the principle of equality and mutual benefit.

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

China

Where personal data is transferred to Chinese regulators or enforcement authorities pursuant to specific laws or regulations, this is expressly permitted under article 13 of the PIPL without the need to obtain consent from the data subject.

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

China

According to article 41 of the PIPL, the competent authorities of the People's Republic of China handle requests from foreign judicial or law enforcement authorities for the provision of personal information stored within China in accordance with the relevant laws and the treaties or international agreements that the People's Republic of China has concluded or acceded to, or on the principle of equality and mutual benefit. Without the approval of the competent authorities of the People's Republic of China, a personal information processor may not provide personal information stored within the mainland territory of the People's Republic of China to foreign judicial or law enforcement agencies.

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

China

For non-criminal matters, one view is that the data subject's consent, if sufficiently generic, may cover the transfer of data to regulators. Anonymisation is regarded as a significant mitigation measure, as it may take the relevant information outside the definition of "personal information" and accordingly reduce its sensitivity. To have that effect, the anonymisation must be irreversible: under the PIPL, information that can still be used to identify a specific individual, or that can be restored to its original form (for example, pseudonymised data where the mapping is retained), remains personal information. However, note that the Data Security Law restricts the provision of all types of data, not just personal information, to foreign judicial or law enforcement agencies.

In addition, where the data request comes from a foreign regulator, the local regulator should be consulted, and prior approval is likely to be needed before any data can be transferred or information provided to the foreign regulator.

For criminal-related matters where the request comes from a foreign authority, then in addition to the above considerations, the specific requirements under the ICJAL and/or any applicable judicial assistance treaty on criminal matters should be followed, depending on the specific assistance sought by the foreign authority.

On top of the above, and taking into account the likely sensitive nature of the relevant data, the number of persons with knowledge of the data should be kept to a minimum and those persons should sign confidentiality undertakings, as should the relevant service providers. The facilities used to store, process and transfer the relevant data should be secure, so as to safeguard the data against damage, loss or leakage.

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

China

Criminal liability

A breach of the data protection laws in the collection, use or transfer of personal information may incur criminal liability if the breach constitutes a criminal offence under the PRC Criminal Law. For example, article 253 of the PRC Criminal Law provides that, where a person sells or provides citizens' personal information to others in breach of the relevant state regulations and the circumstances are particularly serious, the maximum penalty is imprisonment of up to seven years together with a fine.

Further, the unlawful collection, disclosure and cross-border transfer of state secrets may result in criminal sanctions. Article 111 of the PRC Criminal Law makes it a criminal offence to steal, secretly gather, purchase or illegally provide state secrets or intelligence for an organisation, institution or person outside China. A person who commits such acts may be subject to a maximum penalty of life imprisonment if the circumstances are particularly serious.

According to article 398 of the PRC Criminal Law, a person who, in breach of the State Secrecy Law, deliberately or negligently discloses state secrets where the circumstances are serious is liable to imprisonment of up to three years; where the circumstances are particularly serious, the penalty is imprisonment of three to seven years.

Administrative liability

PIPL

The maximum administrative fine for serious cases of unlawful processing of personal information or failure to comply with personal information protection obligations under the PIPL is RMB 50 million or 5 per cent of the violator's turnover in the preceding year. This is far higher than the fines provided for in the other Chinese data privacy and cybersecurity laws. As most of the data privacy rights and obligations scattered across existing Chinese laws and regulations are restated in the PIPL, the maximum fine applicable to non-compliance has increased substantially since 1 November 2021.

Other than imposing administrative fines, the regulator under the PIPL may also:

  • order corrections;
  • issue warnings;
  • confiscate illegal income;
  • order the suspension or termination of the services provided by the app that unlawfully processes personal information;
  • order the suspension of relevant business activities or cessation of business for rectification; 
  • report to the relevant competent department for cancellation of corresponding professional licences or business permits;
  • record the non-compliance in a credit system in accordance with the law; and
  • blacklist overseas organisations or individuals who engage in personal information processing activities that infringe the personal information rights and interests of citizens of China, or endanger the national security or public interest of China, and adopt measures such as restricting or prohibiting the provision of personal information to them.

Moreover, where a legal entity is non-compliant, the regulator may impose a fine of up to RMB 1 million on the directly responsible person in charge and other directly responsible persons, and may prohibit them from serving as directors, supervisors, senior management or personal information protection officers for a specified period.

Cyber Security Law

Breach of the Cyber Security Law can lead to correction orders, the confiscation of unlawful gains, fines, or the suspension or revocation of a business licence.

Data Security Law

Breach of the Data Security Law can lead to correction orders, warnings, fines, suspension of business, suspension or revocation of a business licence and, in the case of a state organ, sanctions on the person directly in charge and other directly liable persons.

Banking secrecy

The Commercial Bank Law does not expressly provide penalties specifically for breach of banking secrecy. In practice, a breach of the Commercial Bank Law generally results only in an order from the CBRC (now the CBIRC, the China Banking and Insurance Regulatory Commission) to rectify the breach. Article 89 provides generally that where a bank violates the provisions of the Commercial Bank Law (without further specifying the acts of violation), the CBIRC has broad power to:

  • temporarily or permanently disqualify the directors or senior management personnel directly responsible for the violation from their positions; or
  • prohibit the directors or senior management personnel and any other persons directly responsible for the violation from holding their post for a certain period of time; or even permanently ban them from undertaking banking work (in specific circumstances).

Where the violation does not constitute a criminal offence, the directors or senior management personnel and any other persons directly responsible for the violation may be given warnings or fined up to RMB 500,000.

According to article 10 of the IFI Circular, the PBOC may take the following measures in the event of any violation of the IFI Circular or Shanghai Circular or any other failure by a bank to fulfil the obligation to protect IFI:

  • request an explanation of the violation from the senior management of the bank;
  • if possible, order the rectification of the violation by the bank;
  • publicise the non-compliance within the financial sector;
  • recommend that the bank punish the senior management or other personnel directly responsible for the violation; or
  • submit the violation to the courts if a crime is committed.  

Under article 11 of the IFI Circular, where the violation is committed using the credit information system, payment system or other systems of the PBOC and the bank refuses to rectify it, the PBOC may suspend the bank's use of those systems or prohibit its newly established branches from accessing them.

Broker secrecy

Under the 2021 CSRC Rule, where securities service providers (including securities companies) violate its provisions, including the restrictions on data transfer, the CSRC may take administrative supervision measures such as ordering corrections, suspending business, issuing warning letters, ordering periodic reports, ordering increased compliance inspections and public condemnation. Against the directly responsible persons in charge and other responsible persons, the CSRC may take administrative supervision measures such as ordering corrections, holding supervisory talks, issuing warning letters and public condemnation.

State secrecy

Breach of the State Secrecy Law gives rise to administrative disciplinary sanctions that are primarily imposed on government agencies and the officials in breach. We are unaware of any published legislation providing for administrative sanctions against private entities and their staff, and in the absence of an express provision in the State Secrecy Law such sanctions should not apply to them. However, there may be other relevant rules that are not publicly available, so it would be difficult to conclude that administrative sanctions will never be imposed on private entities and their staff in breach, even though that appears to be the position under the key legislation.

Civil liability

A civil claim can be made by a data subject who has suffered harm as a result of unlawful processing. Damages and injunctive relief are both available.

The PIPL specifically provides for a public interest litigation regime. The People's Procuratorate, the consumer organisations specified by law and the organisations determined by the CAC may bring a lawsuit in a people's court on behalf of natural persons whose rights and interests are infringed by a personal information processor. In addition, a presumption of fault applies to alleged infringements of personal information rights and interests, which eases the burden on natural persons seeking a remedy for such infringement.

(Apart from the above, note that the ICJAL does not itself contain penalties for violations. However, in practice the PRC regulators may characterise an ICJAL violation under other existing regimes, including data protection or state secrecy, and impose the relevant penalties thereunder.)

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

China

We are unaware of any additional materials on these topics other than the legislation set out in the questions above.  
