1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?
There is no specific data protection legislation in the People’s Republic of China (the PRC or China, for the purpose of this article, excluding Hong Kong, Taiwan and Macau). There are a number of different laws that govern different aspects of the collection and use of personal information:
According to the PRC Civil Code issued by the National People’s Congress on 28 May 2020, which will take effect on 1 January 2021, and the General Principle Rules of Civil Law issued by the National People’s Congress on 15 March 2017, which took effect on 1 October 2017, PRC laws protect the personal information of natural persons. Any entity or individual that needs to obtain the personal information of others should do so in accordance with PRC laws and ensure its security. They are also prohibited from illegally collecting, using, processing or transmitting the personal information of others, or illegally trading, providing or disclosing the personal information of others.
Under the PRC Tort Liability Law issued by the Standing Committee of the National People's Congress (the SCNPC) in December 2009, "civil rights and interests" are broadly defined to include the right to one’s name, reputation, honour, image and privacy. It is likely that a customer’s personal information would be interpreted as concerning such "civil rights", which are to be protected by the law.
According to the PRC Law on Protection of Consumer Rights and Interests (as amended in October 2013, the Consumer Protection Law), business operators, during the course of collecting and using customers’ personal information, are obligated to keep such information strictly confidential, and shall not disclose it to third parties.
According to the Decision on Protecting Internet Information issued by the SCNPC on 28 December 2012 (the Decision), electronic information that can identify individuals or involves an individual’s privacy (Electronic Personal Information) is protected by law. No individual or entity may steal, obtain, sell or disclose such information in an illegal way. Network service providers and other entities should not collect or use electronic personal information in breach of relevant laws, regulations or the consent of the information owners. Network service providers, other entities and their staff members should keep electronic personal information collected during the course of business strictly confidential, and should not disclose, modify, destroy or sell the information or illegally provide it to third parties.
The TMT and Internet Personal Information Protection Rules issued by the Ministry of Industry and Information Technology (MIIT) on 16 July 2013 (the TMT and Internet Information Protection Rules), which implement the Decision, provide, among other things, that TMT business operators and internet information service providers should not collect or use the personal information of users without the latter’s consent. No personal information may be collected beyond the scope necessary for the provision of services, or used for purposes irrelevant to the services. No personal information may be collected or used by cheating, disguising or coercing the users, or in a way that breaches laws, regulations or agreements with users. The rules also repeat the restrictions in the Decision described in the above paragraph on the storage, use and disclosure of users’ personal information by TMT business operators and internet information service providers.
The Provisions on the Cyber Protection of Children's Personal Information issued by the Cyberspace Administration of China on 22 August 2019, which took effect on 1 October 2019, provide that, before collecting, using, transmitting or disclosing any personal information of a child below the age of 14, a network operator shall inform the child's guardian of such collection, use, transmission or disclosure in a conspicuous and clear manner, and shall obtain the consent of the child's guardian.
Apart from the above, the PRC Cyber Security Law issued by the SCNPC on 7 November 2016 provides two forms of data protection, one addressed to data generated and collected by network operators (defined in the next paragraph), and the other addressed to data generated and collected by CIIs (defined below).
The network operators referred to above are broadly defined as including network owners or managers and network service providers. The term “network” means systems built on computers or other information terminals and relevant facilities to collect, store, transmit, exchange or process information according to certain rules and procedures.
The PRC Cyber Security Law provides that network operators should keep the user information they collect strictly confidential and set up comprehensive and robust information protection systems. No personal information may be used, processed or destroyed in breach of the agreements between network operators and users. All personal information should be processed and stored according to the relevant laws, regulations and agreements with users. No personal information may be disclosed without the user’s consent, unless such information has been processed such that no specific individual can be identified and the original information can no longer be recovered.
Further, personal information and important data generated and collected within the territory of China by operators of critical information infrastructures (CIIs) during the course of their operations should be stored within China. If such data needs to be transferred overseas due to business necessity, such transfers should be subject to security assessments according to the relevant regulations (the Data Cross-Border Transfer Rules) jointly issued by the Cyberspace Administration of China (the CAC) and other relevant authorities. The CIIs include, among others: public communications and information service systems; systems of energy, transportation, hydro (water) systems, finance, public service sectors and areas; electronic government service platforms; and other significant industries and areas. The category also includes important information infrastructure facilities that, if destroyed, disabled or subject to data leakage, may cause significant damage to national security, national economy, people’s livelihoods or public interest.
As of the date of this chapter, various consultation drafts of rules implementing the PRC Cyber Security Law have been circulated for comments, but the market is still waiting for the release of the official implementation rules to clarify the equivocal requirements in the PRC Cyber Security Law, such as the requirement for a cross-border data transfer assessment. That said, since the PRC Cyber Security Law took effect in 2017, various national standards have been released to guide the market on the “best practice” on data protection that the regulators could be expected to look for. For example, on 6 March 2020, the recommended national standard named Information Security Technology - Personal Information Security Specification (GB/T 35273-2020, the Personal Information Security Specification) was released, which sets out the principles and security requirements for the collection, storage, processing, sharing, transfer and disclosure of personal data. On 10 April 2019, the Ministry of Public Security issued the Guidelines for Internet Personal Information Security Protection (the Personal Information Security Guideline), which sets out guidelines for reference by internet service providers on the collection, storage, processing, deletion and disclosure of personal data. On 13 February 2020, the People’s Bank of China (the PBOC) issued the Personal Financial Information Protection Technical Specification, which sets out guidelines for reference by financial institutions on the collection, transmission, storage and use of individual financial information (IFI). These standards, although not mandatory, partially fill the gap while the official implementation rules to the PRC Cyber Security Law remain in draft form. Compliance with the principles set out in those guidelines and standards may be useful in evidencing an entity’s compliance with the relevant requirements of the PRC Cyber Security Law.
According to the PRC Civil Code, the General Principle Rules of Civil Law will be abolished on 1 January 2021 when the PRC Civil Code becomes effective.
According to the PRC Civil Code, the PRC Tort Liability Law will also be abolished on 1 January 2021 when the PRC Civil Code becomes effective. However, “civil rights and interests” are protected by both and share the same definition.
2. What other laws and regulations may prevent data sharing in the context of an investigation?
A number of different banking secrecy laws contain obligations regarding the processing and transfer of certain types of data.
- Commercial Bank Law
According to the PRC Commercial Bank Law as amended on 29 August 2015 (the Commercial Bank Law), a commercial bank has a general obligation to keep its depositors' information confidential and will be liable for any damages incurred by a depositor if the bank violates its duty of confidentiality. In China, it is typical for people to conduct cross-border money transfers through the banks holding their deposit accounts. When a bank provides money transfer services to its customer, it is likely that the customer's information may be interpreted as "depositor’s information".
- PBOC circular on IFI
The PBOC published the Circular of PBOC on the Protection of Personal Financial Information by Banking Financial Institutions (the IFI Circular) on 1 May 2011. The PBOC Shanghai branch further issued the Circular on Issues Relating to the Protection of Personal Financial Information by Banking Financial Institutions (the Shanghai Circular) on 18 May 2011. The protections under the IFI Circular and the Shanghai Circular are administrative law in nature and, therefore, cannot be waived by bank clients by consent.
- Prohibition on cross-border transfer of IFI
The IFI Circular prohibits PRC banks (including PRC subsidiaries and branches of foreign banks) from disclosing IFI to an offshore entity. IFI broadly includes personal information on identity, property, bank account details, credit and financial transactions and so on, obtained by a bank during the course of its business or while accessing the PBOC’s system.
The Shanghai Circular clarifies that IFI also includes any information regarding any individual (such as the legal representative) of a corporate client of the bank.
Certain exceptions to the above prohibitions are available under the Shanghai Circular:
(A) Disclosure of IFI by a bank to its offshore parent or subsidiary is allowed if (i) such disclosure is necessary for the client or individual to conduct the relevant transactions and (ii) written authorisation is obtained from the individual. The PRC bank making the disclosure must ensure that its offshore parent or subsidiary keeps the IFI received confidential.
(B) With respect to a branch of a foreign bank using the system of its offshore headquarters or affiliate to store, process or analyse the IFI of the bank's clients outside China, the Shanghai Circular requires the following conditions to be satisfied: (i) written authorisation is obtained from such clients; and (ii) the offshore headquarters or affiliate has adopted relevant security measures to safeguard the relevant IFI, and the headquarters (in the name of the bank as a legal person entity) bears the liabilities.
Other than the above, we are not aware of any statutory exemptions that allow PRC banks to transfer IFI offshore (whether or not such transfer is in response to the request of a foreign authority). In a contentious context, group-wide internal investigations and reviews relating to foreign sanctions may not be considered "necessary for the client/individual to conduct the relevant transaction", meaning that exception (A) above would not apply in this scenario. This view is further supported by the ICJAL discussed below.
Judicial Assistance on Criminal Matters
On 26 October 2018, the National People’s Congress of the PRC promulgated the International Criminal Judicial Assistance Law (the ICJAL). The ICJAL applies only to criminal matters, not to civil or administrative matters.
The ICJAL sets out the relevant requirements on the processes for obtaining assistance and evidence in criminal matters on a cross-border basis. More specifically, the ICJAL applies where entities and individuals outside China seek assistance from those in China, or China-based entities and individuals seek assistance from those in other countries, including service of documents, evidence collection, witness testimony, freezing, seizure and confiscation of assets, and transfer of convicted persons.
The ICJAL requires that all such assistance in criminal proceedings be routed through a “competent authority” of the assisting state pursuant to the provisions of the ICJAL, or, if there is already in place a judicial assistance treaty on criminal proceedings between China and the relevant state (eg, the China-US Agreement on Mutual Assistance in Criminal Matters signed between China and the United States in 2000), pursuant to the requirements under such treaty.
The purpose of the ICJAL is partly to serve as a gap-filler for countries with which China does not have a judicial assistance treaty on criminal proceedings. In addition, according to the official report of the drafting commission of the ICJAL and the press conference at which the ICJAL was made public, one of the main purposes of the ICJAL is to “effectively restrict foreign countries from exercising ‘long-arm jurisdiction’, particularly where foreign criminal enforcement authorities request information directly from China-based organisations and institutions”.
The ICJAL applies to individuals and entities located in China, and activities of evidence production taking place in China.
Article 4 of the ICJAL provides, among other things, that unless approved by the relevant competent authorities, no foreign entities, organisations or individuals may carry out any activities for the purpose of foreign criminal proceedings within the territory of China, and no entities, organisations or individuals located in China may provide evidential materials or assistance to any person in foreign countries.
This seems to suggest that a Chinese entity is prohibited from providing evidence, testimony or other forms of assistance in criminal proceedings initiated outside China without approval of Chinese competent authorities. The wording is sufficiently broad to include the situation where a China-based subsidiary of a multinational company provides any of such assistance to its offshore parent, including but not limited to an internal investigation scenario, if such assistance is related to any foreign criminal proceedings.
The ICJAL does not contain penalties for violations. In practice, however, it is possible that the PRC regulators may frame a violation under existing regimes such as data privacy or state secrecy and impose the relevant penalties thereunder.
As the ICJAL is still at an infant stage, there is no precedent yet to provide more insight into how the PRC regulators will enforce against any violation. It is also not clear, for example, whether the ICJAL implies a duty to inquire where a PRC-based entity or individual provides assistance to a foreign investigation without knowing that the investigation involves or may involve a criminal aspect.
The restrictions contained in the PRC laws and regulations on state secrecy would be triggered to the extent that the relevant personal information constitutes state secrets.
Under the PRC Law on Protection of State Secrets (the State Secrets Law) as amended on 29 April 2010, the term "state secret" is broadly defined to mean matters which are related to national security and interest, determined in accordance with legal procedures, and may only be disclosed to limited persons within a certain period of time.
The State Secrets Law provides a list of matters and information that can be classified as state secrets. Such matters and information, if disclosed, may impact China’s security and interest in key areas such as politics, economy, defence and foreign affairs.
The National Administration for the Protection of State Secrets (the NAPSS) and the relevant government agencies have the power to determine and classify state secrets related to specific areas. NAPSS and the relevant governmental agencies may authorise non-governmental agencies such as state-owned enterprises (SOEs) to determine and classify state secrets generated from, received or possessed by such enterprises.
State secrets, if so determined, can be classified as "top secret", "secret" or “confidential”.
According to article 16 of the State Secrets Law, no state secrets should be disclosed to any person unless the disclosure is necessary for carrying out the relevant activity and has been approved by the Relevant Authority in charge (ie, the NAPSS or the relevant governmental agencies) (the Relevant Authorities).
According to article 30 of the State Secrets Law, if an entity needs to disclose state secrets in its communication or cooperation with foreign entities, or any foreigners engaged by the entity need to know state secrets, such entity shall apply to the Relevant Authority for approval of the proposed disclosure, and sign confidentiality agreements with the recipient of the information.
According to articles 21 and 25 of the State Secrets Law, the preparation, receipt, delivery, use and reproduction of state secret carriers (eg, paper, optical and magnetic media) should comply with the relevant regulations on the protection of state secrets. No person may carry or transmit any state secret carriers out of China without the approval of the Relevant Authority.
Under the Implementation Provisions of PRC Law on Protection of State Secrets issued by the State Council on 14 January 2014, an entity procuring services involving state secrets must determine the class of the confidential information in accordance with PRC laws, regulations and standards, and request the service provider to keep state secrets confidential and sign a confidentiality agreement with the service provider.
Under normal circumstances, state secrets are highly unlikely to be involved in the course of ordinary business. However, the risk may increase where the data subject is a Chinese government agency or SOE, especially in certain industries sensitive to Chinese national security or national interests. Such sensitive industries may include infrastructure, energy and resources (including nuclear power), transportation, iron and steel, banking, export credit, technology and major equipment manufacturing.
The restrictions under the State Secrets Law cannot be waived by consent other than the approvals of the relevant authorities described above.
According to the Interim Administrative Measures on Seizures over Assets relating to Terrorism Activities issued jointly by the PBOC, the Ministry of Public Security, and the Ministry of State Security on 10 January 2014 (the PBOC 2014 Notice), where a foreign authority intends to request client identity data or transaction data from certain financial institutions or designated non-financial institutions in the PRC, for reasons of anti-terrorism investigation, the relevant institutions must advise the foreign authority to make the request through diplomatic or judicial assistance channels. The institutions concerned must not provide the data to the foreign authority unless this requirement is complied with.
In the case of China, five authorities are designated as the “competent authorities” according to article 6 of the ICJAL, namely the National Supervisory Commission, the Supreme People's Court, the Supreme People's Procuratorate, the Ministry of Public Security and the Ministry of State Security.
3. What can constitute personal data for the purposes of data protection laws?
There is no single definition of personal data in the PRC. The type of information that the various legislative provisions apply to depends on the nature of the activity in question.
The General Principle Rules of Civil Law does not provide a definition of "personal information".
The Consumer Protection Law applies to information collected by a business operator in the course of providing products and/or services to a consumer. This includes their name, gender, occupation, date of birth, ID number, residence address, contact information, income and assets, health situation, expenses and such other information that may make the consumer identifiable, either individually or in combination with other information.
The PRC Cyber Security Law and the PRC Civil Code define "personal information" as information recorded in electronic or other forms that, either alone or in combination with other information, may identify an individual. Such information includes an individual’s name, date of birth, ID number, address, phone number, account number, passcode, and so on.
The Decision protects Electronic Personal Information as defined above. Under the Provisions on Application of Laws in Hearing Disputes relating to Tortious Activities Damaging Rights and Interests of Individuals by Using Information Networks issued by the Supreme People’s Court on 21 August 2014 (the Judicial Interpretations), personal information protected under the Decision includes personal privacy of an individual such as genetic information, medical history, physical history, criminal record, residence address, private activities and other personal information.
The TMT and Internet Information Protection Rules apply to the information of users collected by service providers during the course of providing the relevant services. This includes information that may identify the user or the timing and location of their access to the relevant services, either alone or in combination with other information. This information would include the individual’s name, date of birth, ID number, address, phone number, account number, passcode.
The IFI Circular and the Shanghai Circular protect IFI, as defined at question 2.
4. Does personal data protection relate only to natural persons or also legal persons?
The term “personal information” is defined to refer only to information relating to natural persons (individuals). As such, to the extent that a provision refers to personal information, such reference is addressed only to information relating to natural persons (individuals). However, whether a specific provision covers only personal information or extends to information of entities should be assessed against the exact wording of such provision. For example, the protection of information generated and collected by CIIs under the PRC Cyber Security Law also covers other “important data”; the protection under the Commercial Bank Law covers information of “depositors”, which include corporate clients of banks; and the protection under the State Secrets Law and related legislation covers both individual and entity information. It is also notable that certain personal information includes personal information of individuals relating to entities, such as the IFI protected under the IFI Circular.
5. To whom do data protection laws apply?
The Consumer Protection Law applies to "business operators" that transfer personal information. A business operator is not defined in the statute, but one view is that, in practice, the relevant companies are limited to those based onshore in the PRC. However, if any offshore business operator is deemed as carrying out business in China, it would be subject to the PRC licensing regime and may also fall within the framework of the Consumer Protection Law. This is a separate topic that we will not further address here.
The PRC Cyber Security Law applies to CII operators and network operators for the relevant purposes described in question 1. Please note that for the security assessment required by Article 37 of the PRC Cyber Security Law on cross-border transfer of personal information or important data, various draft measures have been published for comments on this issue and some have extended the security assessment requirement to cover not only CIIs but also network operators in general. It is unclear whether the official rules to be promulgated will actually expand the application of this requirement.
The Decision applies to network service providers and other businesses that collect or use individual electronic information in the course of their business.
The TMT and Internet Information Protection Rules apply to "service providers". This term is defined broadly as any telecommunication or internet information service provider approved by the regulator to provide telecommunication or internet information services and that may receive personal information from customers when providing these services.
The Commercial Bank Law and the IFI Circular apply to PRC incorporated banks or foreign bank branches set up in China.
No distinction is made in any of the above provisions between data controllers and data processors.
6. What acts or operations on personal data are regulated by data protection laws?
There is no specific definition of the acts regulated in the relevant laws. They regulate all aspects of the collection and use of personal information.
7. What are the principal obligations on data controllers to ensure the proper processing of personal data?
The obligations on the person controlling the data vary depending on the circumstances and the particular law that applies as a result.
Under the PRC Civil Code, the data processor’s obligations are as follows:
- unless otherwise provided by applicable PRC laws and administrative regulations, it must obtain the consent of the data subject or his or her guardian with respect to a proposed processing of personal data;
- it must make the processing rules public;
- it must expressly inform a data subject of the purposes, methods and scope of the personal information processing;
- it must not breach applicable PRC laws or administrative regulations or the terms of any agreement with the data subject;
- it must not divulge or distort the personal information collected or stored by it or illegally provide it to other persons;
- it must adopt technical measures and other necessary measures to ensure the security of the personal information collected and stored by it;
- it must adopt remedial measures in a timely manner where the information is, or may be, divulged, damaged or lost.
Under the Consumer Protection Law, the business operator’s obligations are as follows:
- it must expressly inform a consumer of the purposes, methods and scope of the collection and use of their personal information;
- it must be genuinely necessary to collect or use the personal information;
- the business operator must obtain the data subject’s consent and must not breach the terms of any agreement by which it obtains such consent;
- the business operator and its employees must keep the consumers’ personal information strictly confidential and must not transfer it to others; and
- mitigating measures must be taken immediately where confidentiality is breached or the personal information is damaged or lost.
The obligations of network operators to ensure the proper processing of personal information under the PRC Cyber Security Law are substantially the same as those under the Consumer Protection Law described above.
To comply with the Decision, network service providers must:
- provide the user with information on the objective, methods and scope of the collection of their data and its use, including making collection and use rules public;
- obtain the consent of the data subject to the use and collection of the information and not breach the terms of any agreement on this subject;
- ensure that all staff strictly protect the private information of the users collected in the course of their business activities and do not divulge, distort or damage the information, or illegally provide it to other persons; and
- adopt remedial measures immediately where the information is divulged, damaged or lost.
The Judicial Interpretations supporting the Decision provide that if an information network user or service provider uses the information network to disclose personal information of an individual and this use causes damage, a claim for damages should be supported by the Chinese court, unless one of the following applies to the disclosure:
(a) the individual has given written consent and the disclosure is within the agreed scope;
(b) the disclosure promotes the public interest and is within the necessary extent;
(c) the disclosure is for purposes of academic research or statistics in the public interest by schools and research institutions, the individual has consented in written form, and the way of disclosure is not sufficient to identify the specific individual;
(d) the information was self-disclosed by the individual or is other personal information that has been lawfully disclosed on the internet;
(e) the personal information was obtained through lawful channels; or
(f) as otherwise provided by law or administrative regulations.
If personal information referred to in item (d) or (e) above is disclosed in a way that breaches public interests or morality or if it would damage the significant interests of an individual, the court should support any request from an individual that the service provider be held liable.
To comply with the TMT and Internet Information Protection Rules, a TMT business operator or internet information service provider must generally follow the principles of legality, legitimacy and necessity. It is liable for information security, where it collects or uses personal information in the delivery of the service.
Additionally, a TMT business operator or internet information service provider must:
- establish policies in relation to the collection and use of users’ personal information and publish these policies on the internet and in its business locations;
- obtain the user’s prior consent to the collection and use of their personal information and inform the user of the purpose, method and scope for the collection of their information, including the consequences if the user does not provide the information;
- avoid collecting personal information that is not necessary for their services or use personal information in a way that is irrelevant to their services;
- avoid collecting personal information by disguise, cheating or coercion, or in a way that breaches laws, regulations or any agreements with the users;
- stop the collection and use of personal information from the relevant users when its provision of the service ends and allow the users to revoke their records;
- supervise any outsourcing that involves individuals’ private information to ensure that the service provider complies with these requirements; and
- ensure that all personal information is kept confidential.
One view is that any business conducting any kind of electronic service should behave as if the TMT and Internet Personal Information Protection Rules apply to it.
The obligations of banks to ensure bank confidentiality and the obligations for relevant entities to protect state secrets have been described in question 2.
Under the Provisions on the Cyber Protection of Children's Personal Information, the network operator’s obligations are as follows:
- it must have special rules and user agreements for the protection of children's personal information and designate a person responsible for the protection of children's personal information;
- when seeking a guardian's consent, it must provide an option to refuse such consent and expressly disclose the matters related to personal information processing, including (i) the purposes, methods and scope of collecting, storing, using, transmitting and disclosing children's personal information, (ii) the location and duration of storage of children's personal information and the processing of children’s personal information after such duration, (iii) the security measures for children’s personal information, (iv) the consequences of refusal, (v) the channels and methods for complaints and reports, (vi) the ways and methods of correcting and deleting children's personal information, and (vii) other matters that should be disclosed;
- where there is any substantial change in any of the above items (i) to (vii), a separate consent of the guardian must be obtained; and
- it must neither collect children’s personal information unrelated to the services it provides nor breach applicable PRC laws or administrative regulations or the terms of any agreement with the data subject.