Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Last verified on Friday 16th August 2019

China

Jane Jiang, Jason Song, Tiantian Wang and Aubrey Tang
Allen & Overy LLP
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

There is no specific data protection legislation in the People’s Republic of China (the PRC or China, for the purpose of this article, excluding Hong Kong, Taiwan and Macau). There are a number of different laws that govern different aspects of the collection and use of personal information:

    According to the General Principle Rules of Civil Law issued by the National People’s Congress on 15 March 2017, which took effect on 1 October 2017, PRC laws protect the personal information of natural persons. Any entity or individual that needs to obtain the personal information of others should do so in accordance with PRC laws and ensure its security. They are also prohibited from illegally collecting, using, processing or transmitting the personal information of others, or illegally trading, providing or disclosing the personal information of others.

    Under the PRC Tort Liability Law issued by the Standing Committee of the National People's Congress (the SCNPC) in December 2009, "civil rights and interests" are broadly defined to include the right to one’s name, reputation, honour, image and privacy. It is likely that a customer’s personal information would be interpreted as concerning such "civil rights", which are to be protected by the law. 

    According to the PRC Law on Protection of Consumer Rights and Interests (as amended in October 2013, the Consumer Protection Law), business operators, during the course of collecting and using customers’ personal information, are obligated to keep such information strictly confidential, and shall not disclose it to third parties.

    According to the Decision on Protecting Internet Information issued by the SCNPC on 28 December 2012 (the Decision), electronic information that can identify individuals or involves individual privacy (Electronic Personal Information) is protected by law. No individual or entity may steal, obtain, sell or disclose such information in an illegal way. Network service providers and other entities should not collect or use electronic personal information in breach of relevant laws, regulations or consents given by the information owners. Network service providers, other entities and their staff members should keep electronic personal information collected during the course of business strictly confidential, and should not disclose, modify, destroy or sell the information or illegally provide it to third parties.

    The TMT and Internet Personal Information Protection Rules issued by the Ministry of Industry and Information Technology (MIIT) on 16 July 2013 (the TMT and Internet Information Protection Rules), which implement the Decision, provide, among other things, that TMT business operators and internet information service providers should not collect or use the personal information of users without the users’ consent. No personal information may be collected beyond the scope necessary for the provision of services, or used for purposes irrelevant to the services. No personal information may be collected or used by cheating, disguising or coercing the users, or in a way that breaches laws, regulations or agreements with users. The rules also repeat the restrictions in the Decision described in the paragraph above on the storage, use and disclosure of users’ personal information by TMT business operators and internet information service providers.

    Apart from the above, the PRC Cyber Security Law issued by the SCNPC on 7 November 2016 provides two forms of data protection: one addressed to data generated and collected by network operators (defined in the next paragraph), and the other addressed to data generated and collected by CIIs (defined below).

    The network operators referred to above are broadly defined as including network owners or managers and network service providers. The term “network” means systems built on computers or other information terminals and relevant facilities to collect, store, transmit, exchange or process information according to certain rules and procedures.

    The PRC Cyber Security Law provides that network operators should keep the user information they collect strictly confidential and set up comprehensive and robust information protection systems. No personal information may be used, processed or destroyed in breach of the agreements between network operators and users. All personal information should be processed and stored according to the relevant laws, regulations and agreements with users. No personal information may be disclosed without the user’s consent, unless such information has been processed so that no specific individual can be identified and the original information can no longer be recovered.

    Further, personal information and important data generated and collected within the territory of China by operators of critical information infrastructures (CIIs) during the course of their operations should be stored within China. If such data needs to be transferred overseas due to business necessity, such transfers should be subject to security assessments according to the relevant regulations (the Data Cross-Border Transfer Rules) jointly issued by the Cyberspace Administration of China (the CAC) and other relevant authorities. The CIIs include, among others: public communications and information service systems; systems of energy, transportation, hydro (water) systems, finance, public service sectors and areas; electronic government service platforms; and other significant industries and areas. The category also includes important information infrastructure facilities that, if destroyed, disabled or subject to data leakage, may cause significant damage to national security, national economy, people’s livelihoods or public interest.

    As of the date of this article, various consultation drafts of rules implementing the PRC Cyber Security Law have been circulated for comments, but the market is still waiting for the release of the official implementation rules to clarify the equivocal requirements in the PRC Cyber Security Law, such as the requirement for a cross-border data transfer assessment. That said, since the PRC Cyber Security Law took effect in 2017, various national standards have been released to guide the market on the “best practice” on data protection that could be expected by the regulators. For example, on 1 May 2018, the recommended national standard named Information Security Technology — Personal Information Security Specification (GB/T 35273—2017, the Personal Information Security Specification) was released, which sets out the principles and security requirements for the collection, storage, processing, sharing, transfer and disclosure of personal data. On 10 April 2019, the Ministry of Public Security issued the Guidelines for Internet Personal Information Security Protection (the Personal Information Security Guideline), which set out guidelines for reference by internet service providers on the collection, storage, processing, deletion and disclosure of personal data. These standards, although not mandatory, partially fill the gap while the official implementation rules to the PRC Cyber Security Law are still in draft form. Compliance with the principles set out in those guidelines and standards may be useful in evidencing an entity’s compliance with the relevant requirements of the PRC Cyber Security Law.

2. What other laws and regulations may prevent data sharing in the context of an investigation?

Banking secrecy

    A number of different banking secrecy laws contain obligations regarding the processing and transfer of certain types of data.

    1. Commercial Bank Law

    According to the PRC Commercial Bank Law as amended on 29 August 2015 (the Commercial Bank Law), a commercial bank has a general obligation to keep its depositors' information confidential and will be liable for any damages incurred by a depositor if the bank violates its duty of confidentiality. In China, it is typical for people to conduct cross-border money transfers through their deposit account banks. When a bank provides money transfer services to its customer, the customer's information is likely to be interpreted as "depositor’s information".

    2. PBOC circular on IFI

    The People’s Bank of China (the PBOC) published the Circular of PBOC on the Protection of Personal Financial Information by Banking Financial Institutions (the IFI Circular) on 1 May 2011. The PBOC Shanghai branch further issued the Circular on Issues Relating to the Protection of Personal Financial Information by Banking Financial Institutions (the Shanghai Circular) on 18 May 2011. The protections under the IFI Circular and the Shanghai Circular are administrative law in nature and, therefore, cannot be waived by bank clients by consent. 

    3. Prohibition on cross-border transfer of IFI

    The IFI Circular prohibits PRC banks (including PRC subsidiaries and branches of foreign banks) from disclosing individual financial information (IFI) to an offshore entity. IFI broadly includes personal information on identity, property, bank account details, credit and financial transactions and so on, obtained by a bank during the course of its business or while accessing the PBOC’s system.

    The Shanghai Circular clarifies that IFI also includes any information regarding any individual (such as the legal representative) of a corporate client of the bank.

    4. Exceptions

    Certain exceptions to the above prohibitions are available under the Shanghai Circular:

    A Disclosure of IFI by a bank to its offshore parent or subsidiary is allowed if (i) such disclosure is necessary for the client or individual to conduct the relevant transactions and (ii) written authorisation is obtained from the individual. The PRC bank making the disclosure must ensure that its offshore parent or subsidiary keeps the IFI received confidential.

    B With respect to a branch of a foreign bank using the system of its offshore headquarters or affiliate to store, process or analyse the IFI of the bank's clients outside China, the Shanghai Circular requires the following conditions to be satisfied: (i) written authorisation is obtained from such clients; and (ii) the offshore headquarters or affiliate shall have adopted relevant security measures to safeguard the relevant IFI, and the headquarters (in the name of the bank as a legal person entity) shall bear the liabilities.

    Other than the above, we are not aware of any statutory exemptions that allow PRC banks to transfer IFI offshore (whether or not such transfer is in response to the request of a foreign authority). In a contentious context, group-wide internal investigations and reviews relating to foreign sanctions may not be considered "necessary for the client/individual to conduct the relevant transaction", meaning that exception (A) above would not apply in this scenario. This view is further supported by the ICJAL discussed below.

    Judicial Assistance on Criminal Matters

    On 26 October 2018, the National People’s Congress of the PRC promulgated the International Criminal Judicial Assistance Law (the ICJAL). The ICJAL applies only to criminal matters, not to civil or administrative matters.

    The ICJAL sets out the relevant requirements on the processes for obtaining assistance and evidence in criminal matters on a cross-border basis. More specifically, the ICJAL applies where entities and individuals outside of China seek assistance from those in China, or China-based entities and individuals seek assistance from those in other countries, including service of documents, evidence collection, witness testimony, freezing, seizure and confiscation of assets, and transfer of convicted persons.

    The ICJAL requires that all such assistance in criminal proceedings be routed through a “competent authority” of the assisting state pursuant to the provisions of the ICJAL[1], or, if there is already in place a judicial assistance treaty on criminal proceedings between China and the relevant state (eg, the China-US Agreement on Mutual Assistance in Criminal Matters signed between China and the United States in 2000), pursuant to the requirements under such treaty.

    The purpose of the ICJAL is partially to serve as a gap-filler for countries with which China does not have a judicial assistance treaty on criminal proceedings. In addition, according to the official report of the drafting commission of the ICJAL and the press conference at which the ICJAL was made public, one of the main purposes of the ICJAL is to “effectively restrict foreign countries from exercising ‘long-arm jurisdiction’, particularly where foreign criminal enforcement authorities request information directly from China-based organisations and institutions”.

    The ICJAL applies to individuals and entities located in China, and activities of evidence production taking place in China.

    Article 4 of the ICJAL provides, among other things, that unless approved by the relevant competent authorities, no foreign entity, organisation or individual may carry out any activities for the purpose of foreign criminal proceedings within the territory of China, and no entity, organisation or individual located in China may provide evidential materials or assistance to any person in foreign countries.

    This seems to suggest that a Chinese entity is prohibited from providing evidence, testimony or other forms of assistance in criminal proceedings initiated outside China without approval of Chinese competent authorities. The wording is sufficiently broad to include the situation where a China-based subsidiary of a multinational company provides any of such assistance to its offshore parent, including but not limited to an internal investigation scenario, if such assistance is related to any foreign criminal proceedings.

    The ICJAL does not contain penalties for violations. In practice, however, it is possible that the PRC regulators may frame a violation under existing regimes such as data privacy or state secrecy and impose the relevant penalties thereunder.

    As the ICJAL is still at an infant stage, there is no precedent yet to provide more insight into how the PRC regulators will enforce against any violation. It is also not clear, for example, whether the ICJAL implies a duty to inquire where a PRC-based entity or individual provides assistance to a foreign investigation without knowing that the investigation involves or may involve a criminal aspect.

    State secrecy

    The restrictions contained in the PRC laws and regulations on state secrecy would be triggered to the extent that the relevant personal information constitutes state secrets.

    Under the PRC Law on Protection of State Secrets (the State Secrets Law) as amended on 29 April 2010, the term "state secret" is broadly defined to mean matters which are related to national security and interest, determined in accordance with legal procedures, and may only be disclosed to limited persons within a certain period of time.

    The State Secrets Law provides a list of matters and information that can be classified as state secrets. Such matters and information, if disclosed, may impact China’s security and interest in key areas such as politics, economy, defence and foreign affairs. 

    The National Administration for the Protection of State Secrets (the NAPSS) and the relevant government agencies have the power to determine and classify state secrets related to specific areas. NAPSS and the relevant governmental agencies may authorise non-governmental agencies such as state-owned enterprises (SOEs) to determine and classify state secrets generated from, received or possessed by such enterprises.

    State secrets, if so determined, can be classified as "top secret", "secret" or “confidential”.

    According to article 16 of the State Secrets Law, no state secrets should be disclosed to any person unless the disclosure is necessary for carrying out the relevant activity and has been approved by the Relevant Authority in charge (ie, the NAPSS or the relevant governmental agencies) (the Relevant Authorities).

    According to article 30 of the State Secrets Law, if an entity needs to disclose state secrets in its communication or cooperation with foreign entities, or any foreigners engaged by the entity need to know state secrets, such entity shall apply to the Relevant Authority for approval of the proposed disclosure, and sign confidentiality agreements with the recipient of the information.

    According to articles 21 and 25 of the State Secrets Law, the preparation, receipt, delivery, use and reproduction of state secret carriers (eg, paper, optical and magnetic media) should comply with the relevant regulations on the protection of state secrets. No person may carry or transmit any state secret carriers out of China without the approval of the Relevant Authority.

    Under the Implementation Provisions of PRC Law on Protection of State Secrets issued by the State Council on 14 January 2014, an entity procuring services involving state secrets must determine the class of the confidential information in accordance with PRC laws, regulations and standards, and request the service provider to keep state secrets confidential and sign a confidentiality agreement with the service provider.

    Under normal circumstances, state secrets are highly unlikely to be involved during the course of ordinary business. However, the risk may increase where the data subject is a Chinese government agency or SOE, especially in certain industries sensitive to Chinese national security or national interests. Such sensitive industries may include infrastructure, energy and resources (including nuclear power), transportation, iron and steel, banking, export credit, technology and major equipment manufacturing.

    Please note that the restrictions under the State Secrets Law cannot be waived by consent other than the approvals of the relevant authorities described above.

    Blocking statute

    According to the Interim Administrative Measures on Seizures over Assets relating to Terrorism Activities issued jointly by the PBOC, the Ministry of Public Security, and the Ministry of State Security on 10 January 2014 (the PBOC 2014 Notice), where a foreign authority intends to request client identity data or transaction data from certain financial institutions or designated non-financial institutions in the PRC, for reasons of anti-terrorism investigation, the relevant institutions must advise the foreign authority to make the request through diplomatic or judicial assistance channels. The institutions concerned must not provide the data to the foreign authority unless this requirement is complied with.



    [1] In the case of China, five authorities are designated as the “competent authorities” according to article 6 of the ICJAL, namely the National Supervisory Commission, the Supreme People's Court, the Supreme People's Procuratorate, the Ministry of Public Security and the Ministry of State Security.

3. What can constitute personal data for the purposes of data protection laws?

There is no single definition of personal data in the PRC. The type of information that the various legislative provisions apply to depends on the nature of the activity in question.

    The General Principle Rules of Civil Law does not provide a definition of ‘personal information’.

    The Consumer Protection Law applies to information collected by a business operator in the course of providing products and/or services to a consumer. This includes their name, gender, occupation, date of birth, ID number, residence address, contact information, income and assets, health situation, expenses and such other information that may make the consumer identifiable, either individually or in combination with other information.

    The PRC Cyber Security Law defines “personal information” as information recorded in electronic or other forms that, either alone or in combination with other information, may identify an individual. Such information includes an individual’s name, date of birth, ID number, address, phone number, account number, passcode, and so on. 

    The Decision protects Electronic Personal Information as defined above. Under the Provisions on Application of Laws in Hearing Disputes relating to Tortious Activities Damaging Rights and Interests of Individuals by Using Information Networks issued by the Supreme People’s Court on 21 August 2014 (the Judicial Interpretations), personal information protected under the Decision includes personal privacy of an individual such as genetic information, medical history, physical history, criminal record, residence address, private activities and other personal information.

    The TMT and Internet Information Protection Rules apply to the information of users collected by service providers during the course of providing the relevant services. This includes information that may identify the user or the timing and location of their access to the relevant services, either alone or in combination with other information. This information would include the individual’s name, date of birth, ID number, address, phone number, account number, passcode.

    The IFI Circular and the Shanghai Circular protect IFI, as defined at question 2.

4. Does personal data protection relate only to natural persons or also legal persons?

The term “personal information” is defined to refer only to information relating to natural persons (individuals). As such, to the extent that a provision refers to personal information, such reference is addressed to information relating only to natural persons (individuals). However, whether a specific provision only covers personal information or extends to information of entities should be assessed against the exact wording of such a provision. For example, the protection of the information generated and collected by CIIs under the PRC Cyber Security Law also covers other “important data”; the protection under the Commercial Bank Law covers information of “depositors”, which include corporate clients of banks; the protection under the State Secrets Law and related legislation covers both individual and entity information. It is also notable that certain personal information includes personal information of individuals relating to entities, such as the IFI protected under the IFI Circular.

5. To whom do data protection laws apply?

The Consumer Protection Law applies to "business operators" that transfer personal information. A business operator is not defined in the statute, but one view is that, in practice, the relevant companies are limited to those based onshore in the PRC. However, if any offshore business operator is deemed as carrying out business in China, it would be subject to the PRC licensing regime and may also fall within the framework of the Consumer Protection Law. This is a separate topic that we will not further address here.

    The PRC Cyber Security Law applies to CII operators and network operators for the relevant purposes described in question 1. Please note that, for the security assessment required by Article 37 of the PRC Cyber Security Law on the cross-border transfer of personal information or important data, various draft measures have been published for comments on this issue and some have extended the security assessment requirement to cover not only CIIs but also network operators in general. It is unclear whether the official rules to be promulgated will actually expand the application of this requirement.

    The Decision applies to network service providers and other businesses that collect or use individual electronic information in the course of their business. 

    The TMT and Internet Information Protection Rules apply to "service providers". This term is defined broadly as any telecommunication or internet information service provider approved by the regulator to provide telecommunication or internet information services and that may receive personal information from customers when providing these services.

    The Commercial Bank Law and the IFI Circular apply to PRC incorporated banks or foreign bank branches set up in China.

    No distinction is made in any of the above provisions between data controllers and data processors.

6. What acts or operations on personal data are regulated by data protection laws?

There is no specific definition of the acts regulated in the relevant laws. They regulate all aspects of the collection and use of personal information.

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

The obligations on the person controlling the data vary depending on the circumstances and the particular law that applies as a result.

    Under the Consumer Protection Law, the business operator’s obligations are as follows:

    • it must expressly inform a consumer of the purposes, methods and scope of the collection and use of their personal information;
    • it must be genuinely necessary to collect or use the personal information;
    • the business operator must obtain the data subject’s consent and must not breach the terms of any agreement by which it obtains such consent;
    • the business operator and its employees must keep the consumers’ personal information strictly confidential and must not transfer it to others; and
    • mitigating measures must be taken immediately where confidence is broken or the personal information is damaged or lost.

    The obligations of network operators to ensure the proper processing of personal information under the PRC Cyber Security Law are substantially the same as those under the Consumer Protection Law described above.

    To comply with the Decision, network service providers must:

    • provide the user with information on the objective, methods and scope of the collection of their data and its use, including making collection and use rules public;
    • obtain the consent of the data subject to the use and collection of the information and not breach the terms of any agreement on this subject;
    • ensure that all staff strictly protect the private information of the users collected in the course of their business activities and do not divulge, distort or damage the information, or illegally provide it to other persons; and
    • adopt remedial measures immediately where the information is divulged, damaged or lost.

    The Judicial Interpretations supporting the Decision provide that if an information network user or service provider uses the information network to disclose personal information of an individual and this use causes damage, a claim for damages should be supported by the Chinese court, unless one of the following applies to the disclosure:

    (a) The individual has given written consent and the disclosure is within the agreed scope;

    (b) To promote the public interest and it is within the necessary extent;

    (c) For purposes of academic research or statistics in the public interest by schools and research institutions, with the individual’s written consent, and where the manner of disclosure is not sufficient to identify the specific individuals;

    (d) The information self-disclosed by the individual or other personal information that has been lawfully disclosed on the internet;

    (e) The personal information obtained by lawful channels; and

    (f) As otherwise provided by law or administrative regulations.

    If personal information referred to in item (d) or (e) above is disclosed in a way that breaches public interests or morality or if it would damage the significant interests of an individual, the court should support any request from an individual that the service provider be held liable. 

    To comply with the TMT and Internet Information Protection Rules, a TMT business operator or internet information service provider must generally follow the principles of legality, legitimacy and necessity. It is liable for information security, where it collects or uses personal information in the delivery of the service.

    Additionally, a TMT business operator or internet information service provider must:

    • establish policies in relation to the collection and use of users’ personal information and publish these policies on the internet and in its business locations;
    • obtain the user’s prior consent to the collection and use of their personal information and inform the user of the purpose, method and scope for the collection of their information, including the consequences if the user does not provide the information;
    • avoid collecting personal information that is not necessary for their services or use personal information in a way that is irrelevant to their services;
    • avoid collecting personal information by disguise, cheating or coercion, or in a way that breaches laws, regulations or any agreements with the users;
    • stop the collection and use of personal information from the relevant users when its provision of the service ends and allow the users to revoke their records;
    • supervise any outsourcing that involves individuals’ private information to ensure that the service provider complies with these requirements; and
    • ensure that all personal information is kept confidential.

    One view is that any business conducting any kind of electronic service should behave as if the TMT and Internet Personal Information Protection Rules apply to it.

    The obligations of banks to ensure bank confidentiality and the obligations for relevant entities to protect state secrets have been described in question 2.

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

We are unaware of any PRC laws or regulations providing guidance on the collection of non-locally generated data to or within China. Since the Chinese data protection regime is sourced from a complex web of different legislation (as explained at question 1), each aspect of a company’s data protection obligations should be assessed separately.

    1. The General Principle Rules of Civil Law and PRC Tort Liability Law

    The right to the protection of personal information under the General Principle Rules of Civil Law and PRC Tort Liability Law is considered a personality right in PRC law. According to the PRC Law on Choice of Law for Foreign-related Civil Relationships issued by the SCNPC on 28 October 2010, the applicable laws on an individual’s personality rights should be the laws of the ordinary residence of the individual. To the extent that the data subject’s ordinary residence is outside China, the protections of personal information under the General Principle Rules of Civil Law and the PRC Tort Liability Law should not apply. However, if the data subject’s ordinary residence is in China, since the right of personal information under the General Principle Rules of Civil Law and the PRC Tort Liability Law is considered a civil law right in nature, such right may be waived by the data subject by consent.

    2. The Consumer Protection Law, the PRC Cyber Security Law (in respect of personal information collected by network operators), the Decision and the TMT and Internet Information Protection Rules, and the Commercial Bank Law

    Despite the absence of an explicit exception, it is generally believed that data generated outside China is not intended to be the focus of the protections under these rules.

    1. The PRC Cyber Security Law (in respect of personal information collected by CII operators), the IFI Circular and the Shanghai Circular, and the PBOC 2014 Notice

    For other rules regulating or restricting cross-border transfer of information from China to offshore as discussed in questions 1 and 2, the relevant provisions under these rules are aimed to regulate cross-border transfer of PRC locally generated data offshore, they should be irrelevant to collecting and transferring non-locally generated data to or within China.

    1. The State Secrets Law

    The State Secrets Law also applies to those state secrets generated outside China. In the case that any such information needs to be collected and transferred to and within China, the requirements described in question 1 should be satisfied. This means that the collection and transfer are (i) necessary for carrying out the relevant missions, (ii) have been approved by the Relevant Authority, and (iii) assured that the carriers of state secrets complies with the requirements under the State Secrets Law.

  17. 9.

    Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

  18. Under the TMT and Internet Information Protection Rules, TMT business operators or internet information service providers that engage third parties to conduct marketing, technology services or other client-facing services involving the collection or use of users’ personal information must supervise and manage the safeguards applied to such personal information by those third-party service providers. Service providers that fail to satisfy the personal information safeguard requirements under the rules must not be used.

    In addition, certain outsourcing related legislation may apply where third parties are involved in data processing. Chinese outsourcing laws are outside the scope of this questionnaire.

  19. 10.

    Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

  20. It is essential to obtain the consent of the data subject to the processing of their data. However, for personal information collected by network operators under the PRC Cyber Security Law, anonymisation may be adopted as an alternative, provided that the original information can no longer be recovered and the remaining information can no longer identify the data subject.

    Under the Consumer Protection Law, the PRC Cyber Security Law, the Decision and the TMT and Internet Information Protection Rules, for consent to be sufficiently informed, the data subject must be informed of the purpose, method and scope of information collected and the policies that relate to data collection and usage. There is otherwise no prescribed form for the data subject’s consent. 

    Under the IFI Circular, for consent to be sufficiently informed, the data subject must be informed of the scope of information and the circumstances under which the data processing or transfer may occur. The bank should also highlight the implications of such authorisations in noticeable places and remind clients of such alerts when the relevant contracts are entered into.

    For the avoidance of doubt, the following restrictions cannot be waived by data subjects by consent: the restrictions under the PRC Cyber Security Law in respect of cross-border transfer of personal information generated and collected by CII operators, the restrictions under the IFI Circular and the Shanghai Circular in relation to cross-border transfer of IFI, the restriction on providing cross-border assistance to a foreign criminal matter under the ICJAL and the restrictions on disclosing state secrets under the State Secrets Law.

    One view is that neither the consent of the data subject nor the fact that the transfer is required by a foreign authority or for internal or external investigation purposes is sufficient to permit the relevant information to be transferred to another jurisdiction. This is supported by the ICJAL in respect of foreign criminal matters. That said, for non-criminal matters, PRC regulators may be willing to take a relatively pragmatic view of the difficulties encountered by CII operators or banks in investigations on a case-by-case basis; it is therefore advisable to consult the relevant regulators where cross-border transfer of data is necessary for the investigation.

  21. 11.

    If not mandatory, should consent still be considered when planning and carrying out an investigation?

  22. The consent of the data subject is usually mandatory when planning an investigation (see question 10).

  23. 12.

    Is it possible for data subjects to give their consent to such processing in advance?

  24. Consent may be given through general terms and conditions or through the terms of use of a website, as long as it is accepted by the data subject and is sufficiently generic to cover the relevant data processing.

  25. 13.

    What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

  26. Under the PRC Cyber Security Law, individuals have the right to request that a network operator erase their personal information if they discover that the network operator collects or uses it in breach of laws, regulations or any agreement between them. Individuals may also ask the network operator to correct their personal information if it contains any mistakes. The network operator should remove or correct the personal information at the data subject’s request.

    The PRC Cyber Security Law also requires that network operators establish policies and systems to handle cyber security related complaints, and publish details of how to complain and how complaints will be received and handled in a timely manner. 

    Under the TMT and Internet Information Protection Rules, the channels for querying or correcting personal information, among other matters, must be notified to users of TMT business operators or internet information service providers when obtaining users’ consent to the collection and use of their personal information. TMT business operators and internet information service providers must also establish policies and systems to handle user complaints, provide effective contact details for that purpose, and reply within 15 days of receipt of a complaint.

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

  27. 14.

    How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

  28. We are unaware of any PRC legislation providing any guidance on how law firms and legal process outsourcing firms are generally characterised under Chinese law. In general PRC legislation does not distinguish between data controllers and data processors.

    Disclosure to professional advisers is not explicitly set out as an exception to the data protections described above. One view is that disclosure to professional advisers, especially those based in China and subject to an obligation of confidentiality, may not breach data protection rules. Additional risk mitigation measures, such as anonymisation, may also be helpful when information is disclosed to professional advisers.

    A separate analysis would be needed taking specific factual patterns into account in an unusual case where state secrets were involved.

  29. 15.

    Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

  30. We are unaware of any additional legislation regulating the disclosure of data to third parties in the PRC for this purpose.

  31. 16.

    What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

  32. Our discussions above apply equally to cross-border transfers of data to third parties.

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

  33. 17.

    Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

  34. The PRC Cyber Security Law, the Decision and the TMT and Internet Information Protection Rules generally require that network operators, network service providers or TMT business operators or internet information service providers (as the case may be) co-operate with any investigation or inspection by regulators of the TMT and cyber security sectors. Regulations in various specific industries, such as financial services, may contain similar requirements. That said, we are unaware of any generic exception on transferring personal data to PRC regulators or enforcement authorities. Such a transfer may be an implicit exception, though for prudence, one view is that consent of the data subject should be drafted in a way that is sufficiently generic to include such disclosures. A separate analysis would be needed taking specific factual patterns into account in an unusual case where state secrets are involved.

  35. 18.

    Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

  36. Please refer to our comments in question 10 and our discussion of the ICJAL and blocking statute in question 2.

  37. 19.

    What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

  38. For non-criminal related matters, one view is that the consent of the data subject should be sufficiently generic to include data transfer to regulators. Anonymisation and pseudonymisation are considered significant mitigation measures. The local regulator and the regulator requesting the data transfer should be consulted, to the extent reasonably practicable. Those with knowledge of the data should be kept to a minimum and should sign confidentiality undertakings, as should the relevant service providers. Facilities for the storing, processing and transferring of relevant data should be secure to safeguard such data from damage, loss or leakage.

    For criminal related matters and if the request was from a foreign authority, then in addition to the above considerations, the specific requirements under the ICJAL and/or any applicable judicial assistance treaty on criminal proceedings should be followed depending on the specific assistance that is sought by the foreign authority.

  39. 20.

    What are the sanctions and penalties for non-compliance with data protection laws?

  40. Criminal liability

    Any collection, use or transfer of personal information in breach of the PRC Cyber Security Law, the Decision, the TMT and Internet Information Protection Rules, the Commercial Bank Law, the IFI Circular or the Shanghai Circular may constitute a criminal offence. The maximum penalty is imprisonment for up to seven years or a fine. Offences that attract a severe penalty include selling, stealing or illegally obtaining the personal information of Chinese citizens.

    There is no criminal liability for breach of the Consumer Protection Law to the extent that the breach itself is not considered a crime elsewhere in Chinese criminal law.

    Unlawful collection, disclosure and cross-border transfer of state secrets may result in criminal sanctions. Article 111 of the PRC Criminal Law provides that it is a criminal offence to steal, secretly gather, purchase or illegally provide state secrets or intelligence for an organisation, institution or person outside China. A person who commits any of these acts may be sentenced to between five and 10 years’ imprisonment. If the offence is severe in nature, the person may be sentenced to life imprisonment. If the offence is less severe in nature, the person may be sentenced to less than five years’ imprisonment, criminal detention or public surveillance.

    According to article 398 of the PRC Criminal Law, a person who is in serious breach of the State Secrets Law by deliberately or negligently disclosing state secrets is subject to no more than three years’ imprisonment and, if the breach is severe, to imprisonment of three to seven years.

    Administrative liability

    Breach of the Cyber Security Law or the Consumer Protection Law can lead to correction orders, the confiscation of unlawful gains, fines, or the suspension or revocation of a business licence. Breach of the Decision or the TMT and Internet Information Protection Rules could lead to warnings, fines, the confiscation of unlawful gains, cancellation of permits, closure of websites and prohibitions on any personnel held to be liable.

    The Commercial Bank Law does not expressly provide penalties specifically for the breach of banking secrecy. In practice, breach of the Commercial Bank Law generally results only in an order from the CBRC (now the CBIRC, the China Banking and Insurance Regulatory Commission) to rectify the breach. Article 89 generally provides that where a bank violates the provisions of the Commercial Bank Law (without further specifying the acts of violation), the CBIRC has a broad power to:

      • temporarily or permanently disqualify the directors or senior management personnel directly responsible for the violation from their positions; or
      • prohibit the directors or senior management personnel and any other persons directly responsible for the violation from holding their post for a certain period of time; or even permanently ban them from undertaking banking work (in specific circumstances).

    Where the violation does not constitute a criminal offence, the directors or senior management personnel and any other persons directly responsible for the violation may be given warnings or issued with a fine of up to 500,000 yuan. 

    According to article 10 of the IFI Circular, the PBOC may take the following measures in the event of any violation of the IFI Circular or the Shanghai Circular, or any other failure by a bank to fulfil its obligation to protect IFI:

      • request an explanation of the violation from the senior management of the bank;
      • if possible, order the rectification of the violation by the bank;
      • publicise the non-compliance within the financial sector;
      • recommend that the bank punish the senior management or other personnel directly responsible for the violation; or
      • submit the violation to the courts if a crime is committed.  

    Under article 11 of the IFI Circular, if the violation is committed using the credit information system, payment system or other systems of the PBOC and the relevant bank refuses to rectify it, the PBOC may suspend the bank from using those systems or prohibit its newly established branches from accessing them.

    Breach of the State Secrets Law may give rise to administrative disciplinary actions, which are primarily imposed on governmental agencies and their officials. In the absence of any express provision under the State Secrets Law, such actions should not apply to private entities or their staff members, and we are unaware of legislation providing administrative sanctions applicable to them. There may, however, be other relevant rules that are not available to the public, so it would be difficult to conclude that administrative sanctions will never be imposed on private entities and their staff members in breach, even though that appears to be the position under the key legislation.

    Civil liability

    A civil claim can be made by a data subject who has suffered harm as a result of unlawful processing. Damages and injunctive relief are both available.

    The ICJAL does not contain penalties for violations. In practice, however, PRC regulators may frame a violation under existing regimes such as data privacy or state secrecy and impose the relevant penalties under those regimes.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

  41. 21.

    What are the continuing obligations on the original data controller that apply in an investigation?

  42. The discussions above apply equally to the continuing obligations of the original data controller.

  43. 22.

    What are the continuing obligations on any intervening data controller that apply in an investigation?

  44. The discussions above apply equally to the continuing obligations of the intervening data controller.

    RELEVANT MATERIALS

  45. 23.

    Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

  46. We are unaware of any additional materials on these topics other than the legislation set out in the questions above.  
