Primary laws and regulations
China began establishing its comprehensive legal regime for privacy, data protection and cybersecurity in 2016, when the Cybersecurity Law (CSL) was promulgated. The regime was substantially completed in 2021 when the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect. The PIPL, DSL and CSL constitute the ‘Three Pillars’ of the legislation, and each has a different focus.
- The PIPL, effective from 1 November 2021, introduced robust and comprehensive rules concerning the processing and protection of personal information. The PIPL adopted many legal principles and rules that resemble those in the EU’s GDPR, but also contains various rules and requirements that are quite different from the GDPR. Therefore, multinational companies with operations in China may not solely rely on GDPR-compliant policies and measures for compliance with the PIPL.
- The DSL, effective from 1 September 2021, applies to the processing of data in any form (records of information, whether electronic or otherwise), but focuses on important data and state core data that have a significant bearing on national security, social stability and public interests.
- The CSL, effective from 1 June 2017, primarily regulates the construction, maintenance, operation and use of connected networks and ensures cybersecurity.
As omnibus laws, the PIPL, DSL and CSL contain rather broad and general rules and requirements with few specific implementation details. The Chinese regulators are in the course of deliberating and enacting implementation regulations and measures to provide the parameters and details of the relevant rules.
Aside from the general rules applicable to business operators in all sectors, there are industry-specific regulations and standards issued by various industry regulators that provide more detailed rules and/or heightened requirements for companies operating in particular lines of business, especially in heavily regulated sectors such as financial services (including banking, securities and insurance), medical and healthcare, automotive, online platforms, etc. Business operators in these industries should also be aware of the additional, sector-oriented data protection requirements.
In addition, there are national or sector-specific standards, specifications or guidelines that lay out the best practices for business operators to follow in their data processing activities in China. While those guidelines are recommendations that do not have force of law, it is commonly acknowledged that the Chinese regulators will refer to them in assessing a company’s compliance with data protection requirements. Those guidelines, therefore, also warrant attention.
There is currently no single designated data protection authority in China. The Cyberspace Administration of China (CAC) is in charge of overall planning, co-ordination and the relevant regulatory affairs, and takes the lead in formulating the implementation regulations and measures under the PIPL, DSL and CSL. Alongside the CAC, various ministries and industry regulators are, and will continue to be, responsible for overseeing and enforcing the requirements relating to privacy and data protection within their respective remits. The main ministries include the Ministry of Industry and Information Technology (overseeing telecommunications and internet business activities (such as websites and mobile applications) as well as the automotive industry), the Ministry of Public Security (the police authority, whose regulatory focus is enforcement of the multi-level cybersecurity protection scheme under the CSL), and the State Administration for Market Regulation (primarily responsible for the protection of consumers’ personal information).
While the CSL, DSL and PIPL primarily apply to data processing activities conducted within China, the PIPL and DSL extended the geographic scope of China’s privacy and data protection regimes to overseas organisations and to data processing activities carried out outside China.
The PIPL applies to processing activities conducted outside of China involving the personal information of individuals in China, where the processing activities: (i) are for the purpose of offering products or services to individuals in China; (ii) analyse or evaluate the behaviour of individuals in China; or (iii) fall within other circumstances stipulated by law. A foreign PIP (personal information processor, the PIPL’s term for what the GDPR calls a controller) that is subject to the extraterritorial application of the PIPL must establish a dedicated organisation or appoint a representative in China, and report its name and contact details to the competent regulators.
The DSL applies to data processing activities conducted outside of China that impair the national security of China, public interests, or legitimate rights and interests of organisations and individuals in China.
Requirements applicable to cross-border data transfers and data localisation
Pursuant to the PIPL, the transfer of personal information abroad must be for genuine business needs, the exporting controller must ensure that the foreign recipient’s processing meets the level of protection required under the PIPL, and at least one of the following conditions must be satisfied (to the extent applicable):
- (i) Critical information infrastructure operators (CIIOs) and (ii) controllers processing personal information in aggregate volumes exceeding certain thresholds (anticipated to be set at the personal information of more than one million individuals) are required to store and process personal information and (where applicable) important data within China, and must generally undergo and pass the CAC-administered security assessment before exporting personal information or important data overseas.
- A controller exporting personal information may need to obtain a personal information protection certification from an eligible institution in accordance with the CAC regulations (to be issued). Details of the circumstances triggering certification, the certification requirements, and the scope of qualified certification institutions are currently unclear and require further clarification.
- An exporting controller may need to enter into a contract with the foreign recipient governing the export of personal information, based on a standard contract to be issued by the CAC. This is likely to become the default mechanism for controllers that are not subject to the security assessment.
Penalties for breach
Similar to the GDPR, the PIPL imposes significant penalties for serious breaches, measured in proportion to the annual turnover of the institutional offender. For a severe violation of the law, or for a failure to implement required data security measures, fines can be up to the greater of (i) RMB50m or (ii) 5% of the offending entity’s turnover in the preceding year. Additional administrative sanctions may also be imposed.
An institutional offender may further face civil claims brought by the affected individuals or, where the offender has infringed the rights and interests of many individuals, public interest litigation brought by the people’s procuratorate or other competent institutions. In civil proceedings the burden of proof is reversed: the PIP must prove that it was not at fault.
Criminal liability may arise where a breach involves malicious acts (such as the illegal sale of personal information) and has severe consequences.
The PIPL, DSL and CSL jointly form the framework of China’s privacy and data protection regime and have ushered it into a new era. That said, many of the detailed rules under these laws are still under deliberation by the Chinese regulators, and a string of implementation regulations and measures can be expected to be announced and take effect in the foreseeable future. Multinational companies with operations in China are advised to keep close track of these developments to ensure timely compliance.