Where are we now with data protection law in China? (Updated September 2019)

Until recently, China’s data privacy framework was similarly splintered across rules found in various laws, measures and sector-specific regulations. The Cyber Security Law, effective from 1 June 2017, has for the first time introduced a framework for comprehensive regulation of the privacy of electronically stored data. Despite this, the Cyber Security Law has only added further complexity to the system, and other sources of law also remain in effect. As with many significant Chinese laws, the Cyber Security Law sets up a multi-layered pyramid of implementing regulations and measures, guidance notices, national and technical standards, narrowing to highly granular rules at the top. As of the date of this post, much of this interlocking matrix remains in draft form, with substantial changes still being made between versions.

The Cyber Security Law included for the first time a comprehensive set of data protection provisions in the form of national-level legislation. The law is of general application to personal data collected over information networks. Numerous draft regulations, guidelines and other subsidiary measures have since been promulgated, most of which have still to be finalised.

Since the start of 2019, further draft amendments have been published, some of which represent a significant shift from the previous versions. In general these draft amendments propose a greater degree of regulatory oversight in the key areas, including with regards to the transfer of personal data (and other forms of data) out of China. In the meantime, the government is reported to be worked on a new omnibus data privacy law, but details remain scarce at this time.

Meanwhile, a detailed national standard known as the Personal Information Security Specification (the PI Security Specification) entered into effect on 1 May 2018. This non-binding guideline contains detailed requirements on data handling and data protection. No direct penalties apply for a contravention of the PI Security Specification. However, Chinese government agencies are known to apply the Specification as an important measure of compliance with China’s formally binding data protection rules, including those contained in the Cyber Security Law. Two drafts of proposed revisions to the PI Security Specification were issued in January and June of 2019.

This briefing summarises the most important personal data privacy provisions now in effect or published in draft.

Data protection obligations under the Cyber Security Law

The Cyber Security Law imposes data privacy obligations on network operators. The term ‘network operator’ includes both owners and administrators of a network as well as network service providers.

A ‘network’ is defined as any system that consists of computers or other information terminals, and related equipment for collecting, storing, transmitting, exchanging and processing information.

Accordingly, the data privacy provisions in the Cyber Security Law apply to all organisations in China that provide services over the internet or another information network. The prudent view is that internal networks and systems, such as company HR systems, are caught as well.

Definition of personal data

The Cyber Security Law defines personal data as information that identifies a natural person either by itself or in combination with other information. The term includes a person’s name, address, telephone number, date of birth, identity card number and biometric identifiers.

Data collection and processing

Network operators are prohibited from collecting personal data that is not relevant to the services they offer.

Before collecting personal data from an individual (the data subject), a network operator is required to explicitly inform the individual of the purpose, means and scope of the collection and use of their data, and obtain their consent for collection. Any processing of personal data must be done in accordance within the scope of those consents. The purpose limitations under the Cyber Security Law are thus entirely consent-based.

It is unclear whether the same standards are intended to apply to employee information. Various references within the data privacy provisions of the law to the provision of ‘services’ and the making of collection statements ‘public’ indicate that the law may not be intended to capture internal systems. However, the definition of a ‘network’ is certainly wide enough to include internal systems. The policy intent of the law also seems equally applicable to data held on internal systems.

In any event, the Provisions of the Employment Service and Employment Management (in effect since 2008) impose a general obligation on employers to keep employees’ personal data confidential and to obtain written consent before disclosing their personal data to third parties.

Storage and security

The Cyber Security Law requires network operators to keep users’ personal data in strict confidence. This includes an obligation to implement technical measures to monitor and record the operational status of their networks and the occurrence of cyber security incidents.

There is no legal requirement to encrypt personal data collected in China. The PI Security Specification does, however, require organisations to employ enhanced security measures, such as encryption, when storing sensitive personal data.

Draft Ministry of Public Security (MPS) Regulations on the Graded Protection of Cyber Security (the MPS Regulation) issued in June 2018 will require businesses to obtain certification from the MPS if the disruption of their network would result in serious harm or worse to individual rights and interests or harm to public interests or national security. The security classification (on a scale of 1 - 5) will be based on criteria such as the function of the network, the nature of the service offered, the types of data being processed and the potential damage of a security incident, in particular the impact on national and economic security interests.

Networks that the MPS has graded 3 or above (a risk of extremely serious harm to individual rights and interests or serious harm to public interests or national security) will be subject to additional security obligations. These include an obligation to take pro-active measures to monitor and detect cyber threats, develop a specific cyber security protection management platform and incident response plan, report incidents to the MPS and to conduct regular cyber security emergency response drills. The MPS will conduct an audit of every network graded 3 or above at least once per year.

Breach notifications

The Cyber Security Law imposes a mandatory obligation to promptly inform data subjects of a data breach or other loss of personal data. A network operator is also required to report the incident to the relevant sector regulator and to take immediate remedial action.

The MPS Regulations require network operators to report cyber incidents to the local branch of the MPS within 24 hours. There is no de minimis threshold, and the draft Regulations do not specify what the substance of the report ought to be.

The PI Security Specification states that an incident notification must explain:

• the nature and impact of the incident
• the measures taken or to be taken in response
• the practical recommendations for data subjects to minimise the impact of the incident
• the data subjects’ rights and remedies.

The general regulations around cyber security incident reporting will also be applicable. Under the National Contingency Plans for Cyber Security Incidents, which came into effect in January 2017, cyber security incidents will have to be reported to the Cyber Security Coordination Office of the CAC if they relate to:

• important network and information systems that suffer severe system losses, which result in long-term disruption or partial collapse of systems and have a significant impact on the business processing capabilities <!--[if !supportLineBreakNewLine]-->
• the loss or alteration of state secrets , important sensitive information or key data, to the extent that this poses a serious threat to national security or social stability <!--[if !supportLineBreakNewLine]-->
• cyber security incidents that pose a serious threat to or have a serious impact on national security, social order, economic development or the public interest.

Designated personnel

The Cyber Security Law requires network operators to allocate persons responsible for network security as part of their internal security management systems. But the law falls short of requiring organisations to appoint a specific data protection officer. The PI Security Specification does however provide that organisations are expected to designate a person or agent to manage personal data.

Under the PI Security Specification, if an organisation has more than 200 personnel and its main business involves processing personal data, or if the organisation is expected to handle the personal data of more than 1,000,000 people over the next 12 months, then it should establish a department with dedicated staff to handle personal data security.

Responsible persons may have direct personal liability for breaches of the core data privacy provisions under the law.

Transfer of data 

Consent requirement

Under the Cyber Security Law, it is necessary to obtain the informed consent of data subjects to transfer or disclose any of their personal data to a third party (whether within or outside of China).

The latest version of the draft Security Assessment Measures states only that the network operator must inform the data subject of:

• the type of personal data being transferred
• the purpose of the transfer (which presumably implicates also explaining to the data subject who the recipient of the data transfer is and what country they are located in)
• the retention period.

The consent requirement in the Cyber Security Law is, however, overriding. Nevertheless, the lack of detailed requirements for this consent leaves uncertainty as to the nature of the consent that will qualify.

Under the non-binding Guidelines for Cross-Border Data Transfer Security Assessment (the Guidelines for Cross-Border Data Transfer) released by the National Information Security Standardisation Technical Committee (TC260) in August 2017, consent to an overseas data transfer may be implied by an individual’s actions, such as when making international telephone calls, sending international emails or instant messages, and conducting international transactions over the internet. This is extended to other ‘proactive’ (i.e. voluntary) personal actions that indicate that the data subject has consented to the data export. No further examples are given.

The Guidelines for Cross-Border Data Transfer state that transfers of data within an internal cross-border network constitute a data transfer for the purposes of the draft Security Assessment Measures.

Approval needed from the provincial Cyber Security Administration

The latest draft of the draft Security Assessment Measures issued by the Cyber Security Administration (the CAC) marks a significant departure from the previous versions, which had only required operators of ‘critical information infrastructure’ to obtain regulatory approval for transfers of personal data outside of China (except for certain high volume transfers). In contrast, the latest revisions in the draft Security Assessment Measures will require all network operators to obtain approval for all cross-border transfers.

This is a hugely more cumbersome requirement than the self-assessment procedure under the previous drafts and would have wide-ranging implications for international companies.

The data localisation measures for operators of ‘critical information infrastructure’ provided for in the Cyber Security Law’ are discussed below. (Those provisions are already in force.)

What is a data transfer?

While the draft Security Assessment Measures themselves do not define what constitutes a cross-border transfer, under the Guidelines for Cross-Border Data Transfer, a cross-border transfer means any movement of personal data (and other restricted classes of data) outside of China. The Guidelines are explicit that remote access from overseas constitutes a data transfer - even if the data is accessible only in an encrypted environment subject to access restrictions.

When must regulatory approval be obtained?

If the Measure is implemented in the form of the current draft, network operators would need to obtain regulatory approval for each transfer of personal data to a different data recipient. The approving body will be the relevant provincial branch of the CAC.

Separate approval would not be required for repeat (or continuous) transfers of personal data to the same recipient, unless there is a change to the type of data being transferred, the purpose for the transfer or the permitted retention period, which will need to be approved separately. The transferring party will also need to re-apply for approval every two years as a matter of routine.

What should be included in the security assessment application?

When applying for approval, a network operator will be required to submit a self-generated report of the security risks of the proposed cross-border data transfer and detailing the security measures it is taking.

The report will need to explain:

• the business and other relevant details of the network operator and proposed data recipient, and their respective network security capabilities
• the nature of the proposed transfer, such as the number of data subjects and the type of data involved, and whether there will be any onward transfer by the proposed data recipient to any third party
• the risks involved in the transfer and the measures to be taken to secure the data and protect the rights and interests of the individuals involved.

In contrast to the previous drafts, the new draft Security Assessment Measures does not mandate any specific internal governance process for preparing the application.

Data transfer agreement

Additionally, the latest draft of the Security Assessment Measures provides that network operators must enter into a written data transfer agreement with the data recipient, and sets out a number of mandatory terms for the contract. The executed agreement will need to be submitted together with the application for approval of the cross-border transfer.

The agreement will need to set down:

• the purpose and scope of the transfer
• the recipient and the country to which the data will be transferred
• the permitted purposes of use of the transferred data, and impose a maximum retention period.

The agreement will also need to grant the relevant data subject(s) the rights to obtain compensation from the network operator or data recipient (or both) if there is a breach of his or her legitimate rights or interests. The network operator will be responsible for compensating individuals affected by the actions of the data recipient if they are unable to obtain compensation from the data recipient.

The draft Security Assessment Measures require data subjects to be given enforceable rights under the agreement. Although this requirement is not expressly elaborated on, other provisions of the Measures stipulate that the data recipient should be required to:

• comply with data subjects’ exercise of their individual rights (e.g. rights of access, correction and deletion)
• comply with the purpose limitations and maximum data retention periods stipulated in the contract
• destroy personal data on request.

Those obligations must also be set down in the agreement, and the network operator/ transferor must provide a copy of the contract to a data subject on request.

Review by the provincial CAC

Upon receiving an application, the provincial CAC will be required to complete the security assessment within 15 working days, but this can be extended.

In conducting the security assessment, the provincial CAC will be required to take into account:

• whether the contract adequately safeguards the rights and interests of the individuals whose data is being transferred
• if the parties have been involved in any major cyber security incident or other privacy violation
• whether the network operator obtained the personal data in a legal and proper way (see above in relation to the consent requirement).

The provincial CAC will also be entitled to take into account considerations of national security and the public interest. An unsuccessful applicant will be entitled make an appeal to the national-level CAC.

It remains to be seen how the draft Security Assessment Measures will be implemented in practice and whether any consistent practice emerges for withholding or granting approval, and how the provincial CACs will manage the process of evaluating potentially huge numbers of applications especially at the outset.

Further requirements of recording and reporting

Under the latest revised draft Security Assessment Measures, a record of a transfer of personal data overseas must be kept available for inspection for five years. A network operator will be required to make a report of its cross border data transfers to its provincial CACs by 31 December each year.

What if the personal data has been anonymised before transfer?

For personal data, where the data has been fully anonymised (i.e. processed to irreversibly prevent a specific person from being identified and to prevent the personal data from being restored), no approval will be required for cross-border transfers and no security impact assessment will be required.

Suspension powers

The draft Security Assessment Measures allow the CAC to suspend the transfer of personal data following any “large-scale data leakage or data abuse”.

Further data localisation obligation for operators of ‘critical information infrastructure’ 

Operators of ‘critical information infrastructure’ (CIIOs) are already required under the Cyber Security Law to store in China all personal data of Chinese citizens collected over a network. This data localisation provisions has been in force since the law came into effect in 2017.

The Cyber Security Law itself does not contain a definition of ‘critical information infrastructure’. The CAC’s Cyberspace Security Strategy, released on 27 December 2016, defines ‘critical information infrastructure’ as “information infrastructure that affects national security, the national economy and people’s livelihoods, such that, if data is leaked, damaged or loses its functionality, national security and public interests may be seriously harmed”.

The most useful scoping document for ‘critical information infrastructure’ is the CAC’s draft Regulations on the Protection of Critical Information Infrastructure published in July 2017. The following sectors and business areas are deemed to constitute ‘critical information infrastructure’, depending on the degree of impact of a cyber breach:

• energy, finance, transportation, water management, sanitation and healthcare, education, social security, environmental protection and public utilities, etc
• information networks, such as telecommunications, radio and television, the Internet as well as businesses providing cloud computing, big data and other large-scale public information network services
• scientific research and production in fields such as national defence, industrial equipment, industrial chemicals, food and drugs
• radio stations, television stations and other news agencies
• other key operations.

The intention does not appear to be to include every operator within these sectors as CIIOs. Rather, the Regulations also look at the potential impact of a data leak or other cyber attack, such that it is only where the incident “may gravely harm national security, the national economy, the people’s livelihood and the public interest” that the relevant information network is deemed to be critical infrastructure. The open nature of several of the categories also indicates that this list is not intended to be exhaustive, and in practice a very high degree of discretion is preserved for the authorities.

For example, the draft National Security Check Operation Guide issued by the Cyber Security Coordination Bureau of the CAC, effective 1 June 2016, parses the information systems or industrial control systems that support critical business operations within these sectors. The Guide specifies that the following systems could be ‘critical information infrastructure’ within the relevant sectors:

• Websites with more than a million average daily visitors
• Websites where a cyber incident may, for example (i) affect more than a million people or their personal data, (ii) affect more than 30% of the population in a single municipal administrative district, or (iii) result in disclosure of the sensitive information of a large number of institutions or businesses
• Online platforms with (i) more than 10 million registered users or more than one million active daily users, or (ii) a daily average transaction order amount of more than RMB 10 million
• Online platforms where a cyber incident may, for example (i) directly cause economic losses of more than RMB 10 million, (ii) directly affect more than 10 million people or the personal data of more than a million people, or (iii) result in the disclosure of the sensitive information of a large number of institutions or businesses
• Data centres comprising more than 1500 standard racks
• Production businesses where a ‘safety’ incident may (i) affect more than 30% of the population in a single municipal administrative district, (ii) disrupt the access of more than 100,000 people to utilities or transportation, (iii) cause the deaths of more than five persons or more than 50 serious injuries, (iv) directly cause economic losses of more than RMB 50 million, (v) directly affect the personal data of more than a million people, or (vi) result in the disclosure of the sensitive information of a large number of institutions and enterprises.

The data localisation requirement applies to all types of data collected on ‘critical information infrastructure’ and not only to personal data. (CIIOs are also required to obtain informed consent for personal data transfers notwithstanding that they have received regulatory approval.)

Similar requirements exist in relation to overseas transfers of so-called ‘important data’. Important data is data the leakage of which may directly impact national security, economic security, social stability or public health and security, such as non-public government information and information on population, genetic health, geography and mineral resources (per draft Measures on the Management of Data Security issued on 28 May 2019). Important data is outside the scope of this briefing note.

Data localisation requirements in other laws

Data localisation is not a new concept in China. Existing data localisation provisions are contained in sectoral regulations in the banking, insurance and healthcare industries:

• Under a Notice of the People’s Bank of China (the PBoC) effective 21 January 2011, financial personal data relating to Chinese citizens collected within China is required to be stored, processed and analysed within China. Banks in China are not permitted to transfer the personal financial information of Chinese citizens to any other country without the approval of the PBoC except if permitted by separate rules or regulations. The Shanghai branch of the PBoC issued implementing rules (18 May 2011) that clarify that PRC branches of foreign banks may transfer client information to their overseas headquarters, parent bank and subsidiaries for storage, processing and analysis if certain criteria are satisfied.
• The China Insurance Regulatory Commission has issued various regulations requiring business and financial data of insurance companies to be stored within China. Insurance companies are also required to have independent data storage systems and remote backup facilities in China.
• The National Health and Family Planning Commission’s Administrative Measures on Management of Population Health Information (5 May 2014) prohibit the export of personal data by health and family planning institutions in China. These institutions are also prohibited from storing medical information on servers outside of China.

In addition, the recently released draft Measures for the Information Technology Management of Securities and Funds Operators (effective 5 May 2017) propose data localisation obligations applicable to securities and funds operators.

Data protection obligations under the PI Security Specification 

The PI Security Specification lays down non-binding guidelines and does not impose penalties for breach. It is nevertheless a highly regarded source of rules and a reliable means to demonstrate compliance with all of China’s various data protection rules. It was acknowledged that the Specification was drafted with reference to the European General Data Protection Regulation (GDPR).

While many of the provisions in the PI Security Specification are limited to elaborating on basic principles for processing personal data, such as principles of accountability, clarity, consent, data minimisation and proportionality, etc, this note will highlight some of the more concrete provisions that either extend or clarify enforceable obligations in underlying law and regulation.

The draft amendments to the PI Security Specification provide further elaboration on the principle of effective consent, prohibiting ‘bundled consents’ and ‘forced consents’ and requiring a greater level of transparency on targeted advertising. These requirements are also elaborated upon below.

Elaboration of the consent requirement

The PI Security Specification states that an individual’s express consent is required to collect sensitive personal data. The consent must be recorded in writing or through other affirmative action.

On the other hand, Chinese law is effectively silent on the nature of the consent required for the collection and use of personal data that is not sensitive personal data. We are, however, aware that officials have expressed a preference for consent to be given by means of an active expression of intent on the part of the relevant data subject in all circumstances.

The PI Security Specification provides that: “[a]ffirmative action includes the personal data subject, on his or her initiative, making a statement (in electronic form or on paper), checking a box, or clicking “agree”, “sign up”, “send”, “dial”, etc.”

Impact assessments

The PI Security Specification requires entities that process personal data to conduct an impact assessment at least once a year or in conjunction with any major change in their operating model, information systems or following a data security incident. This requirement is more limited than under the GDPR, where impact assessments are generally required for each large-scale data processing project.

The impact assessment should consider, among other things, whether the organisation’s data processing activities have an adverse impact on the lawful rights and interests of individuals, including harm to personal security or reputation, or could lead to discriminatory treatment. Other matters to be reviewed include the effectiveness of information security measures, the risk that a concentration of anonymised and de-sensitised personal data might lead to re-identification and the adverse impact of transfers of personal data.

Sensitive personal data

The PI Security Specification distinguishes between general and ‘sensitive’ personal data. Sensitive personal data is defined as personal data that, if disclosed or illegally processed might endanger personal and property security, damage personal reputation, or physical or psychological health, or lead to discriminatory treatment, etc. Sensitive personal data may include personal ID card numbers, biometric data, bank account numbers, personal communications, credit records, geolocation data and health data, as well as the personal data of children under the age of 14 years.

An individual’s express consent in writing or through other affirmative action is required to collect sensitive personal data (i.e. opt-in). Consent must be fully informed and involve a clear and definitive expression of intent. However, tacit consent is sufficient when collecting personal data that is not sensitive (i.e. non-objection by the individual).

Organisations are not permitted to collect the sensitive personal data of children (under 14 years old) without the express consent of the child’s parents or other legal guardians.

The PI Security Specification also lays down specific requirements for the design of information systems that collect or hold sensitive personal data. Systems should be designed to automatically track the usage of sensitive personal data and provide for encryption.

Data collection and processing

The PI Security Specification requires organisations to make available a detailed and complete privacy policy. The policy should set out the types of personal data collected, the means, frequency and purposes of collection, cookie policy, transfer and disclosure policies, security measures adopted and data subject rights, etc). The statement of purpose must be easily accessible through the use of clear and plain language. Appendix D of the PI Security Specification contains a model privacy policy framework. Appendix C contains a model privacy notice. Their use is not mandatory, but is recommended.

Prohibition of ‘bundled consents’ and ‘forced consents’

The draft amendments to the PI Security Specification require organisations that provide multiple products/ services to obtain individual consents before the start of each service. Where an individual user only chooses to use part of those products/ services being offered, it will not be permissible to seek a ‘bundled’ consent in a single data collection request.

The draft amendments also prohibit the use of other means to obtain a ‘forced consent’ (in the language of the PI Security Specification), such as frequently sending requests (defined as more than once every 24 hours), or refusing to provide the product/ service or lowering its quality after an individual has declined a data collection request.

When providing a product/ service which has more than one ‘function’ (such as map navigation, car booking, instant messaging, social networking, online payment, etc.), the consent interface should categorise between ‘primary functions’ and ‘extended functions’ (to be determined with reference to the provider’s promotional materials and descriptions of its products and services). The provider of the service will need to obtain consent from a user in relation to primary functions and extended functions. The practical implication is that a single tick box covering all features and functionality of a service will usually be non-compliant.

• Separate consent will need to be obtained for newly added primary functions or functions which have been re-categorised as primary functions.
• Before providing extended functions to a user, businesses must notify the user of the extended functions it proposes to provide and the types of personal data that needs to be collected for each. A separate consent should be obtained for each extended function.

Exemptions to the consent requirement

Certain exemptions are made to the consent requirement, such as where the use of the personal data is directly related to criminal investigations and law enforcement. Additionally, unlike in some systems of law, personal data that an individual has voluntarily made public, or which has been legally disclosed to the public (e.g. news reports, data published by the government) is no longer protected.

On the other hand, the most recent draft amendments to the PI Security Specification propose to remove the existing exemption permitting personal data to be collected and used where necessary of fulfil a contractual arrangement with that individual.

New rights of Data Subjects

In addition to the data access and correction rights granted under various laws and regulations, the PI Security Specification has introduced various new rights comparable to the individual rights under the GDPR.

Right of erasure

Data subjects have the right to ask the controller of the personal data to cease all use and to erase personal data if the entity has breached its legal obligations or an agreement with the data subject (comparable to the GDPR’s right to be forgotten). The same right extends to information in the possession of data processors.

Personal data should also be deleted or anonymised when users close down accounts.

Right of data portability

Data subjects also have the right to have personal data ported to a third party if technically feasible to do so (comparable to the GDPR’s ‘right of data portability’). This right is of more limited scope than under the GDPR, applying only to (i) basic personal data and personal identity information, (ii) health and physiological information, and (iii) education and employment information.

The PI Security Specification sets an expectation of 30 days for a response to an access, correction, erasure or data portability request as standard. In contrast, the time limit under the GDPR can be as long as three months, taking into account the complexity and number of requests.

Automated decision making

An appeal mechanism must be provided in relation to automated decisions that directly impact an individual’s rights and interests, including a manual review of the disputed automated decision (a variation on the approach taken under the GDPR with the right not to be subject to automated decision making). The examples given are automated credit rating decisions and screenings of job applicants.

Additionally, an entity processing personal data should:

• conduct personal data security impact assessments during the planning and design phase of any process that is reliant on automated decision making
• conduct personal data security impact assessments at least once a year.

Data processors

Entities that collect personal data are required to conduct a risk impact assessment before engaging a third party data processor, to ensure that the data processor is able to ensure data security. Entities are required to conduct oversight of the processor, including by auditing the processor’s activities.

Processors also have a number of direct obligations under the PI Security Specification. These includes obligations to strictly follow the data controller’s instructions, obtain its authorisation before engaging a sub-processor and to delete all personal data at the end of the engagement.

Incident handling

Organisations should formulate a contingency plan for data incidents and organise incident response training and contingency drills at least once a year.

Data protection obligations under other PRC laws and regulations 

Telecommunications and internet information service providers 

Telecommunications and internet companies are subject to additional personal data protection obligations under the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (effective 16 July 2013).

Telecommunications and internet companies are required to establish a user complaint mechanism and reply to complaints concerning personal data protection within 15 days. They are also required to inform users about the channels through which they may consult and make corrections to their personal data.

Where telecommunications and internet companies transfer personal data to direct user-facing third parties (e.g. for their marketing or technical services), they must supervise the transferee to ensure the protection of the transferred personal data. They must stop collecting users’ data after they have discontinued the service, and provide users with deregistration services.

App providers 

Under the Administrative Provisions on Information Services of Mobile Internet Application Programs (effective 28 June 2016), app providers must clearly indicate to customers if they are collecting geolocation data, accessing address books on their smartphones, or making use of cameras or activating audio recording or other functions, and obtain the user’s consent. The Provisions also prohibit the activation of functions that are unrelated to the service.

On 25 January 2019, the CAC, Ministry of Industry and Information Technology (MIIT), MPS and State Administration for Industry and Commerce (SAIC) jointly issued a Notice on Launching Special Regulations on the Collection and Use of Personal Information for App Violations and Regulations (the Special Regulations Notice). The notice lays down principles requiring app providers to:

• not collect personal data that is not related to the services provided
• display rules for the collection and use of personal data in an easy-to-understand manner
• avoid forced consents in the form of default consents, bundling and interrupting installation, etc.

Building on the Special Regulations Notice, the App Special Governance Working Group issued a draft Behaviour Identification Notice on Apps (the draft Behaviour Identification Notice) on 5 May 2019. Below are some examples that the draft Behaviour Identification Notice put forward of what would be considered unlawful collection and/ or use of personal data by apps:

• having no privacy policy or user agreement, or having a privacy policy or user agreement which does not contain relevant rules for collecting and using personal data
• the privacy policy(s) is obscure, lengthy and cumbersome
• it takes more than four clicks or slides for the user to access the privacy policy from the main function interface
• the types of sensitive personal data being collected are not individually enumerated
• personal data is collected only for the purpose of improving programme functions, improving user experience and directional push (this will not be considered necessary data collection)
• using user information and algorithms to push news, ads, etc., without providing the option for the user to terminate the directional push
• background transfers of personal data when the app is not opened or used
• changing user-set permissions without the user’s consent
• not providing functions to correct and delete personal data, or to cancel the user account
• collecting personal data of minors under the age of 14 without the consent of a parent or guardian, or using that personal data to push personalised ads without such consent.

These requirements are additional to the guidance in the PI Security Specifications.

Most recently, on 8 August 2019, the TC260 published a draft Basic Specification for Collecting Personal Information in Mobile Internet Applications. The key provisions are that apps should:

• not refuse to provide services on the basis that the user refuses to provide personal data other than the minimum data necessary to ensure the normal operation of the service
• not collect non-changeable device unique identifiers (e.g. IMEI numbers, MAC addresses) except for operational security purposes
• obtain explicit consent in relation to the collection of personal data to the extent that they are not necessary to ensure the normal operation of a service
• when users exit the service, cease collecting personal data and delete or anonymise the personal data collected for the service.

Again, these requirements should be treated as additional to those in other measures.

E-Commerce Law

Under the new E-Commerce Law, which came into effect on 1 January 2019, e-commerce operators are required to delete a user’s personal data if they cancel their account unless the terms and conditions of the site allow retention for a longer period.

In addition to the obligations on all network operators under the Cyber Security Law, e-commerce providers must also implement specific technical measures to ensure the security and normal operation of an e-commerce network and to respond effectively to cyber incidents. They must also prepare emergency response plans to manage incidents and report the incidents to the competent authority.

Direct marketing

The Consumer Protection Law (revised with effect on 25 March 2014) prohibits businesses from sending commercial information to consumers that they have not requested or consented to receiving, or if they have expressly objected to receiving the direct marketing.

The Measures for the Administration of Email Services (effective 30 March 2006) prohibit the sending of any email containing commercial advertisements without (i) the recipient’s clear consent, and (ii) including the word ‘Ad’ or the Chinese word for ‘advertisement’ in the email subject. If a recipient subsequently opts out from receiving commercial advertisements, the sender must cease sending them.

In conjunction with the E-Commerce Law, the draft amendments to the PI Security Specification will require E-commerce providers to clearly mark their targeted advertising content as ‘personalised display’ (i.e. personalised content or search results based on analysis of the individual users’ browsing history, interests, transaction records and/ or behaviour pattern) and provide an ‘opt-out’ mechanism for users.

Penalties under the Cyber Security Law

Penalties for infringements of the core data protection provisions of the Cyber Security Law may include a fine of up to 10 times the amount of unlawful gains or a fine of up to RMB 1,000,000. Persons in charge of data protection compliance within an organisation, and other responsible individuals, may be separately subject to a fine of between RMB 10,000 and 100,000, or between RMB 50,000 and 500,000 for serious cases.

The Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (effective 1 June 2018) set out certain circumstances in which the unauthorised collection, transfer or receipt of personal data will constitute a criminal offence under the PRC Criminal Law, and the associated penalties.

For example, the establishment of websites or communication groups for obtaining, selling or transferring personal data can be punished upon conviction by a fine of up to five times the illegal proceeds, and imprisonment for up to three years. A person convicted of illegally obtaining personal data concerning communication records, health information or credit or asset information can be punished by a fine of up to five times the illegal proceeds and imprisonment for up to seven years.

Enforcement landscape 

The enforcement landscape under the Cyber Security Law is still emerging. But in general, enforcement by the central regulatory authorities has been primarily campaign-based, rather than incident-based up to now.

For example, in one of the first regulatory actions in 2017, the CAC, MIIT, MPS and TC260 reviewed the privacy policies of 10 of the largest tech companies in China, and issued several with remediation notices. The CAC called in more than 100 domestic providers of WiFi services in May 2018 for face-to-face meetings at which it set out its expectations for the transparency of data collection and use practices.

In November 2018, the MIIT ordered the removal of all mobile apps that illegal collected personal data after conducting a nationwide investigation. It also ordered 12 companies to disclose their privacy policies and other rules on the collection and use of personal data after conducting a random investigation of 65 different online services and another seven companies (including several tech giants) to establish internal policies on data collection, sharing and destruction.

In a similar fashion, the current regulatory focus on apps has culminated in an inspection of hundreds of popular apps as well as 50 major internet companies and the three national telcos between July and October 2019.