Data Protection Regulation in China

The protection of private information was a serious concern long before the digital age. More often than not, governments prefer to limit their citizens' privacy, justifying their actions with counter-terrorism measures and the dangers of war, or simply because the country's regime permits such restrictions. IDM is the next step in data protection: powered by its own patented data protection technology, SIZE, we are preparing to launch a global decentralised ecosystem that connects users who want to store information safely with miners who provide memory on their devices to earn income. In this series of articles, we introduce you to the development of data security through the ages. This week's feature: data protection in China.

At the time of writing (early 2018), there is no comprehensive data protection law in the People's Republic of China ('PRC'). Instead, rules relating to personal data protection are scattered across various laws and regulations. Generally speaking, provisions in laws such as the General Principles of Civil Law and the Tort Liability Law may be read as protecting personal data under the right of reputation or the right of privacy, but no such interpretation is made explicit in those laws.

2017 was a ground-breaking year for cybersecurity and data privacy in the PRC. The PRC Cybersecurity Law, adopted by the Standing Committee of the National People's Congress on 7 November 2016 and effective from 1 June 2017, became the first national-level law to address both cybersecurity and personal data protection.

Alongside the Cybersecurity Law, the following form the backbone of the general data protection rules currently in force in the PRC:

  • The Decision on Strengthening Online Information Protection (Promulgated and effective on 28 December 2012; the ‘Decision’) adopted by the Standing Committee of the National People’s Congress;
  • National Standard of Information Security Technology — Guideline for Personal Information Protection within Information System for Public and Commercial Services (promulgated 05 Nov 2012 and effective on 01 February 2013, GB/Z 28828–2012; the ‘Guideline’) as published by General Administration of Quality Supervision, Inspection and Quarantine of China and Standardization Administration of China.

The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities and other organisations, and ensure national security and the public interest. The Decision has the same legal effect as a law. The Guideline, by contrast, is only a technical guide and thus not legally binding, but it is considered important for two reasons: its scope extends to any "processing of personal information through information systems" (not necessarily connected to the Internet), and it covers in detail key issues such as data exports, sensitive data, data subject access and the right to rectification. Given the lack of binding laws and regulations that provide detailed guidance on data processing, the Guideline is a useful reference, and compliance with it is recommended as good practice.

In addition to these general data protection rules, provisions in other laws and regulations may apply depending on the industry or the type of information at issue (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). Examples include (this is not an exhaustive list):

  • The Criminal Law of the People’s Republic of China prohibits sale or illegal provision of, or illegal access (such as theft) to citizens’ personal information;
  • Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (promulgated on 21 August 2014, and effective on 10 October 2014), which are applicable to Internet users and Internet service providers who use information networks to infringe the privacy rights of a third party;
  • The Provisions on Telecommunication and Internet User Personal Information Protection (promulgated on 19 July 2013 and effective on 1 September 2013), which are applicable to telecom and Internet service providers;
  • The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions, which apply to banks that outsource information technology services;
  • The Consumer Rights Protection Law of the People's Republic of China (promulgated 25 October 2013 and effective on 15 March 2014; the 'Consumer Protection Law') contains data protection obligations that apply to most if not all types of businesses that deal with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (promulgated in January 2015; the 'Consumer Protection Measures'). Further, the draft Implementation Regulations for the Consumer Protection Law of the People's Republic of China (Draft for Review) (the 'Draft Consumer Protection Regulations') were formulated and published for consultation in 2016 by the State Administration for Industry and Commerce; they reiterate and clarify some of the data protection obligations regarding consumers' personal data.

A significant recent development is the national standard Information Security Technology — Personal Information Security Specification (GB/T 35273-2017), issued on 29 December 2017 and coming into force on 1 May 2018 (the 'PI National Standards'). While the formal text of this standard has not yet been made widely available, the draft versions indicate that it sets out key data protection concepts and principles that have so far remained undeveloped and unexplained in the principal laws and regulations, including the Cybersecurity Law. In theory the PI National Standards do not necessarily replace the Guideline issued in 2012, but they are expected to become the reference national standard on personal data protection in China.

Please note that our discussion here covers only the general data protection rules above and the currently available drafts of the PI National Standards (not the final version), as these have the most direct, general and broad application to most if not all types of businesses in the PRC. The applicability of other laws or regulations will invariably depend on the factual context of each case, and further independent analysis is recommended (for example, businesses in the banking, healthcare or securities sectors are subject to industry-specific data protection regulations, and employee personal data attracts some protection under employment law).

Even in China, where blockchain technology is so well developed, data protection is far from ideal. Don't rely on someone else to protect you: come and join IDM!