Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
Developing a unique culture, which blends traditional client care with modern technology and working practices since 1851.
Stay up to date on the latest news and legal insights.
News & Insights
The Cybersecurity Law, which will come into effect on 1 June 2017, will bring significant development to the data privacy protection regime. It regulates data privacy protection in the internet space.
In the PRC, data privacy protection requirements are embedded in various laws, industry-specific administrative regulations and judicial explanations. To date, there is not a consolidated piece of legislation dedicated to data privacy protection. Data privacy protection has been offered in industries such as banking, telecommunications and the consumer sector. However, many businesses are still enjoying an excessive amount of “freedom” in collecting, using and transferring personal data.
The Cybersecurity Law sets a high level of standard for internet operators in dealing with personal data. Essentially, if you maintain a website in China or collect personal data through an app or other internet social media in China:
Personal data is also widely defined in the Cybersecurity Law. It covers information recorded in electronic or other forms, which is capable of identifying a natural person’s identity, including but not limited to his name, date of birth, identity certificate number, biologically identified personal information, address and telephone number.
“Critical information infrastructure operators” are restricted from transferring personal data outside of China unless they pass the security assessment conducted by the authorities. The Cybersecurity Law does not specify precisely which organisations are regarded as critical information infrastructure operators but provides that they generally cover operators in public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs.
The consequence for violation of these data privacy protection provisions can be serious. Depending on the seriousness of the violation, the authorities may issue warnings or confiscate illegal income. The authorities may also impose penalty ranging from 1 – 10 times of the illegal income obtained as a result of such violation; or if no illegal income is obtained, the penalty is up to one million RMB. For serious violations, the authorities may order the shutdown of the internet operations or websites, and cancel the relevant permits and licenses. The responsible persons and directors may also be exposed to personal liability and payment of penalty. Violations may also result in further civil and criminal liabilities.
The language of the Cybersecurity Law is still fairly broad. We expect further precise regulations and rules regarding data privacy protection would be promulgated. The Cybersecurity Law demonstrates the PRC government’s desire to roll out data privacy protection to the general public. This is a significant step taken towards a nationwide protection regime on data privacy in the PRC. We will watch this out for you. It is also time to start formulating a data protection privacy policy for your China operations if you have not already done so.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.
Media Contact
For media enquiries please contact us at media.relations@deacons.com.
Tel: +852 2825 9211