Further Development of Data Privacy Law in China

The Cybersecurity Law, which will come into effect on 1 June 2017, will bring significant development to the data privacy protection regime. It regulates data privacy protection in the internet space.

In the PRC, data privacy protection requirements are embedded in various laws, industry-specific administrative regulations and judicial explanations. To date, there is not a consolidated piece of legislation dedicated to data privacy protection. Data privacy protection has been offered in industries such as banking, telecommunications and the consumer sector. However, many businesses are still enjoying an excessive amount of “freedom” in collecting, using and transferring personal data.

The Cybersecurity Law sets a high level of standard for internet operators in dealing with personal data. Essentially, if you maintain a website in China or collect personal data through an app or other internet social media in China:

-          A Personal Data Collection Policy will need to be adopted and published online

-          You will need to require data subject’s consent to collect his personal data online

-          The scope of personal data collection should not be excessive

-          Transfer of personal data to third parties will require consent from the data subject

-          You shall not divulge, tamper with or damage personal data collected from them

-          You shall take necessary measures to protect data privacy

-          You shall not sell or disclose personal data to third parties illegally

-          You shall allow data subject to require correction or deletion of personal data

Personal data is also widely defined in the Cybersecurity Law. It covers information recorded in electronic or other forms, which is capable of identifying a natural person’s identity, including but not limited to his name, date of birth, identity certificate number, biologically identified personal information, address and telephone number.

“Critical information infrastructure operators” are restricted from transferring personal data outside of China unless they pass the security assessment conducted by the authorities. The Cybersecurity Law does not specify precisely which organisations are regarded as critical information infrastructure operators but provides that they generally cover operators in public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs. 

The consequence for violation of these data privacy protection provisions can be serious. Depending on the seriousness of the violation, the authorities may issue warnings or confiscate illegal income. The authorities may also impose penalty ranging from 1 – 10 times of the illegal income obtained as a result of such violation; or if no illegal income is obtained, the penalty is up to one million RMB. For serious violations, the authorities may order the shutdown of the internet operations or websites, and cancel the relevant permits and licenses. The responsible persons and directors may also be exposed to personal liability and payment of penalty.  Violations may also result in further civil and criminal liabilities.

The language of the Cybersecurity Law is still fairly broad. We expect further precise regulations and rules regarding data privacy protection would be promulgated. The Cybersecurity Law demonstrates the PRC government’s desire to roll out data privacy protection to the general public. This is a significant step taken towards a nationwide protection regime on data privacy in the PRC. We will watch this out for you. It is also time to start formulating a data protection privacy policy for your China operations if you have not already done so.