In recent years, the Chinese government has published and implemented numerous significant laws and regulations governing the collection, processing, transferring and storing of data in order to “protect national security interests and personal information rights”. China currently does not have a single comprehensive data protection law. The existing legal framework consists of several new acts, guidance, and regulations published by different ministries at different times, which makes the regulatory landscape of data protection scattered, fractional, constantly evolving and sometimes confusing.
There are three pillars in the regulatory landscape for the data protection legal framework in China:
- Data security and protection requirements for data processors handling data in different categories, based on their relevance to national security;
- Detailed guidelines and requirements on personal information collection, usage, processing and transfer; and
- Special requirements and safety clearance mechanisms for cross-border data transfer.
Depending on the nature and scale of the data and the data operators’ processing methods, data operators may be required to:
- Notify the government and obtain approvals before the data is transferred
- Retain a certified third-party firm to assess and update the data security system used by the operator
- Store the data within China and disclose to and secure consents from the individuals on the personal information collection, storage, transfer and processing
This FAQ aims to provide a general overview of the regulatory compliance requirements for foreign-invested businesses currently collecting, storing and processing personal information in China, especially if that information is to be accessed by parties overseas.
Frequently Asked Questions
- What is personal information, and what is sensitive personal information under Personal Information Protection Law of the People’s Republic of China (“PIPL”)?
- What is the difference between core data and important data?
- What is the territorial scope of the PIPL?
- Under which circumstances is a company in China required to store data domestically?
- Are we required to secure consent if we are about to collect personal information? Under which circumstances is consent not required?
- What rights do individuals have under PRC data protection laws?
- Do we need a company-wide China privacy statement and related policies?
- What are the requirements if a foreign company needs to transfer personal information from China to its headquarters offshore?
- Under which circumstances is a personal information protection impact assessment required?
- If the Chinese subsidiary of a foreign company stores the data collected and processed in China on a domestic PRC server that is available to its foreign parent entity, will this be deemed as a cross-border transfer of personal information?
- If personal data is transferred to Hong Kong, Macao, or Taiwan, would it be considered as cross-border data transfer?
- If we store processed personal information with a third-party vendor, such as Google or Microsoft, is it the vendor’s responsibility to formulate a proper information protection plan that complies with the PIPL?
- Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?
- Does the PIPL require any kind of record-keeping?
- What penalties might be imposed in case of a violation of PIPL?
1. What is personal information, and what is sensitive personal information under Personal Information Protection Law of the People’s Republic of China (“PIPL”)?
Personal information refers to all kinds of information relating to identified or identifiable natural persons recorded electronically or by other means, excluding information after anonymization.
Sensitive personal information refers to personal information that, once leaked or illegally used, is likely to lead to the violation of the personal dignity of natural persons or harm to personal and property safety, including biometric identification, religious belief, specific identity, medical and health care, financial accounts, whereabouts and track, as well as the personal information of minors under 14 years of age.
2. What is the difference between core data and important data?
PRC data protection laws and regulations classify data into “ordinary”, “important”, and “core” categories, and require companies to take different kinds of protective measures when collecting, processing, transferring, and disposing of data.
- Ordinary Data refers to data with a minimal ability to impact society at large, or that will affect a small number of individuals or enterprises.
- Important Data refers to data that may endanger national security and public interest once it is tampered with, damaged, leaked, or illegally obtained or used.
- Core Data refers to data that poses a “serious threat” to China’s national security, the lifeblood of the national economy, people’s livelihoods and public interest.
According to the PRC Data Security Law, all regions and departments shall, in accordance with the data classification and protection system, determine the specific catalogues of important data for their respective regions. The above-mentioned catalogues are currently being developed by the relevant government departments, and the protection requirements for important data and core data will become clearer once those catalogues are released.
3. What is the territorial scope of the PIPL?
The PIPL applies to personal information processing activities within the PRC. However, any processing of personal information outside China will also trigger the PIPL’s application where one of the following circumstances occurs:
- The purpose of the processing is to provide products or services to natural persons located within the PRC.
- The processing is for analyzing or assessing the behaviors of natural persons located within the PRC.
- Other circumstances provided by laws and regulations arise.
4. Under which circumstances is a company in China required to store data domestically?
The PIPL provides the following scenarios that require personal information processors to store the personal information they process within the PRC:
- Personal information processed by state organizations;
- Personal information collected or generated within the PRC by critical information infrastructure operators (CIIOs). CIIOs refer to the companies engaged in “important industries or fields”, including:
- Public communication and information services;
- Public services;
- E-government services;
- National defense; and
- Any other important network facilities or information systems that may seriously harm national security, the national economy, people’s livelihoods or public interest in the event of incapacitation, damage, or data leaks.
- Personal information collected or generated within the PRC by personal information processors whose processing reaches any of the thresholds below:
- Processing the personal information of more than 1 million individuals;
- Since January 1 of the previous year, the personal information of 100,000 individuals has been provided overseas;
- Since January 1 of the previous year, the sensitive personal information of 10,000 individuals has been provided overseas.
For the above scenarios, if the personal information processors are able to show a real need to transfer the personal information overseas, they shall first pass a security assessment organized by the national cyberspace administration.
5. Are we required to secure consent if we are about to collect personal information? Under which circumstances is consent not required?
Yes. Personal information processors must obtain each individual’s consent before processing any personal information. Where personal information is processed based on an individual’s consent, such consent shall be given voluntarily and explicitly by the individual on a fully informed basis.
The PIPL also requires personal information processors to secure “separate consent” under the following circumstances:
- When transferring personal information to another personal information processor;
- When processing personal information collected by public surveillance devices for purposes other than public security;
- When processing sensitive personal information;
- When transferring personal information outside the PRC.
6. What rights do individuals have under PRC data protection laws?
Individuals have the following rights under PRC data protection laws:
- Individuals shall have the right to know and the right to decide on the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by any law or administrative regulation.
- Individuals shall have the right to consult and duplicate their personal information from personal information processors unless prohibited by law. Where individuals request the transfer of personal information to their designated personal information processors, if the conditions specified by the national cyberspace administration are met, personal information processors shall provide the channels for transfer.
- Where individuals discover that their personal information is incorrect or incomplete, they shall have the right to request personal information processors to correct or supplement relevant information.
- Where individuals request the correction or supplementation of their personal information, personal information processors shall verify the personal information, and correct or supplement relevant information in a timely manner.
- Under any of the following circumstances, a personal information processor shall voluntarily delete an individual’s personal information; if the personal information processor fails to do so, the individual shall have the right to request the deletion:
- The processing purpose has been achieved or cannot be achieved, or it is no longer necessary to achieve the processing purpose;
- The personal information processor ceases the provision of products or services, or the retention period has expired;
- The individual withdraws consent;
- The personal information processor processes personal information in violation of any law or administrative regulation or the agreement; and
- Other circumstances as provided by laws and administrative regulations.
- Where the retention period provided by any law or administrative regulation has not expired, or it is difficult to realize the deletion of personal information technically, the personal information processor shall cease the processing of personal information other than storing and taking necessary security protection measures for such information; and
- Individuals shall have the right to request personal information processors to explain their personal information processing rules.
7. Do we need a company-wide China privacy statement and related policies?
Yes. Per PIPL, a personal information processor shall, before processing personal information, truthfully, accurately and completely notify individuals of the following matters in a conspicuous way and in clear and easily understood language:
- The name and contact information of the personal information processor;
- Purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods;
- Methods and procedures for individuals to exercise the rights provided in the PIPL; and
- Other matters that should be notified as provided by laws and administrative regulations.
Where any matter as set forth in the preceding paragraph changes, the individuals shall be notified of the change.
Where the personal information processor notifies the matters set forth above by developing personal information processing rules, those rules shall be disclosed and be easy to consult and preserve. A company privacy statement serves as such processing rules for all employees.
8. What are the requirements if a foreign company needs to transfer personal information from China to its headquarters offshore?
Depending on the scale of the data processing by a foreign-invested company in China, the PRC government may require prior approval before the cross-border transfer.
Foreign companies processing personal information that meet ALL the criteria below are not required to obtain prior approval:
- Operator of non-critical information infrastructure;
- Dealing with personal information of fewer than 1 million individuals;
- Providing personal information of fewer than 100,000 people abroad in total since January 1 of the previous year;
- Providing sensitive personal information of fewer than 10,000 people outside China since January 1 of the previous year.
Companies that meet all the criteria above should follow the procedure below in order to conduct a cross-border data transfer:
- Seek employees’ consents in writing for the transfer of the personal information offshore;
- Conduct a personal information protection impact assessment;
- Enter into a standard contract for personal information cross-border transfer with the offshore headquarters; and
- File the personal information protection impact assessment report and standard contract with the cyberspace administration.
If a company fails to meet ANY of the criteria listed above, it will be required to pass a security assessment organized by the national cyberspace administration and secure prior approval before any cross-border data transfer.
9. Under which circumstances is a personal information protection impact assessment required?
In accordance with PIPL, under any of the following circumstances, personal information processors shall conduct personal information protection impact assessment in advance, and record the processing information:
- Processing sensitive personal information;
- Using personal information to conduct automated decision-making;
- Commissioning personal information processing, providing personal information to other personal information processors, or disclosing personal information;
- Providing personal information to an overseas recipient; and
- Other personal information processing activities which have major impacts on individuals’ rights and interests.
10. If the Chinese subsidiary of a foreign company stores the data collected and processed in China on a domestic PRC server that is available to its foreign parent entity, will this be deemed as a cross-border transfer of personal information?
Yes, this will be deemed as cross-border transfer under PIPL.
11. If personal data is transferred to Hong Kong, Macao, or Taiwan, would it be considered as cross-border data transfer?
Yes, it would be treated as a cross-border data transfer, as these regions all have different legal frameworks.
12. If we store processed personal information with a third-party vendor, such as Google or Microsoft, is it the vendor’s responsibility to formulate a proper information protection plan that complies with the PIPL?
No. It is ultimately your obligation, as the actual collector and controller of the personal information, to ensure compliance with the PIPL. If the data is stored with a third-party vendor located outside of China, the actual controller shall file the service contract with the third-party storage service provider with the PRC authority, together with a self-assessment report on the protection of the personal information covering safety, necessity, and reasonableness.
13. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?
No. Per PIPL, only a personal information processor that meets the threshold specified by the national cyberspace administration (see question 8 above) shall appoint a DPO to be responsible for overseeing personal information processing activities as well as the protection measures taken, among others.
However, please note that an employee of the company must be listed as the contact person when filing Standard Contracts for the Outbound Transfer of Personal Information with the cyberspace administration. It is clearly preferable that this person understands the legal landscape and is capable of preparing the requisite paperwork and liaising with the authorities if and when needed.
14. Does the PIPL require any kind of record-keeping?
Yes. If a company handles sensitive personal information, uses the collected personal information for algorithmic decision-making, contracts a third party to process personal information, or transfers personal information abroad, it shall keep appropriate records for at least three years.
15. What penalties might be imposed in case of a violation of PIPL?
In case of a minor violation, authorities may impose:
- An order requiring correction, confiscation of illegal gains, or provisional suspension or termination of improper practices.
- A fine of up to CNY 1 million against wrongdoers who refuse to correct their behaviors.
- A fine of between CNY 10,000 and CNY 100,000 against a directly responsible person.
In the case of a serious violation, provincial or higher-level authorities may impose:
- An order requiring correction, confiscation of illegal gains, suspension or closure of the relevant business, or revocation of the business license.
- A fine of up to CNY 50 million or 5% of the turnover in the previous year.
- A fine of between CNY 100,000 and CNY 1 million against a directly responsible person.
- A prohibition against directly responsible persons from holding senior management positions and roles for a certain period.
In both cases, such illegal acts will be included in credit records and be publicly disclosed.