What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
There is no overarching law governing employee privacy in China. Rather, employers are subject to a patchwork of laws whose application depends on the type of information involved and the particular context. The following laws and standards form the backbone of China's data protection regime:
- The Cybersecurity Law of the People's Republic of China (网络安全法), promulgated on November 7, 2016 by the Standing Committee of the National People's Congress (“SCNPC”) and effective on June 1, 2017 (the “Cybersecurity Law”). The Cybersecurity Law applies to all “network operators,” a term defined broadly to include “owners and administrators of computer information networks as well as network service providers.” The Cybersecurity Law contains provisions devoted to personal data protection, which largely restate the personal data protection requirements already in place for the telecommunications sector and under consumer protection law. For example, network operators are required to keep the personal data they collect strictly confidential and to establish and improve their personal information protection policies.
- The Decision on Strengthening Online Information Protection (全国人大常委会关于加强网络信息保护的决定), adopted by the SCNPC and effective on December 28, 2012 (the “2012 Decision”).
- National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (信息安全技术公共及商用服务信息系统个人信息保护指南, GB/Z 28828-2012), promulgated by the Ministry of Industry and Information Technology of China ("MIIT") on November 5, 2012 and effective on February 1, 2013 (the "Guideline"). Note that the Guideline is not law or regulation and is not legally binding.
- National Standard of Information Security Technology – Personal Information Security Specification (信息安全技术 个人信息安全规范, GB/T 35273-2017) (the “Specification”), promulgated by the National Information Security Standardization Technical Committee and effective May 1, 2018. The Specification sets out the practices businesses are expected to follow when handling personal data. Note that the Specification is not law or regulation and is not legally binding.
- Technology Requirements for Personal Information Protection of Smart Mobile Terminals, promulgated by the National Information Security Standardization Technical Committee and effective on May 1, 2018. This standard sets out personal information protection guidelines and technical requirements for smart mobile terminals. Note that it is not law or regulation and is not legally binding.
The jurisdictional scope of these rules does not extend to Hong Kong, Macau or Taiwan.
China does not have a single central data protection authority charged with enforcing privacy laws. The main regulators with responsibility for privacy matters include the:
- Ministry of Industry and Information Technology (MIIT) – regulates personal data collected and used in telecom and internet sectors
- Ministry of Public Security (MPS) – regulates internet security management and handles violations involving the management of personal information
- Office of the Central Cyberspace Affairs Committee (OCCAC) and Cyberspace Administration of China (CAC) – regulate internet content monitoring
- National Health and Family Planning Commission (NHFPC) – regulates medical records and population health information
- State Post Bureau (SPB) – regulates personal data collected and used in mailing and courier services
- State Administration for Industry and Commerce (SAIC) – regulates consumer personal information, except in areas or sectors where a specific authority has been assigned responsibility