What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
There is no overarching law with respect to employee privacy in China. Rather, employers are subject to a patchwork of laws, depending on the type of information and the particular context, as described below. The following regulations form the backbone of China's data protection laws:
- The Cybersecurity Law of the People's Republic of China (网络安全法), promulgated on November 7, 2016 by the Standing Committee of the National People's Congress (“SCNPC”) and effective on June 1, 2017 (the “Cybersecurity Law”). The Cybersecurity Law applies to all “network operators,” a term defined broadly to include “owners and administrators of computer information networks as well as network service providers.” The Cybersecurity Law contains certain provisions devoted to personal data protection, which restate the personal data protection requirements already in place for the telecommunications sector and consumer protection. For example, network operators are required to keep the personal data they collect strictly confidential and to establish and improve information protection policies.
- The Decision on Strengthening Online Information Protection (全国人大常委会关于加强网络信息保护的决定), adopted by the SCNPC and effective on December 28, 2012 (the “2012 Decision”).
- National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (信息安全技术公共及商用服务信息系统个人信息保护指南, GB/Z 28828-2012), promulgated by the Ministry of Industry and Information Technology of China ("MIIT") on November 5, 2012 and effective on February 1, 2013 (the "Guideline"). Note that the Guideline is not law or regulation and is not legally binding.
- National Standard of Information Technology – Personal Information Security Specification (个人信息安全规范, GB/T 35273-2020) (the “Specification”), recently updated by the National Information Security Standardization Technical Committee, and effective October 1, 2020. This Standard sets the guidelines businesses should follow relating to personal data. Note that the Specification is not law or regulation.
- Technology Requirement for Personal Information Protection of Smart Mobile Terminal, promulgated by the National Information Security Standardization Technical Committee, effective on May 1, 2018. This Requirement sets personal information protection guidelines and technology requirements for mobile terminals. Note that the Requirement is not law or regulation.
- National Standards of Network Security Graded Protection: Basic Requirements for Network Security Graded Protection of Information Security Technology (信息安全技术 网络安全等级保护基本要求) (GB/T 22239-2019); Assessment Requirements for Network Security Graded Protection of Information Security Technology (信息安全技术 网络安全等级保护测评要求) (GB/T 28448-2019); and Security Design and Technology Requirements for Network Security Graded Protection of Information Security Technology (信息安全技术 网络安全等级保护安全设计技术要求) (GB/T 25070-2019). These national standards were promulgated by the State Bureau of Market Administration and Supervision and the National Information Security Standardization Technical Committee on May 13, 2019. Based on the Cybersecurity Law, they set the graded security level of networks and the protection measures required for each level.
The Draft Measures for the Security Assessment of Personal Information to be Transferred Abroad were made available for public comment on June 13, 2019. They provide the assessment process for personal information to be transferred abroad. The Password Law of the People's Republic of China came into effect on January 1, 2020, and regulates the management and certification of commercial passcodes. The Draft Data Security Management Measures were promulgated in May 2019 for public comment, and set protection measures for personal data and important data.
The jurisdictional scope of the rules does not include Hong Kong, Macau and Taiwan.
China does not have a single central data protection authority charged with enforcing privacy laws. The major regulators involved with possible issues regarding privacy laws include the:
- Ministry of Industry and Information Technology (MIIT) – regulates personal data collected and used in telecom and internet sectors
- Ministry of Public Security (MOS) – regulates internet security management and violations of personal information management
- Office of the Central Cyberspace Affairs Committee (OCCAC) and Cyberspace Administration of China (CAC) – regulate internet content monitoring
- National Health and Family Planning Commission (NHFPC) – regulates medical records and population health information
- State Post Bureau (SPB) – regulates personal data collected and used in mailing and courier services
- State Administration for Industry and Commerce (SAIC) – regulates consumer personal information, except in areas or sectors where a specific authority has been given responsibility
- State Bureau of Market Administration and Supervision (SAMR) – regulates the business activities of enterprises in the Chinese market
- National Information Security Standardization Technical Committee (NISSTC) – sets the national standards of data security management