There is no single overarching law in China governing data privacy. Protection is instead provided through a patchwork of laws, regulations and local rules, including, without limitation, the PRC Constitution, the PRC Criminal Law, the General Principles of the Civil Law of the PRC, the PRC Tort Liability Law, the Law on Resident Identity Cards, the Postal Law, the Social Insurance Law, the PRC Cybersecurity Law, the PRC Telecommunication Regulation, and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
Under the PRC Criminal Law, unlawfully selling, providing, stealing or otherwise illegally obtaining citizens' personal information, whether by an individual or an entity, may attract criminal penalties of up to seven years' imprisonment plus monetary fines.
It is worth noting that the PRC Cybersecurity Law was promulgated on 7 November 2016 and takes effect on 1 June 2017. The new law has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China, and has attracted considerable media attention. It is intended to combat online fraud and protect China against Internet security risks. Among other things, the new law imposes new security and data protection obligations on “network operators”, restricts transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.
Under the PRC Cybersecurity Law, a range of new obligations is imposed on organisations that are “network operators” (i.e. network owners, network administrators and network service providers). Some commentators take the view that the definitions in the law are broad enough to capture any business that owns and operates IT networks or infrastructure, or even just a website, in China. Among other things, network operators are required to publish data privacy notices (explicitly stating the purposes, means and scope of the personal information to be collected and used) and to obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to secure personal information against loss, destruction or leakage, and in the event of a data security breach must take immediate remedial action and promptly notify affected users and the relevant authorities. They must also comply with the principles of legality, propriety and necessity in their data handling: they may not collect personal information beyond what is necessary, may not provide an individual's personal information to others without that individual's consent, and may not illegally sell an individual's personal data to others. There are also general obligations to keep user information confidential and to establish and maintain data protection systems.
Breaches of the PRC Cybersecurity Law can result in a fine of up to RMB1 million (where there are no illegal gains) or up to ten times the illegal gains, together with confiscation of those gains, as well as administrative penalties, including revocation of the relevant permit or business licence of the entity in breach.
It remains unclear whether the PRC Cybersecurity Law will apply to a company whose business is not focused on cyber services but which uses network services to store and manage its employees' personal data in its day-to-day operations. More clarity is expected from implementing rules, which may be issued before the PRC Cybersecurity Law takes effect.