To download the Data Privacy Q&A guide, please click here.
To see other released Data Privacy Q&A guides on separate jurisdictions, please click here.
Is there a data privacy law in your jurisdiction? If yes, is it implemented? If no, what laws are relied on?
Yes. China’s Personal Information Protection Law (“PIPL”) was passed on 20 August 2021 and went into force on 1 November 2021. The PIPL is China’s first omnibus law regulating personal information protection.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
A number of implementing regulations for the PIPL are in the process of legislation. They include, among others, the third version of Measures for the Security Assessment of Outbound Data (Exposure Draft) (“Measures”) which was released on 29 October 2021 by the Cyberspace Administration (CAC) for public comments. The CAC, as China’s principal cybersecurity enforcement agency, dictates in the Measures specific circumstances in which security assessments are required. While the legislative timeline is unclear, the Measures will likely be enacted in 2022. The CAC is also expected to issue standard contractual clauses for cross-border transfer of data.
Who do Chinese Data Protection Laws apply to?
The PIPL has extra-territorial effect. It can apply to the processing of personal information of natural persons located in China irrespective of the location of the processing making it crucial for both entities doing business in or with China to consider whether they fall within scope of the PIPL. For entities engaged in personal information processing activities outside China, the PIPL will apply if:
Who are the relevant regulatory and enforcement authorities in China with regards to personal data protection?
The CAC serves as the main authority overseeing personal information protection. That said, other government agencies such as the Ministry of Public Security, which leads broader data security efforts, Ministry of Industry and Information Technology, and Ministry of Science and Technology, can also enforce the PIPL.
How is personal data defined in China?
The PIPL defines personal information as all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons located in China. Personal information does not include anonymized information that cannot identify a specific natural person.
Is there a distinction between personal data and sensitive data under the laws?
Yes, the PIPL defines sensitive personal information as personal information that when disclosed or illegally used, may cause harm to the dignity of natural persons. Sensitive personal information includes, among others, information on biometric characteristics, religious beliefs, personal identity information (such as ID card, passport, driver's license, work permit, social security card, residence permit, etc.), medical health, financial accounts, individual location tracking and personal information of minors under the age of 14.
Under the PIPL, sensitive personal information processing requires a specific purpose, specific need, and stricter protective measures. The relevant individual’s separate consent must be obtained, and written consent is required if stipulated in other laws/regulations.
Personal information handling entities are also obligated to inform the relevant individuals of the necessity of processing sensitive personal information and the impact(s) on their rights and interests. Personal information of minors require the consent of the parent/guardian.
Legal bases of processing personal data in China?
Below are the legal bases for processing personal information under the PIPL:
What is the consent requirement in China?
When consent serves as the legal basis for personal information processing, the individual must be fully informed and consent must be voluntarily and express. Where there is a change in the purpose of personal information handling, the handling method, or the categories of handled personal information, new consent regarding the change must be obtained.
What rights do individuals enjoy under the PIPL?
The PIPL is significant in that it provides individuals with a wider and stronger range of rights such as the below:
What restrictions are there for cross-border transfer of personal data?
Entities handling personal information, due to business or other needs, can transfer personal information outside China if it (1) adopts necessary measures to ensure that offshore recipient of the personal information matches the level of personal information protection as provided in the PIPL; and (2) fulfils the following requirements:
Is there a data localization requirement under the PIPL?
The PIPL requires storage of personal information in China in the following circumstances:
What liabilities/penalties would non-compliance with the PIPL result in?
Non-compliant entities will face fines ranging from RMB 1 million to RMB 50 million or 5% of the preceding year’s revenue, as well as other operational sanctions such as suspension of business activities or even being banned from operating in China.
 Handling, also referred to as processing, includes collection, storage, use, alteration, transmission, provision, and deletion of personal information. A personal information handler, as organizations/individuals that determine the purposes/means of personal information processing, is similar to the GDPR’s data controller.