Data Advocacy for China

Currently, there is not a comprehensive data protection law in the People’s Republic of China (‘PRC’). Instead, rules relating to personal data protection are found across various laws and regulations. Generally speaking, provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law may be used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit. A draft Personal Data Protection Law has been under review by the PRC Government for many years, but there is still no indication as to if and when such law will be passed.

The following form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection (promulgated and effective on 28 December 2012; the ‘Decision’) adopted by the Standing Committee of the National People’s Congress, and

  • National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (promulgated 05 Nov 2012 and effective on 01 February 2013, GB/Z 28828-2012; the ‘Guideline’) as published by the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China

(collectively referred to as the ‘General Data Protection Law’).

The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law. While the Guideline is only a technical guide and thus not legally binding, it is considered important because its scope extends to any “processing of personal information through information systems” (not necessarily connected to the Internet), and because it covers in detail key issues such as data exports, sensitive data, data subject access and the right to rectification. Given the lack of binding laws and regulations which provide detailed guidance on data processing, the Guideline can be a good reference. Therefore, compliance with the Guideline is recommended as good practice.

In addition to the General Data Protection Law, provisions contained in other laws and regulations may be applicable depending on the industry or type of information at issue (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). For example (this is not an exhaustive list):

The Criminal Law of the People’s Republic of China prohibits sale or illegal provision of, or illegal access (such as theft) to citizens’ personal information.

Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (promulgated on 21 August 2014, and effective on 10 October 2014), which are applicable to Internet users and Internet service providers who use information networks to infringe the privacy rights of a third party.

The Provisions on Telecommunication and Internet User Personal Information Protection (promulgated on 19 July 2013 and effective on 1 September 2013), which are applicable to telecom and Internet service providers.

The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions, which would be applicable to banks who are outsourcing information technology services.

The Consumer Rights Protection Law of the People’s Republic of China (promulgated 25 October 2013 and effective on 15 Mar 2014; the ‘Consumer Protection Law’) contains data protection obligations which are applicable to most if not all types of businesses that deal with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (promulgated in January 2015) (‘Consumer Protection Measures’). Further, the draft Implementation Regulations for the Consumer Protection Law of the People’s Republic of China (Draft for Review) (‘Draft Consumer Protection Regulations’) were formulated and published for consultation in 2016 by the State Administration for Industry and Commerce and reiterate and clarify some of the data protection obligations as regards consumers’ personal data.

A significant recent development is the Cybersecurity Law, which was passed on 7 November 2016 and comes into force on 1 June 2017. The new law, which has been widely reported in both the local and international press, introduces a range of new rules relating to networks and online activities in the PRC, including enhanced data protection/security obligations. It has significant implications for the data protection and data/cyber security practices of both Chinese companies and international organisations doing business in the PRC. In short, as regards data protection it imposes new security and data protection obligations on “network operators”; and puts restrictions on transfers of certain data (including personal information of PRC citizens) outside of the PRC by “key information infrastructure operators” (‘KIIOs’). Some of the data protections within the Cybersecurity Law formalise as binding legal obligations some data protection safeguards that were previously only perceived as good practice in the PRC.

Please note that our discussion here only includes the General Data Protection Law, the Cybersecurity Law and the Consumer Protection Law, as such laws will have the most direct, general and broad application to most if not all types of businesses in the PRC. Applicability of other laws or regulations will invariably depend on the factual context of each case and further independent analysis is recommended (for example, businesses in the banking, healthcare or securities sectors will be subject to industry-specific data protection regulations; and employee personal data attracts some protections under employment laws).

Advertising Law:

The amended PRC Advertising Law, which came into effect on September 1, 2015, introduces certain provisions addressing data privacy issues. The amended Advertising Law expressly provides that an advertisement must not, among other things, disclose the “privacy affairs” of an individual.

Furthermore, the law imposes specific requirements with respect to sending advertisements to consumers, including the requirement to obtain prior consent from consumers to receiving marketing materials. Advertisers in breach of the consent requirement could be subject to a fine of between RMB 5,000 to RMB 30,000.

Amendment to Criminal Law:

The Ninth Amendment to the PRC Criminal Law (the “Amendment to Criminal Law”) was issued on August 29, 2015 and became effective on November 1, 2015. Under the Amendment to Criminal Law, “selling (in breach of relevant rules of the State) or illegally providing personal information without consent of the information subject which involve[s] serious circumstances” may result in criminal liability of up to seven years’ imprisonment and/or fines. The crime of “misappropriating personal information obtained during the performance of duty or services” was previously limited to the staff of government agencies and companies in certain industries and sectors, however, the Amendment to Criminal Law removes this limitation, resulting in a much wider scope of application. In addition, Internet service providers which consistently fail to fulfill security management obligations causing serious breach of user information could face criminal liability of up to three years’ imprisonment and/or fines.

Draft Cybersecurity Law:

China recently released the PRC Cybersecurity Law (the “Cybersecurity Law”) on November 7, 2016. The Cybersecurity Law, which will come into effect on June 1, 2017, will be China’s first law specifically regulating activities in cyberspace. The Cybersecurity Law contains a number of provisions devoted to Personal Data protection. While many of these provisions restate the Personal Data protection requirements already in place governing the telecommunications sector and the consumer protection, the law will have a much wider scope of application – it applies to all “network operators,” which is defined broadly to include owners and administrators of computer information networks as well as network service providers. In addition, the Cybersecurity Law introduces the concept of “Key Information Infrastructures”. Operators of “Key Information Infrastructures (“KII”)” are specifically required to store personal information and other “important data” collected and generated during operations within the PRC. If it is “truly necessary” for a KII operator to store or transfer such data overseas for business reasons, it must undergo a government security assessment process. Violations of the Personal Data protection provisions may lead to confiscation of the illegal gain and a fine of up to 10 times the illegal gain or RMB 1,000,000 (in case there is no illegal gain), and in serious cases, suspension of business or revocation of business license and fines of up to RMB 100,000 for responsible individuals. For KII operators, unauthorized cross-border transfer of data may result in confiscation of the illegal gain and a fine of up to RMB 1,000,000 as well as suspension of business or revocation of business license and a fine of up to RMB 100,000 for responsible individuals.

Draft Implementing Regulations of the Consumer Protection Law:

Draft Implementing Regulations of the Consumer Protection Law (the “Draft Consumer Protection Implementing Regulations”) were released for public comments on August 5, 2016. The Draft Consumer Protection Implementing Regulations not only reiterate the general data privacy requirements contained in the recent amendments to the PRC Consumer Protection Law, which came into effect in March 2014, but also impose certain new or more specific requirements in respect of protection of consumers’ Personal Data. Most notably, the Draft Consumer Protection Implementing Regulations introduce data retention and data breach notification requirements on business operators, and provide an explicit exception to the restriction on unauthorized disclosure of consumer personal information for de-identified information. In addition, the Draft Consumer Protection Implementing Regulations expand the existing requirements under the Consumer Protection Law and the amended Advertising Law in relation to direct marketing to address electronic as well as telephone marketing communications using consumers’ Personal Data.

While there is wide recognition in China of the need to protect privacy, there is as yet no specific legislation for the protection of Personal Data or privacy in China. The General Provisions of the Civil Code of the People’s Republic of China (effective as of January 1, 1987) (the “Civil Code”), the Opinion of the Supreme People’s Court on Several Problems in the Implementation of the Civil Code (issued in 1988 and revised in 1990) and the Answers of the Supreme People’s Court to Several Questions on Trying Cases Concerning the Right to Reputation (effective on August 7, 1993) (collectively the “Opinions”) address several issues relating to “privacy.”

This changed when the Law of the People’s Republic of China on Tortious Liability (the “Tortious Liability Law”) came into effect on July 1, 2010 and privacy rights were formally recognized as a form of civil rights and interests.

Under the current legal framework, the following laws and regulations are also relevant to privacy protection:

  • the Criminal Law, as amended by its Ninth Amendment, which became effective on November 1, 2015;
  • the Decision on Strengthening the Protection of Network Information, passed by the Standing Committee of the National People’s Congress on December 28, 2012 (the “NPC Decision”);
  • the amended Consumer Protection Law, effective from March 15, 2014; and
  • industry-specific regulations governing telecommunications, banking, insurance, real estate brokerage, post and courier, health and other sectors.

Definition of personal data

There is no single, pervasive definition of personal data in the PRC, but the definitions in the various laws, regulations and guidance that comprise the data protection framework in the PRC are starting to become more aligned. Personal data (which is referred to as ‘personal information’ in the Decision) means any electronic information which can enable identification of a citizen’s individual identity and which relates to personal privacy.

Personal information under the Decision means any electronic information which can enable identification of a citizen’s individual identity and which relates to personal privacy. This definition was further clarified in the Guideline as any data or information in connection with a specific individual, which can be used, separately or in combination with other data, to identify the individual.

The Consumer Protection Law does not provide a definition for personal information, but the Consumer Protection Measures and Draft Consumer Protection Regulations define consumer personal information as a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, consumption habits, identifying biological characteristics and other information collected by business operators during their provision of goods or services that may, independently or in combination with other information, identify the consumer.

Under the Cybersecurity Law, personal information is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including, but not limited to, the natural person’s full name, date of birth, identification numbers, personal biometric information, addresses, telephone numbers and so forth.

Definition of sensitive personal data

The Guideline makes a distinction between sensitive personal information and general personal information. In the Guideline, sensitive personal information is defined as personal information the leakage or alteration of which may result in adverse impact to the data subject. What comprises sensitive personal information in practice depends on the intention of the data subject as well as the nature of the activities to be undertaken. Examples may include personal identification number, mobile phone number, race, political view, religious belief, genes or fingerprints. General personal information is personal information other than sensitive personal information.

The Decision, the Consumer Protection Law and the Cybersecurity Law do not make such distinction.

Data Processing:

Under the NPC Decision, companies that, in their business operations, collect and use Electronic Personal Information:

  • should only collect and use Electronic Personal Information where it is lawful, legitimate and necessary to do so;
  • must explicitly inform the Data Subjects of the purposes, scope and manner of data collection and use, and must obtain the Data Subjects’ consent to the same;
  • must only collect and use the Electronic Personal Information in compliance with the law and as agreed with the Data Subjects;
  • must keep the Electronic Personal Information collected strictly confidential, and must not disclose, tamper with, damage, sell or unlawfully provide the same to a third party;
  • must adopt technical and other necessary measures to ensure that the data is secure, and must take remedial steps immediately where data disclosure, damage or loss occurs or may occur; and
  • must only send commercial electronic messages to a recipient’s email address, landline or mobile number with the recipient’s consent or at his/her request, or where the recipient has not expressly declined the receipt of the same.

There are very similar provisions under the amended Consumer Protection Law, which impose obligations on business operators that provide goods or services to PRC consumers.

Industry-specific regulations raise additional considerations with respect to data privacy in the relevant service sectors (e.g., telecommunications, insurance, post and courier, health, etc.). For instance, banking institutions in China must comply with the relevant rules issued by the China Banking Regulatory Commission in respect of cross-border transfer of Personal Data. Another example is that medical institutions in China are not allowed to store population health data (such as electronic medical records of patients) on servers located outside China.

A business operator is also advised to check the relevant industry-specific regulations and guidelines for specific requirements or recommendations on data processing.

Processing by Data Controllers:

See Section 4(b) above. No distinction has been drawn between a Data Controller and any other user/processor of Personal Data.

Jurisdiction/Territoriality:

Chinese laws and regulations concerning Personal Data protection and security do not have any extraterritorial effect.

Sensitive Personal Data:

No such term is defined under current Chinese laws and regulations.

In the absence of clear legal guidance, the General Administration of Quality Supervision, Inspection and Quarantine and the State Standards Commission published non-binding guidelines, i.e., Information Security Technology Guidelines for Personal Information Protection within Information System for Public and Commercial Services (the “Personal Information Protection Guidelines”), which define sensitive personal information as an individual’s personal information that may have adverse effects on the individual once it is leaked or modified. Examples of sensitive personal information include identification numbers, mobile phone numbers, racial or ethnic origin, political opinions, religious beliefs, DNA and fingerprints.

Please note that the Personal Information Protection Guidelines are not mandatory; they are for the relevant industry players’ reference only and have no legally binding effect.

Employee Personal Data:

The Administrative Regulations for Employment Services and Employment (effective as of January 1, 2008) (the “Employment Management Regulations”) use the term “Personal Data,” but this term is not further defined in the regulations.

Although there is no definition under Chinese law of “Employee Personal Data,” general rules governing record retention of enterprises refer to special retention and local government/trade union consent requirements for documents and materials that arise from the operation and management of an enterprise whose preservation is of “value to the State, society and the enterprise.” Discussions with selected government officials indicate that such materials could include the Personal Data of employees, and it is recommended that local authorities be consulted regarding certain categories of data (e.g., health records, disciplinary actions, pensions, social security information, etc.).

Consent Requirements:

General:

With the issuance of the NPC Decision, the consent of Data Subjects should be obtained for the collection and use of Personal Data in cyberspace. Under the amended Consumer Protection Law, the collection and use of consumer Personal Data, and the sending of unsolicited commercial messages are subject to consumer consent.

Sensitive Data:

Chinese law does not explicitly distinguish between personal information and sensitive personal information.

Minors:

The Law of the PRC on the Protection of Minors (effective from June 1, 2007) provides that no person may disclose the private matters of PRC citizens under the age of 18. There is no guidance on the application of the requirements, however, and the general view is that the collection and lawful use of the Personal Data of minors with the consent of their parents or guardians is acceptable.

Employee Consent:

Under the Employment Management Regulations, employers should keep their Employee Personal Data confidential, and must obtain an employee’s written consent before publicizing his or her Personal Data.

In addition, if an employer has formulated a data processing policy, and such policy forms part of the employer’s company rules, the employer is required to consult the employees through the trade union, the employee representatives’ congress or other means.

Online/Electronic Consent:

Electronic signatures are valid under PRC law. In addition, a data message that can display its contents in tangible form, that can be retrieved and consulted, and whose contents can be shown to have remained intact and unmodified since it was finalised is deemed to be a written document and an original document. Although PRC law provides that a data message may not be refused as evidence solely on the grounds that it was created, sent, received or stored in electronic form, in practice it is generally much more difficult to submit an electronic contract/data message as evidence than a hard-copy signature.

There is no national data protection authority in the PRC.

The PRC does not maintain a register of data administrators, personal data processing activities or databases containing personal information.

There is no legal requirement in the PRC for organizations to appoint a data protection officer.

The Guideline however recommends that a specific institution or specific personnel be appointed to be responsible for the internal management of personal data protection.

Under the Guideline, the organisation (‘Data Administrator’) should have a specific, clear and reasonable purpose when collecting personal information. Before a Data Administrator collects and processes personal information, they should notify the data subject of the following:

  • the purpose of the data processing
  • the methods of collection, scope of the data collected and the intended use
  • retention period
  • whether the data will likely be disclosed to a third party and the type of personal information that may be disclosed
  • the measures protecting the personal information
  • the name, address and contact information of the Data Administrator
  • the potential risks to the data subject of providing the requested personal information
  • the consequences of not providing the requested personal information
  • channels for data subjects to check and/or correct personal information and submit complaints, and
  • if personal information is to be transferred to or entrusted with another organisation or institution: (i) purposes of transfer or entrustment, (ii) scope of data transferred or entrusted and the intended use, and (iii) the name, address, contact method of the data recipient.

Under the Guideline, consent is required from the data subject before the personal information can be processed. Consent can be explicit or implicit. Implicit consent is sufficient for collection of general personal information. Explicit consent is required for collection of sensitive personal information. If the data subject clearly objects – and data subjects have the right to vary or withdraw consent – collection, use and disclosure should be discontinued or the personal information should be destroyed. Furthermore, personal information should be collected on a minimally required basis. Indirect or hidden collection methods are prohibited. Collection from those with limited or no capacity for civil conduct (generally persons under 16 years old) is prohibited unless consent is obtained from their parent/legal guardian.

Under the Guideline, the Data Administrator should process personal data for the stated purposes and within the scope notified to the data subject. Furthermore, personal information should be kept accurate and up to date during processing.

Under the Decision, the Consumer Protection Law and the Cybersecurity Law, organisations caught by those rules may collect and use personal information if the following conditions are met:

  • abide by the principles of legality, legitimacy and necessity, and may not be excessive;
  • explicitly notify the purposes, means and scope of collection, use and disclosure of personal information;
  • obtain the data subject’s clear consent to the personal information collection, use and disclosure;
  • not violate laws, regulations or agreements between the organisation and the data subject when collecting or using the personal information; and
  • make publicly available the organisation’s rules regarding collection and use of personal information.

Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided in the Cybersecurity Law.

The rules do not apply to truly (and irreversibly) anonymised data according to the Cybersecurity Law and the Draft Consumer Protection Regulations.

Under the Guideline, a Data Administrator may transfer personal information to third parties if the following conditions are met:

  • the Data Administrator does not transfer in contravention, or outside the scope, of the transfer purposes notified to the data subject;
  • the Data Administrator ensures, by contractual means, that the data recipient has the capability and is responsible for properly processing the personal information in accordance with the Guideline;
  • personal information will be kept confidential (i.e. not disclosed to any individual, organisation or institution) during the transfer and processing by the data recipient;
  • the Data Administrator ensures that the personal information is kept accurate and up to date; and
  • unless explicit consent is obtained from the data subject, or permitted by laws or regulations, or express authorisation is obtained from relevant authorities, personal information must not be transferred to a data recipient outside the borders of the PRC.

With respect to transfers, there are no specific requirements in the Decision.

The Consumer Protection Law provides that organisations caught by the Consumer Protection Law and their employees must keep the consumers’ personal information they collect strictly confidential and must not disclose, sell, or illegally provide it to others; the Draft Consumer Protection Regulations clarify that this restriction does not apply where the data subject has consented.

The Cybersecurity Law prohibits disclosure or transfer of an individual’s personal information to others without the individual’s consent. It further includes requirements for personal information of Chinese citizens and “important data” collected by KIIOs to be kept within the borders of the PRC. If there are business needs for the KIIOs to transfer this data outside of the PRC, security assessments must be conducted. The definition of KIIOs remains to be finalised.

Data localisation is an increasing trend in the PRC, with various sector specific regulations prohibiting transfer of personal information outside the borders of the PRC.

International Data Transfers:

Transfers of Personal Data out of China are permitted so long as the consent of the Data Subject has been obtained.

However, the production, reproduction, access and dissemination (including by means of cross-border transfer) of prohibited information is strictly forbidden under Chinese law. Prohibited information generally includes information which may harm the interests of the State, cause social instability or infringe another person’s rights.

In addition, certain industry sectors are subject to specific restrictions. For example, according to rules issued by the People’s Bank of China, personal financial information collected within China must be stored, processed and analyzed in China unless otherwise exempted. Similarly, medical and health institutions are prohibited from storing “population health information” on overseas servers.

Selected regulations also suggest that local government authorities in charge of archives should be consulted before the implementation of international data transfers.

Under the Guideline, a Data Administrator must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Furthermore, the Data Administrator should:

  • plan, design and implement a systemic personal information management process
  • design standard personal information management and implement the responsibility of managing personal information
  • designate expert organisations or personnel to be responsible for the internal management of personal information protection, available to process data subject complaints or inquiries
  • design and implement educational training on personal information protection
  • set up an internal management control system for personal information protection, and
  • periodically conduct assessments on the status and implementation of personal information security, protection standards and measures either on its own or through an independent evaluation agency.

The Decision requires technical and other necessary measures to be taken to ensure information security and to prevent the leakage, damage or loss of personal information. Where there is a risk or occurrence of information leakage, damage or loss, remedial measures must be taken.

Similar data security obligations apply under the Consumer Protection Law.

Under the Cybersecurity Law, network operators are required to establish information protection systems. In particular, network operators must implement technical and other necessary measures to ensure the security of personal information and to prevent the collected data from being accidentally disclosed, tampered with or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed, tampered with or destroyed. Network operators should also establish systems to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received.

Under the Guideline, a Data Administrator must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Furthermore, the Data Administrator should:

  • plan, design and implement a systemic personal information management process
  • design standard personal information management and implement the responsibility of managing personal information
  • designate expert organisations or personnel to be responsible for the internal management of personal information protection, available to process data subject complaints or inquiries
  • design and implement educational training on personal information protection
  • set up an internal management control system for personal information protection, and
  • periodically conduct assessments on the status and implementation of personal information security, protection standards and measures either on its own or through an independent evaluation agency.

The Decision requires technical and other necessary measures to be taken to ensure information security and to prevent the leakage, damage or loss of personal information. Where there is a risk or occurrence of information leakage, damage or loss, remedial measures must be taken.

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. The PRC currently lacks a centralised enforcement mechanism for data protection and there is no single data protection authority or any other state agency established to monitor the protection of personal data.

Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.

Typically, it would be a graded approach – a warning and a requirement to comply, then possibly fines up to approximately RMB500,000. Affected individuals may also potentially claim for indemnification under the Tort Liability Law. In severe cases, breaches may lead to higher fines being imposed or the revocation of a licence. Responsible personnel could be prohibited from engaging in the relevant business and their conduct could be recorded in their social credit files. Depending on the severity of the illegal conduct, the responsible person could also be subject to detention or up to seven years of imprisonment, plus a concurrent fine on the organisation if applicable.

The data protection provisions of the Criminal Law have been the most widely used provisions to enforce privacy protection in the PRC. Essentially, only the illegal sale or purchase of personal data is subject to enforcement under the Criminal Law.

However, the enforcement environment is evolving rapidly as individuals become increasingly aware of their data protection rights and as data protection obligations expand with the development and addition of laws in China. For example, the Cybersecurity Law provides for ordering corrections, issuing warnings, confiscating illegal gains and imposing fines of up to 10 times the illegal gains (or fines of up to RMB1,000,000 where there is no illegal gain) upon discovery of a violation in the handling of personal information. The responsible persons may also be fined between RMB10,000 and RMB100,000.

Any infringement of privacy rights (as described in Section 4 above) will give rise to claims for injunctive relief and compensatory damages under the Tort Liability Law.

Administrative penalties (e.g., issuing a warning, confiscating illegal income, imposing a fine, revoking the business license, etc.) may be imposed for violation of the privacy principles set out in the NPC Decision.

In serious cases, the above-mentioned activities may amount to a violation of the Law of the PRC on the Imposition of Penalties in Connection of the Administration of Law and Order (effective from March 1, 2006) (the “Penalties Law”). The Penalties Law is applicable to cases where the circumstances are not serious enough to amount to a crime but the administrative penalties are insufficient. Penalties imposed by the Public Security Bureaus under the Penalties Law include detention of up to 20 days.

Under the Amendment to Criminal Law:

  • anyone who unlawfully sells or provides personal information to third parties and causes serious results may be sentenced to up to three years of imprisonment or criminal detention and/or subject to a fine in serious cases, or be sentenced to three to seven years of imprisonment and/or subject to a fine in very serious cases;
  • anyone who unlawfully sells or provides to third parties the personal information acquired in the course of providing the relevant services or fulfilling his or her duties and causes serious results shall be sentenced to three to seven years of imprisonment and/or subject to a fine in serious cases;
  • for those stealing or illegally obtaining the aforesaid information, the same sanctions above will apply; and
  • if any of the above offenses is committed by an organization, it will be subject to a fine and all management and officers who are directly responsible will be subject to the sanctions stated above.

Under the Decision, individuals and organisations are prohibited from acquiring personal electronic information by theft or other illegal methods; and from selling or unlawfully providing personal electronic information to anyone else. Similar prohibitions on unlawful sale or supply of personal information apply under the Cybersecurity Law.

The Decision prohibits individuals and organisations from sending commercial electronic information to a personal fixed-line telephone, mobile phone or email address without the consent or request of the electronic information recipient, or where the recipient has explicitly declined to receive such information.

The Consumer Protection Law prohibits sending of commercial information where the consumer has not consented, made any request to receive the information, or has explicitly indicated he/she does not wish to receive the information. The Draft Consumer Protection Regulations would, if implemented, clarify that business operators are prohibited from sending consumers electronic information or telephone calls of a commercial nature without clear consent from consumers. The Draft Consumer Protection Regulations would further clarify that consumers should not bear the costs of consented-to commercial communications unless otherwise agreed.

The “Provisions on Administration of Internet Information Search Services” published by the Cyberspace Administration of China came into force on August 1, 2016 and require Internet search providers to ensure objective, fair and authoritative search results and remove any illegal content. Service providers must establish an information security management system to protect personal information and regularly examine the qualifications of public information. All pay-for-performance searches need to be clearly labelled on an item by item basis.

The Decision indicates that network service providers and other companies should ensure the privacy of personal electronic information. They are not allowed to disclose, falsify, damage, as well as sell or unlawfully provide personal electronic information to anyone else. The Consumer Protection Law and the Cybersecurity Law offer similar protection to consumer/user personal information as well.

The Decision also indicates that network service providers should strengthen the management of information provided by users. Network service providers should also stop the transmission of unlawful information, take the necessary measures to remove it, retain the relevant records, and then report to the supervisory authorities.

Once citizens find network information that discloses their identity or breaches their legal rights, or are harassed by commercial electronic information, they have the right to require that the network service provider delete related information or take measures to prevent such behaviors.

Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided by the Cybersecurity Law, which generally prescribes data protection and data security obligations by network operators.

Under the Decision, network service providers must require users to provide genuine identification (‘real name’) information when signing agreements to grant them access to the Internet, fixed-line telephone or mobile phone services or to permit users to make information public.

In relation to online privacy for mobile apps, the “Provisions on Administration of Information Services of Mobile Internet Application Programs” require app providers to adopt real-name registration and verify users’ identities based on mobile phone numbers or other information. Providers are prohibited from collecting users’ location data, reading their contacts, starting the recording function or camera, or using any other irrelevant functions without clear notification and users’ consent. Furthermore, app publishers are required to establish information content review and management mechanisms, including punishing anyone who releases illicit information through warnings, limitation of functions, cessation of updates, or shutting down accounts.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC.

Accountability:

An organization has no legal obligation to conduct privacy impact assessments prior to the implementation of new information systems and/or technologies for the processing of Personal Data.

Whistle-Blower Hotline:

There are no laws/rules that govern whistle-blower hotlines in China.

E-Discovery System:

The implementation of an e-discovery system within an organization will not specifically raise any privacy issues in China.

Anti-Spam Filter:

The introduction of a spam-filtering solution in an organization will not raise privacy issues in China.

Cookies:

There is no specific law/rule that governs the use and deployment of cookies in China.

Direct Marketing:

An organization that plans to engage in direct marketing activities with a Data Subject is required to obtain the Data Subject’s prior consent.

Under the amended Consumer Protection Law and the amended Advertising Law, a business operator is prohibited from sending unsolicited commercial information to consumers who have not consented to receiving such information or who have expressly refused to receive the same.
