Database

Article 18 of the Counterterrorism law requires Internet service providers and telecommunication sector to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”

There are two articles in the State Security Law permitting the state security organ to accede, when necessary, to any information or data held by anyone in China. Article 11 stipulates that ‘where state security requires, a state security organ may inspect the electronic communication instruments and appliances and other similar equipment and installations belonging to any organization or individual’ and Article 18 ‘When a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so.’

Under the Cybersecurity Law, network operators must promptly inform data subjects if their personal information is disclosed, tampered with or destroyed, and notification must also be made promptly to the relevant authorities.

Furthermore, a Personal Information Security Specification, which came into force in May 2018, further stipulates that data controllers must have security incident response plans in place. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.

In case the loss or divulgence of any personal financial data occurs in breach of the banking regulations, the banking financial institution must promptly (within one day) inform the People’s Bank of China.

Telecommunication companies and internet service providers must notify the Ministry of Industry and Information Technology of any actual or potential divulgence or loss of or damage to personal data.

Data subjects may always request the deletion of their personal data. Furthermore, according to a Personal Information Security Specification, which came into force in May 2018, data subjects have the right to erasure, as well as the right of account cancellation. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.

Under the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems, personal information may be collected only if the user is notified of extensive information. This include the the purpose of collection; the means of collection, specific information collected, and time of retention; the scope of use of the collected personal information, including the scope of disclosure or provision of personal information to other organizations and institutions; measures for protection of personal information; risks the user may encounter after providing personal information; and, in circumstances where personal information must be transmitted or entrusted to another organization, the purpose for transmission or entrustment, the specific personal information and scope of use of the transmitted or entrusted personal information, and the name, address, and contact information of the recipient of the entrusted personal information.

The Personal Information Security Specification, which came into force in May 2018, also stresses that explicit consent is required when sensitive data is being collected. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.

According to a Personal Information Security Specification, which came into force in May 2018, personal information must be retained for the shortest period of time and only to the extent necessary. After personal information has been collected, the data controller must de-identify such information and retain the de-identified information separately from any personal identifiable information. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.

China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers for at least two years.

Under the Provisions, app providers are required to keep records of users’ activities for 60 days (Art. 7(6)).

The Regulation on Internet Information Services of the People's Republic of China requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorized government authorities when required (Art. 14.).

In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorized government authorities (Art. 10).

Article 5.4.5. of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibit the transfer of personal data abroad without express consent of the data subject, government permission or explicit regulatory approval "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas."

Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.

The Cybersecurity Law includes requirements for personal information of Chinese citizens and “important data” collected by "key information infrastructure operators" (KIIOs) to be kept within the borders of China (Art. 37). If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise regulated by laws and regulations. The definition of KIIOs remains to be finalised. As a result, it is reported that in February 2018, Apple began hosting Chinese users's iCloud accounts, along with their encryption keys, on a Chinese data center so as to comply with these new measures.

Additionally, the Draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, issued in April 2017 by the Cyberspace Administration of China, would expand this restriction to all "network operators". This expands the scope of the measure to cover most, if not all, cloud service providers. The draft measures allow some smaller organizations (or smaller transfers) to be subject to a simple self-assessment regime, as long as the data they seek to transfer is not deemed relevant to national security, or social and public interest. However, larger organizations and larger transfers (e.g., over 500,000 records) must be assessed by the competent authority.

Additionally, a Personal Information Security Specification, which came into force in May 2018, further cements the need for security assessments when outsourcing data processing to a third party, and mandates the need for audits and contractually obligated security measures. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.

China's Telecommunications Regulations require all data collected inside China to be stored on Chinese servers. The US International Trade Commission reports that as a result of this regulation, Hewlett Packard, Qualcomm, and Uber were required to divest more than 50 percent of their businesses in China to Chinese companies, to avoid fines.

China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.

Online maps are required to set up their server inside of the country and must acquire an official certificate.