Database
Restrictions on data
CHINA
Since December 2015
Entry into force in January 2016
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Counterterrorism Law of the People's Republic of China
Article 18 of the Counterterrorism Law requires telecommunications operators and Internet service providers to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”
Coverage Internet service providers and telecommunications sector
Restrictions on data
CHINA
Since February 1993
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
State Security Law
Two articles of the State Security Law permit state security organs to access, when necessary, any information or data held by anyone in China. Article 11 stipulates that ‘where state security requires, a state security organ may inspect the electronic communication instruments and appliances and other similar equipment and installations belonging to any organization or individual’, and Article 18 provides that ‘when a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so.’
Coverage Horizontal
Sources
- Zhizheng Wang, ‘Systematic Government Access to Private-Sector Data in China’ (2012) 2(4) International Data Privacy Law 220, http://idpl.oxfordjournals.org/content/2/4/220.full#fn-20
- http://www.refworld.org/docid/3ae6b4dd0.html
- http://www.china.org.cn/english/China/218754.htm
Restrictions on data
CHINA
Since November 2016
Entry into force in June 2017
Since May 2018
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Cybersecurity Law
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
Under the Cybersecurity Law, network operators must promptly inform data subjects if their personal information is disclosed, tampered with or destroyed, and notification must also be made promptly to the relevant authorities.
In addition, the Personal Information Security Specification, which came into force in May 2018, requires data controllers to have security incident response plans in place. The Specification is not a legally binding text, but Chinese government agencies are likely to refer to it as the standard for determining whether companies are following China’s data protection rules.
Coverage Horizontal
Restrictions on data
CHINA
Since May 2011
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Notice to Urge Banking Financial Institutions to Protect Personal Financial Information
In case the loss or divulgence of any personal financial data occurs in breach of the banking regulations, the banking financial institution must promptly (within one day) inform the People’s Bank of China.
Telecommunication companies and internet service providers must notify the Ministry of Industry and Information Technology of any actual or potential divulgence or loss of or damage to personal data.
Coverage Financial sector
Restrictions on data
CHINA
Since February 2013
Since May 2018
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
Under the Guidelines, data subjects may at any time request the deletion of their personal data. Furthermore, under the Personal Information Security Specification, which came into force in May 2018, data subjects have a right to erasure as well as a right to account cancellation. The Specification is not a legally binding text, but Chinese government agencies are likely to refer to it as the standard for determining whether companies are following China’s data protection rules.
Coverage Horizontal
Restrictions on data
CHINA
Since November 2012
Entry into force in February 2013
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
Under the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems, personal information may be collected only after the user has been notified of an extensive set of information. This includes the purpose of collection; the means of collection, the specific information collected, and the retention period; the scope of use of the collected personal information, including the scope of any disclosure or provision of personal information to other organizations and institutions; the measures taken to protect personal information; the risks the user may face after providing personal information; and, where personal information must be transmitted or entrusted to another organization, the purpose of the transmission or entrustment, the specific personal information and scope of use of the transmitted or entrusted personal information, and the name, address, and contact information of the recipient.
The Personal Information Security Specification, which came into force in May 2018, also requires explicit consent when sensitive personal information is collected. The Specification is not a legally binding text, but Chinese government agencies are likely to refer to it as the standard for determining whether companies are following China’s data protection rules.
Coverage Horizontal
Sources
- http://www.insideprivacy.com/international/china/china-releases-national-standard-for-personal-information-collected-over-information-systems-industr/
- http://www.wipo.int/edocs/lexdocs/laws/en/cn/cn174en.pdf
- https://www.chinalawblog.com/2018/02/chinas-personal-information-security-specification-get-ready-for-may-1.html
Restrictions on data
CHINA
Since May 2018
Chapter Data policies |
Sub-chapter Data retention
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
According to the Personal Information Security Specification, which came into force in May 2018, personal information must be retained only for the shortest period and to the minimum extent necessary. After personal information has been collected, the data controller must de-identify it and store the de-identified data separately from any personally identifiable information. The Specification is not a legally binding text, but Chinese government agencies are likely to refer to it as the standard for determining whether companies are following China’s data protection rules.
Coverage Horizontal
Restrictions on data
CHINA
Since November 2016
Chapter Data policies |
Sub-chapter Data retention
Interim Regulations for the Management of Network Appoint Taxi Services Operations
China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers for at least two years.
Coverage Online taxi companies
Restrictions on data
CHINA
Since June 2016
Entry into force in August 2016
Chapter Data policies |
Sub-chapter Data retention
Administrative Provisions on Information Services of Mobile Internet Application Programs
Under the Provisions, app providers are required to keep records of users’ activities for 60 days (Art. 7(6)).
Coverage Internet app providers and mobile Internet app stores
Restrictions on data
CHINA
Since September 2000
Since December 2012
Chapter Data policies |
Sub-chapter Data retention
Regulation on Internet Information Services of the People's Republic of China (互联网信息服务管理办法)
Decision on Strengthening Network Information Protection
The Regulation on Internet Information Services of the People's Republic of China requires Internet Service Providers (ISPs) to keep records of each user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days, and to provide that information to the authorised government authorities on request (Art. 14).
In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorized government authorities (Art. 10).
Coverage Internet Service Providers
Restrictions on data
CHINA
Since November 2012
Entry into force in February 2013
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems
Article 5.4.5 of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibits the transfer of personal data abroad "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If none of these conditions is met, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas."
Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.
Coverage Horizontal
Sources
- https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
- Graham Greenleaf & George Yijun Tian, China Expands Data Protection through 2013 Guidelines, Privacy L. & Bus. Int’l Rep., Apr. 2013, at 1 (2013), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2280037
- Chander, A. and U. Lê (2015), Data Nationalism, Emory Law Review, 64, 677, p. 678-739. Available at http://law.emory.edu/elj/content/volume-64/issue-3/articles/data-nationalism.html
Restrictions on data
CHINA
Since June 2017
Reported in April 2017, entering into force in December 2018
Since May 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Cybersecurity Law
Draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
The Cybersecurity Law requires that personal information of Chinese citizens and “important data” collected by "key information infrastructure operators" (KIIOs) be stored within the borders of China (Art. 37). If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise provided by laws and regulations. The definition of KIIOs remains to be finalised. It was reported that in February 2018 Apple began hosting Chinese users' iCloud accounts, along with the corresponding encryption keys, in a Chinese data centre so as to comply with these new measures.
Additionally, the Draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, issued in April 2017 by the Cyberspace Administration of China, would expand this restriction to all "network operators". This expands the scope of the measure to cover most, if not all, cloud service providers. The draft measures allow some smaller organizations (or smaller transfers) to be subject to a simple self-assessment regime, as long as the data they seek to transfer is not deemed relevant to national security, or social and public interest. However, larger organizations and larger transfers (e.g., over 500,000 records) must be assessed by the competent authority.
Additionally, the Personal Information Security Specification, which came into force in May 2018, requires security assessments when data processing is outsourced to a third party, together with audits and contractually binding security measures. The Specification is not a legally binding text, but Chinese government agencies are likely to refer to it as the standard for determining whether companies are following China’s data protection rules.
Coverage Horizontal
Sources
- https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf
- https://www.insideprivacy.com/international/china/cross-border-data-transfer-a-china-perspective/
- http://cloudscorecard.bsa.org/2018/pdf/country_reports/2018_Country_Report_China.pdf
- https://www.reuters.com/article/us-china-apple-icloud-insight/apple-moves-to-store-icloud-keys-in-china-raising-human-rights-fears-idUSKCN1G8060
- https://www.bakermckenzie.com/en/insight/publications/2017/06/further-developments-in-draft-rules
- https://www.chinalawblog.com/2018/02/chinas-personal-information-security-specification-get-ready-for-may-1.html
- http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE
Restrictions on data
CHINA
Since 2000
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Telecommunications Regulations of the People's Republic of China (中华人民共和国电信条例)
China's Telecommunications Regulations require all data collected inside China to be stored on servers located in China. The US International Trade Commission reports that, as a result of this regulation, Hewlett Packard, Qualcomm and Uber were required to divest more than 50 percent of their Chinese businesses to Chinese companies in order to avoid fines.
Coverage Telecommunication services and cloud services
Restrictions on data
CHINA
Since November 2016
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Interim Regulations for the Management of Network Appoint Taxi Services Operations
China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.
Coverage Online taxi companies
Restrictions on data
CHINA
Since December 2015
Entry into force in January 2016
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Map Management Regulations
Online map services are required to host their servers inside China and must obtain an official certificate.
Coverage Maps services
Sources
- http://www.citylab.com/politics/2015/12/china-cracks-down-on-politcally-incorrect-maps/421032/
- http://shanghaiist.com/2015/12/17/dont_get_caught_with_wrong_maps.php
- http://www.businessinsider.com/companies-must-keep-map-data-on-servers-within-chinas-borders-2015-12?IR=T
- http://english.gov.cn/policies/latest_releases/2015/12/14/content_281475253904932.htm