CHINA DATA PROTECTION & CYBER SECURITY

Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?

The Civil Code of the People’s Republic of China (the “Civil Code”) was approved by the National People’s Congress of China on May 28, 2020 and took effect on Jan 1, 2021. In 2020, the draft versions of the Personal Information Protection Law (the “PIPL Draft”) and the Data Security Law (the “DSL Draft”) were also released for public comments. The two drafts, once officially passed and implemented, will together with the Cyber Security Law of the People’s Republic of China (the “CSL”) become the three pillars in the realm of cyber security and data protection. Having come into effect on 1 June 2017, the CSL forms the backbone of cybersecurity and data privacy protection. Since the CSL does not stipulate comprehensive rules, China’s data and privacy framework appears to be a patchwork of various laws, measures, and sector-specific regulations, as well as national standards. From here, the three-dimensional structure of “Civil Code - Data protection & Cyber security laws - Respective regulations and standards” has been established.

The Civil Code stipulates privacy and personal information protection in the chapter on “Rights of Personality”. It does not distinguish between the data controller and data processor as defined under the European General Data Protection Regulations (the “GDPR”), and uniformly introduces obligations on information handlers when processing personal information.

Similar to the Civil Code, the PIPL Draft only specifies the personal information handler[1] (“个人信息处理者”; to avoid misunderstanding, hereinafter referred to as “personal information controller”, since its definition is similar to that of data controller under the GDPR). The roles, such as the entrusted data processing party, are characterized by behaviors of parties concerned. It is noteworthy that both the PIPL Draft and the DSL Draft stipulate the extra-territorial application of the law under certain circumstances. The PIPL Draft applies to the activities carried out outside the territory of the People’s Republic of China (“PRC”) for the purpose of providing services to, or analyzing and evaluating the behaviors of natural persons[2]. The DSL Draft pursues legal liability for data activities engaged in outside the territory of the PRC which harm the state security, public interests, or the legitimate rights and interests of citizens or organizations of the PRC[3].

The CSL imposes different cybersecurity and data privacy obligations on network operators and critical information infrastructure operators (“CIIOs”). Network operators encompass virtually all companies involved in any kind of Internet-based services[4]. Among them, CIIOs are the network operators of the critical information infrastructure in important industries that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests[5].

The non-binding national standard of Information Security Technology - Personal Information Security Specification (the “PI Specification”), which became effective as of 1 October 2020, illustrates the obligations of privacy protection in detail. Drafted with reference to the GDPR, the PI Specification adopts some definitions in the GDPR, e.g., the definitions of personal information controller and personal information processor[6] mirror the definitions of data controller and data processor under the GDPR. The PI Specification plays a key role in personal information protection and has been cited by courts and enforcement authorities. An increasing number of companies in the market also tend to refer to the PI Specification as the standard when conducting self-auditing of their personal information protection.

For certain types of information in special sectors, the authorities have enacted special regulations or standards. Take the financial sector as an example: the People’s Bank of China, the central bank of China responsible for regulation of financial institutions in mainland China, has issued rules to protect personal financial information even prior to the legislation of the CSL, such as the Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests in 2020.

The enforcement authorities in this field at least include the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MPS”), State Administration for Market Regulation (“SAMR”) and industry regulators.

References
[1] PIPL Draft. Art. 69(1). A personal information handler refers to any organization or individual that independently determines the purpose and method of processing and other personal information processing matters.
[2] PIPL Draft. Art. 3.
[3] DSL Draft. Art. 2.
[4] CSL. Art. 76. A Network Operator (NO) refers to the owner or manager of a network or the provider of a network service.
[5] CSL. Art. 31. CIIO refers to the network operator of the critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests.
[6] The PI Specification does not specify the definition of personal information processor, but imposes obligations
directly on the trustee where the personal information controller entrusts a third party to process personal information.

Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

There is no binding law requiring data controllers/processors to register a privacy mechanism; however, if they fall into the scope of Network Operator under the CSL, they shall comply with the Multi-Level Protection Scheme (“MLPS”) requirements.

The DSL Draft stipulates that operators providing specialized online data processing and other services shall obtain a business license or register in accordance with the law, and detailed measures will be formulated by the competent telecommunications department such as MIIT[1]. It also lays down penalties for operators engaging in related businesses without permission or registration[2].

References
[1] DSL Draft. Art. 31.
[2] DSL Draft. Art. 44.

How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

Personal information under the CSL is defined as the information that is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person[1]. Personal information under the Civil Code is essentially similar to that under the CSL, while the Civil Code only specifies the recognition of the natural person. The PIPL Draft and the PI Specification expand the definition of “personal information” to include the information that reflects a person’s activities[2], which allows the possibility to broaden the scope of personal information.

Sensitive personal information is defined in the PI Specification[3] and the PIPL Draft[4] as information that, if leaked, illegally provided or used without authorization, will endanger human rights and property interest, or cause damages to reputation, physical and mental health, or lead to discriminatory treatment. The PIPL Draft also stipulates that the personal information controller shall have a specific purpose and sufficient necessity to process the sensitive personal information.

Another key concept is the “important data” that is defined as data closely related to national security, economic development, and social and public interests[5].

References
[1] Civil Code. Art. 1034; CSL. Art. 76.5.
[2] PIPL Draft. Art. 4; PI Specification. 3.1.
[3] PI Specification. 3.2
[4] PIPL Draft. Art. 29.
[5] Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft). Art. 17 (stipulating that specific scope of “important data” needs to refer to
relevant national standards and important data identification guidelines for its specific scope. The official national standards and guidelines have not come out yet).

What are the principles related to, the general processing of personal data or PII?

The Civil Code and the CSL stipulate that personal information controllers shall abide by the “lawful, justifiable and necessary” principles to collect and use personal information[1].

The PIPL Draft sets out the following seven basic principles for personal information controllers to follow when carrying out personal information processing activities:

i. Personal information shall be processed in a lawful and proper manner and in accordance with the principle of good faith, and shall not be processed by fraud, misleading or other means[2];
ii. Personal information shall be processed for a definite and reasonable purpose instead of any purpose irrelevant to the purpose of processing[3];
iii. Processing of personal information shall be limited to the minimum scope for achieving the purpose of processing[4];
iv. Processing of personal information shall expressly indicate the rules for processing personal information[5];
v. Personal information processed shall be updated in a timely manner[6];
vi. Personal information controllers shall be responsible for the personal information processing[7];
vii. Personal information controllers shall take necessary measures to ensure the security of the personal information processed[8].

Compared with the PIPL Draft, the PI Specification additionally provides the principle of subject participation, under which the personal information controller shall provide the personal information subject with means to fulfil his/her rights[9], but lacks the principle of accuracy.

References
[1] Civil Code. Art. 1035; CSL. Art. 41.
[2] PIPL Draft. Art. 5.
[3] PIPL Draft. Art. 6.
[4] PIPL Draft. Art. 6.
[5] PIPL Draft. Art. 7.
[6] PIPL Draft. Art. 8.
[7] PIPL Draft. Art. 9.
[8] PIPL Draft. Art. 9.
[9] PI Specification. 4 g).

Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there any rules relating to the form, content and administration of such consent?

Overall, a noticeable difference from GDPR is that the legal basis under the CSL is entirely consent-based. The CSL requires the personal information controllers to expressly notify and obtain consent of the users if the products or services collect user information and comply with relevant laws and regulations governing personal information protection if personal information of users is involved[1]. With a few exceptions[2] discussed under Question 8, a personal information controller is required to inform the personal information subject of the purposes, means and scope of the collection and use of his or her personal information, and consent must be obtained prior to such collection[3]. The legal bases under Chinese laws and regulations are also undergoing changes over time as the PIPL Draft breaks through the restrictions set by the CSL and takes a further step closer to the GDPR (discussed under Question 8).

The PI Specification aims to guarantee the PI subjects’ autonomy on personal information processing by requiring the controller to permit the subjects to make free choice when there are multiple functions[4]. Annex C of the PI Specification provides detailed means for realizing the autonomy of the personal information subjects. Particularly, before the extended business function is used for the first time, the personal information subject shall be informed of the extended business function and the circumstance of personal information collection via pop-ups, text descriptions, checking boxes, prompts, etc., and allowed to select and give consent to the extended business function one by one[5]. Any processing of personal information thereafter must be carried out within the scope of the consent. A renewed consent is required when the processing exceeds the original scope of consent[6].

Besides, “separate consent” and “written consent” are new requirements introduced by the PIPL Draft, which are not yet clearly defined and might raise the requirement on the form of consent needed[7]. The situations requiring separate or written consent include providing personal information to a third party[8], publishing the personal information[9], collecting personal images and personal identity characteristic information by devices in public places and providing to other persons or making public[10], providing
the personal information outside the territory of PRC[11], processing sensitive personal information[12], etc.

References
[1] CSL. Art. 41.
[2] The exceptions are listed in Art 1036 of the Civil Code and Art 5.6 of the PI Specification.
[3] CSL. Art. 41.
[4] PI Specification. 5.3
[5] PI Specification. Annex C. 4 a).
[6] PI Specification. 7.3 a).
[7] PIPL Draft. Art. 30.
[8] PIPL Draft. Art. 24.
[9] PIPL Draft. Art. 26.
[10] PIPL Draft. Art. 27.
[11] PIPL Draft. Art. 39.
[12] PIPL Draft. Art. 30.

What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?

Under the PI Specification, explicit consent from the personal information subject is required for processing sensitive personal information[1]. “Explicit consent” is defined as express consent given in writing or orally or through other affirmative actions freely made by personal information subjects[2]. A personal information controller is required to ensure that the explicit consent of the personal information subject is his/her autonomous, specific and clear willingness given after being fully informed[3]. In addition, before collecting biometric information (discussed under Question 19), the personal information controller should separately inform the personal information subject of the purpose, method and scope of collecting and using personal biometric information, as well as the retention period and other rules, and obtain the explicit consent of the personal information subject[4].

The PIPL Draft puts forward a separate consent requirement for the processing which is subject to the individual’s consent and involves sensitive personal information[5]. Besides, according to the PIPL Draft, personal information controllers should assess the risk in advance before processing sensitive personal information[6]. The Measures for the Supervision and Administration of the Online Trading prescribe that the dealers engaging in online trading should obtain consent for each item when collecting sensitive personal information[7].

There might be requirements on data which are prohibited from collection in special industry sectors. For example, credit investigation organizations shall be prohibited from collecting personal information pertaining to religion, gene, fingerprint, blood type, diseases and medical history and other personal information for which collection is prohibited by laws and administrative regulations[8].

References
[1] PI Specification. 5.4 b)
[2] PI Specification. 3.6.
[3] PI Specification. 5.4 b).
[4] PI Specification. 5.4 c).
[5] PIPL Draft. Art. 30.
[6] PIPL Draft. Art. 54.
[7] Measures for the Supervision and Administration of the Online Trading. Art. 13.
[8] Administrative Regulations on Credit
Investigation Industry. Art. 14.

How do the laws in your jurisdiction address children’s personal data or PII?

Personal information of persons aged 14 or under is children’s personal information and is classified as sensitive personal information under the PI Specification[1]. Before collecting personal information of minors[2] aged 14 or older, explicit consent shall be sought from the minors or their guardians; where the minors are aged under 14, explicit consent shall be sought from their guardians[3].

Activities related to children’s personal information are also subject to the special protection of the Provisions on the Cyber Protection of Children’s Personal Information. The PIPL Draft also provides for parental consent if the controller knows or should have known that it processes personal information of minors below the age of 14[4].

References
[1] PI Specification. 3.2.
[2] Eighteen is the age of majority in China.
[3] PI Specification. 5.4 d).
[4] PIPL Draft. Art. 15.

Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

Legislative tendency of legal bases

Unlike the current legal framework, where the CSL establishes the consent of personal information subjects as the only legal basis for personal information processing, the Civil Code provides legal basis provided by laws and administrative regulations. The PIPL Draft follows the rules in the Civil Code, breaking through the restrictions set by the CSL, and prescribes other legal bases as follows:

When the processing is essential for:
  Entering into or performing a contract; or
  Performing statutory responsibilities or obligations; or
  Responding to public health emergencies or for protecting the life, health or property safety of natural persons in emergency situations;
Actions for public interests such as news reporting and public opinion supervision within the reasonable scope of processing;
Other circumstances as stipulated by laws and administrative re

The PIPL Draft does not include the pursuit of legitimate interests as one of the legal bases to process personal information, considering the implementation difficulties in other countries and the current situation in China.

II. Exceptions to obtaining consent

The PI Specification elaborates detailed exceptions to obtaining consent of the personal information subject for the collection and use of personal information as follows[1]:
