Highlights of the Mainland’s Personal Information Protection Law

Introduction

The Personal Information Protection Law, the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and was effective from 1 November 2021.

The Personal Information Protection Law establishes individuals’ consents as the principal legal basis for processing personal information. It requires that the processing of personal information shall abide by the principles of legality, fairness, good faith, minimum necessity, openness and transparency. There shall also be specific and reasonable purposes of processing.

Individuals shall have the right to access and obtain a copy of their personal information from the processors of personal information (similar to data users under the Personal Data (Privacy) Ordinance of Hong Kong). Individuals can also request the processors of personal information to rectify or delete their personal information, as well as to provide them with means to transfer their personal information to other processors.

When processing personal information of a minor under the age of 14, processors of personal information shall obtain the consent of the minor’s parent or guardian, and establish specific processing rules.

The Personal Information Protection Law prohibits the use of automated decision-making based on personal information if it leads to discriminatory trade practices such as unreasonable price discrimination against individuals. In addition, when automated decision-making is used for push notification or marketing, individuals shall be provided with an option for not receiving personalised information or convenient opt-out channels.

Processors of personal information which need to transfer personal information out of the Mainland shall obtain separate consent from individuals, and meet certain requirements, such as passing the security assessment made by the state cyberspace authorities, obtaining the required certification, or entering into a standard contract as prescribed by the state cyberspace authorities.

The Personal Information Protection Law contains provisions on extraterritorial application. Foreign organisations which process personal information of individuals in the Mainland for the purposes of offering products or services to them, or analysing and assessing their behaviours, shall be subject to this law. These foreign organisations shall also establish designated agencies or appoint representatives in the Mainland.

The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulatory work. Ministries of the State Council shall be responsible for the protection of personal information and regulatory work within their purview.

A processor of personal information which contravenes the requirements under the Personal Information Protection Law is liable to a maximum fine of RMB 50,000,000 or 5% of its annual turnover of the preceding year. Other penalties may include suspension of operation for rectification, cancellation of business permits or licenses, etc.

The full text of the Personal Information Protection Law (in Chinese only) is available on the website of the National People’s Congress: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml

Below are the highlights of the Personal Information Protection Law.

Disclaimer

The information provided in this webpage is for general reference only. It does not serve as an exhaustive guide to the application of the Personal Information Protection Law and does not constitute legal or other professional advice. The Privacy Commissioner for Personal Data makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information set out on this webpage. Organisations and individuals who want to comply with the requirements under the Personal Information Protection Law should seek professional legal advice.

1. Legislative Purpose

To protect the rights and interests in relation to personal information, regulate processing activities of personal information, and facilitate the rational use of personal information[1].

2. Targets to be Regulated

The Personal Information Protection Law regulates personal information processing activities in the Mainland[2], including the processing activities carried out by state organs[3].

A processor of personal information refers to any organisation or individual that is able to make its own decision on the purpose, means of processing and other matters relating to the processing of personal information[4].

3. Extra-territorial Application

Foreign organisations carrying out personal information processing activities in foreign countries for the purpose of, among others, offering products or services to natural persons in the Mainland, or analysing and assessing the behaviours of natural persons in the Mainland shall be subject to the Personal Information Protection Law[5].

Foreign processors of personal information that are subject to the requirements under Article 3(2) of the Personal Information Protection Law shall establish designated agencies or appoint representatives in the Mainland. These agencies or representatives shall be responsible for matters relating to the protection of personal information[6].

4. Definition of Personal Information

Personal information refers to all kinds of information, recorded electronically or in other forms, that relates to identified or identifiable natural persons, excluding anonymised information[7].

5. Sensitive Personal Information

Sensitive personal information refers to personal information that, if leaked or used illegally, may easily cause harm to the dignity of natural persons, or serious damage to the safety of individuals and properties, including information relating to biometric identification, religious beliefs, specific identities, healthcare, financial accounts, individual location tracking, etc., as well as personal information of minors under the age of 14[8].

Processors of personal information shall only process sensitive personal information if there is a specific purpose and a sufficient necessity, and when stringent protective measures are in place[9].

Separate consent shall be obtained from individuals when processing sensitive personal information, unless otherwise specified by other laws and regulations[10].

Any installation of image collection and personal identity recognition facilities in public premises shall be for the purpose of, and necessary for, ensuring public security. Signage shall be prominently displayed. Personal images and personal identification information collected shall only be used for the purpose of ensuring public security, and shall not be used for other purposes, unless separate consent from individuals has been obtained[11].

Prior to processing sensitive personal information, processors of personal information shall carry out personal information protection impact assessments. The relevant reports and records shall be retained for at least three years[12].

6. Transparency

When processing personal information, the principles of openness and transparency shall be adhered to. The rules on personal information processing shall be publicised, and the purposes, means and scope of processing shall be made available explicitly[13].

Processors of personal information shall, before processing personal information, inform individuals prominently using comprehensible language and in a truthful, accurate and complete manner of: (1) their names and contact information; (2) processing purposes, means of processing, categories of personal information processed, and the retention period; and (3) methods and procedures for individuals to exercise their rights, etc.[14]

If processors of personal information provide individuals with the above information by setting up personal information processing rules, they shall publicise the rules and ensure that the rules are easily accessible and can be retained[15].

If processors of personal information need to transfer personal information due to mergers, divisions, dissolutions or bankruptcies, they shall inform individuals of the recipients’ names and contact information[16].

7. Collection, Use and Disclosure, etc.

The processing of personal information refers to the collection, retention, use, handling, transmission, provision, disclosure, erasure, etc., of personal information[17].

Processing of personal information shall abide by the principles of legality, good faith, necessity and integrity. It shall not be conducted by means that are fraudulent, misleading or coercive, etc.[18]

When processing personal information, there shall be a specific and reasonable purpose. Processing of personal information shall be directly related to the purpose, and the impact on individuals’ rights and interests shall be kept to a minimum. Collection of personal information shall be minimised and shall not be excessive in relation to the purpose of processing[19].

Processors of personal information shall only process personal information under the situations prescribed in the Personal Information Protection Law, including (1) when individuals’ consents have been obtained; (2) for performance of a contract, or carrying out human resources management; (3) for fulfilling legal duties/obligations; (4) for news reporting in the public interest; and (5) when the personal information concerned has been disclosed publicly by individuals themselves or otherwise legally disclosed, and the processing is within a reasonable scope[20].

When processing personal information of minors under the age of 14, processors of personal information shall establish specific personal information processing rules[21].

Organisations and individuals shall be prohibited from illegally collecting, using, processing, transferring, trading, providing or publicising personal information of other individuals, and shall not carry out personal information processing activities which endanger national security and public interests[22].

8. Consent

An individual’s consent refers to consent which is given voluntarily and unambiguously by the individual who has been fully informed. Where the laws and regulations require separate or written consent for processing personal information, such requirement shall be complied with[23]. Obtaining individuals’ consents is one of the legal bases for processing personal information[24].

When there is any change to the processing purpose, means of processing and categories of personal information, consent shall be obtained again[25].

If the processing of publicly disclosed personal information has serious impact on the rights and interests of individuals, the individuals’ consents shall be obtained[26].

Processors of personal information shall obtain separate consents from individuals when:

  • providing personal information to other processors of personal information[27];
  • publicising personal information[28];
  • processing sensitive personal information[29];
  • personal images and identification information collected in public venues are used for purposes other than public security[30]; and
  • transferring personal information out of the Mainland[31].

When processing personal information belonging to a minor under the age of 14, processors of personal information shall obtain the consent of his or her parent or guardian[32].

Processors of personal information shall not refuse to offer products or services on the ground that individuals refuse to give consent or withdraw their consent to the processing of their personal information[33].

9. Security

Processors of personal information shall be accountable for their personal information processing activities, and implement necessary measures to ensure the security of the personal information that they process[34].

Processors of personal information which engage third parties to process personal information shall enter into a contract with the third parties to specify the purposes, duration and means of processing, categories of personal information and protection measures involved, as well as the rights and obligations of both parties, etc. The processors shall supervise the processing activities carried out by the third parties[35].

Parties engaged to process personal information shall implement necessary measures to safeguard the security of the personal information processed[36].

10. Retention Period

The retention period of personal information shall be the shortest time necessary for fulfilling the purpose of processing[37].

Processors of personal information shall, whether on their own volition or upon the request of individuals, erase the personal information under the situations prescribed in the Personal Information Protection Law, such as when (1) the retention period has come to an end, (2) the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose, (3) the consent of the individual has been withdrawn, or (4) the processors of personal information have ceased providing products or services[38].

11. Accuracy

When processing personal information, the quality of the personal information shall be guaranteed in order to avoid any adverse impact on individuals’ rights and interests caused by inaccurate or incomplete personal information[39].

12. Accountability and Governance

Having regard to the purposes, means of processing, categories of personal information, the impact on individuals’ rights and interests, and potential security risk, etc., processors of personal information shall implement measures to ensure that their personal information processing activities comply with the laws and regulations, and to prevent any unauthorised access to, leakage, distortion or loss of the personal information. These measures include: (1) establishing internal management systems and operating procedures; (2) managing personal information by category; and (3) employing security and technological measures such as encryption and de-identification, etc.[40]

Processors of personal information shall appoint a personal information protection officer if the quantity of personal information that they process reaches the threshold set by the state cyberspace authorities. The personal information protection officer shall be responsible for supervising the personal information processing activities and the implementation of protective measures[41].

Processors of personal information shall regularly conduct compliance audits of their personal information processing to ensure that these activities adhere to the laws and regulations[42].

Personal information protection impact assessments shall be conducted by processors of personal information prior to the following situations: (1) processing sensitive personal information; (2) conducting automated decision-making; (3) engaging other parties to process personal information, and providing other processors of personal information with or publicising personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities which have serious impact on the rights and interests of individuals. Relevant reports and records shall be retained for at least three years[43].

13. Obligations of Internet Platforms

Processors of personal information who provide important internet platform services, have a large number of users and operate with complex business models should fulfil specific obligations, including (1) establishing and improving compliance systems for personal information protection and establishing independent bodies comprising mainly external members to supervise their personal information processing activities; (2) abiding by the principles of transparency, fairness and impartiality, establishing platform rules, and specifying the personal information processing practices and obligations of the platforms’ product and service providers; (3) suspending service to product or service providers which seriously violate the laws and regulations when processing personal information; and (4) publishing social responsibility reports on personal information protection on a regular basis and accepting supervision by the public[44].

14. Breach Notification

In the event of leakage of, tampering with, or loss of personal information, or when such events may have occurred, processors of personal information shall take remedial actions immediately, and notify personal information protection authorities as well as individuals. The notification shall include (1) categories of personal information involved, causes of the incidents and potential harm; and (2) remedial measures taken by the processors of personal information and mitigation measures that individuals may take, etc.[45]

If processors of personal information consider that the measures taken can prevent any harm arising from the leakage of, tampering with, or loss of information, they may choose not to notify individuals. However, if personal information protection authorities consider that the personal information leakage may cause harm to individuals, they may require the processors of personal information to notify the individuals[46].

15. Cross-border Data Transfer

Processors of personal information who need to transfer personal information out of the Mainland shall first carry out personal information protection impact assessments[47]. Processors of personal information shall also obtain separate consent from individuals and meet one of the following requirements[48]:

  • passing the security assessment conducted by the state cyberspace authorities;
  • obtaining certification in relation to personal information protection from professional institutions according to the regulations of the state cyberspace authorities;
  • entering into a standard contract as prescribed by the state cyberspace authorities with the overseas receiving parties to stipulate the rights and obligations of both parties;
  • fulfilling the requirements stipulated in other laws or regulations, or in the rules set by the state cyberspace authorities.

If the international treaties and agreements that the People’s Republic of China has concluded or acceded to contain provisions on the requirements of transferring personal information out of the Mainland, those requirements shall be complied with[49].

Processors of personal information shall carry out necessary measures to ensure that the personal information processing activities undertaken by the foreign receiving parties meet the personal information protection standard prescribed by the Personal Information Protection Law[50].

In addition, processors of personal information shall inform individuals of the names of the foreign receiving parties, their contact information, processing purposes, means of processing, categories of personal information involved, the ways and procedures by which individuals can enforce their rights under the Personal Information Protection Law, etc. Processors of personal information shall also obtain separate consent from individuals for the transfer of personal information[51].

Operators of critical information infrastructure, and processors of personal information for which the quantity of personal information processed reaches the threshold set by the state cyberspace authorities, shall store the personal information collected and generated in the Mainland locally. If it is necessary to transfer the personal information overseas, they shall pass the security assessment conducted by the state cyberspace authorities, unless other laws, regulations or rules set by the state cyberspace authorities exempt them from undertaking the security assessment[52].

16. Personalised and Automated Decision-making

Automated decision-making refers to the use of computer programmes to automatically analyse, assess and make decisions about the behaviours, habits, interests, hobbies as well as financial, health and credit conditions of individuals[53].

Processors of personal information using personal information in automated decision-making shall ensure that the decision-making processes are transparent, and the results are fair and impartial. There shall not be any unreasonable price discrimination against individuals[54].

If the automated decisions cause significant impact on individuals’ rights and interests, the individuals shall have the right to request the processors of personal information to provide an explanation, and to object to decisions made solely by automated processes[55].

When automated decision-making is used for push notification and marketing, individuals shall be provided with an option for not receiving personalised information or convenient opt-out channels[56].

Prior to implementing automated decision-making, processors of personal information shall conduct personal information protection impact assessments and retain the relevant reports and records for at least three years[57].

17. Data Access and Correction

Individuals shall have the right to access and obtain a copy of their personal information from processors of personal information, and processors of personal information shall respond in a timely manner[58].

If individuals discover that their personal information is inaccurate or incomplete, they shall have the right to request the processors of personal information to correct and supplement it[59].

Processors of personal information shall establish a convenient mechanism for accepting and processing the requests made by individuals. They shall provide individuals with reasons when denying their requests. Individuals may institute legal proceedings in the courts against processors of personal information that deny their requests[60].

18. Personal Information Portability

If individuals request processors of personal information to transfer their personal information to their designated processors of personal information, and the requests fulfil the conditions stipulated by the state cyberspace authorities, processors of personal information shall provide the means for transfer[61].

19. Right to Erase, Restrict or Refuse Personal Information Processing

Processors of personal information shall, on their own volition or upon receiving requests from individuals, erase personal information under one of the following situations[62]:

  • the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose of processing;
  • processors of personal information have ceased providing products or services;
  • the retention period has come to an end;
  • individuals have withdrawn their consent;
  • processors of personal information have violated the laws, regulations or agreements when processing personal information;
  • other situations provided by the laws or regulations.

If erasure of personal information is technically infeasible, processors of personal information shall cease processing the personal information, except for processing which is necessary for the storage and security of the personal information[63].

Individuals shall have the right to restrict or refuse the processing of their personal information by others, except when the laws or regulations stipulate otherwise[64].

Close relatives of deceased natural persons may, for their own lawful and proper interests, exercise the rights in respect of the personal information of the deceased, such as accessing, obtaining a copy of, rectifying and erasing the information[65].

20. Enforcement Authorities

The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulatory work. Ministries of the State Council shall be responsible for the protection of personal information and regulatory work within their purview of duties[66].

The above authorities shall generally be referred to as personal information protection authorities[67].

Personal information protection authorities shall refer illegal personal information processing activities that come to their attention while carrying out their duties to public security authorities if the activities may constitute criminal offences[68].

21. Penalty

In the event that the processing of personal information violates the requirements in the Personal Information Protection Law, personal information protection authorities may issue an order for rectification, issue warnings and confiscate any unlawful income. Those refusing to rectify shall be liable to a fine of up to RMB 1,000,000. The person in charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine between RMB 10,000 and RMB 100,000[69].

For cases of a serious nature, personal information protection authorities above the provincial level may issue an order of rectification, confiscate any unlawful income, and impose a fine of up to RMB 50,000,000 or 5% of annual turnover for the previous year. The personal information protection authorities may also issue an order of suspension of business or operation for rectification, and notify the authorities in charge for cancellation of business permits or licenses. The person in charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine between RMB 100,000 and RMB 1,000,000, and may be barred from serving as directors, supervisors, senior officers and personal information protection officers in corporations within a certain period of time[70].

If the violation of the Personal Information Protection Law amounts to a public security offence, such act shall be liable to public security penalties. If it amounts to a criminal offence, criminal liability shall be pursued[71].

Contraventions of the requirements under the Personal Information Protection Law may be entered into credit files and publicised[72].

22. Civil Compensation

If the processing of personal information infringes individuals’ personal information rights and interests and causes harm, and the processors of personal information cannot prove that they are not at fault, the processors of personal information shall be liable for damages and other civil liabilities. The damages shall be determined on the basis of any loss suffered by the individual or any profit gained by the personal information processor. If the loss and profit are difficult to ascertain, the amount of the damages shall be decided on the actual circumstances[73].

If processors of personal information violate the requirements under the Personal Information Protection Law when processing personal information and infringe the rights and interests of a large number of individuals, the People’s Procuratorate, organisations endorsed by the state cyberspace authorities, and consumer organisations stipulated by the laws may file a lawsuit with the People’s Court according to the law[74].

[1] Article 1 of the Personal Information Protection Law
[2] Article 3 of the Personal Information Protection Law
[3] Article 33 of the Personal Information Protection Law
[4] Article 73(1) of the Personal Information Protection Law
[5] Article 3 of the Personal Information Protection Law
[6] Article 53 of the Personal Information Protection Law
[7] Article 4 of the Personal Information Protection Law
[8] Article 28 of the Personal Information Protection Law
[9] Article 28 of the Personal Information Protection Law
[10] Article 29 of the Personal Information Protection Law
[11] Article 26 of the Personal Information Protection Law
[12] Articles 55 to 56 of the Personal Information Protection Law
[13] Article 7 of the Personal Information Protection Law
[14] Article 17 of the Personal Information Protection Law
[15] Article 17 of the Personal Information Protection Law
[16] Article 22 of the Personal Information Protection Law
[17] Article 4 of the Personal Information Protection Law
[18] Article 5 of the Personal Information Protection Law
[19] Article 6 of the Personal Information Protection Law
[20] Article 13 of the Personal Information Protection Law
[21] Article 31 of the Personal Information Protection Law
[22] Article 10 of the Personal Information Protection Law
[23] Article 14 of the Personal Information Protection Law
[24] Article 13 of the Personal Information Protection Law
[25] Article 14 of the Personal Information Protection Law
[26] Article 27 of the Personal Information Protection Law
[27] Article 23 of the Personal Information Protection Law
[28] Article 25 of the Personal Information Protection Law
[29] Article 29 of the Personal Information Protection Law
[30] Article 26 of the Personal Information Protection Law
[31] Article 39 of the Personal Information Protection Law
[32] Article 31 of the Personal Information Protection Law
[33] Article 16 of the Personal Information Protection Law
[34] Article 9 of the Personal Information Protection Law
[35] Article 21 of the Personal Information Protection Law
[36] Article 59 of the Personal Information Protection Law
[37] Article 19 of the Personal Information Protection Law
[38] Article 47 of the Personal Information Protection Law
[39] Article 8 of the Personal Information Protection Law
[40] Article 51 of the Personal Information Protection Law
[41] Article 52 of the Personal Information Protection Law
[42] Article 54 of the Personal Information Protection Law
[43] Articles 55 to 56 of the Personal Information Protection Law
[44] Article 58 of the Personal Information Protection Law
[45] Article 57 of the Personal Information Protection Law
[46] Article 57 of the Personal Information Protection Law
[47] Articles 55 to 56 of the Personal Information Protection Law
[48] Articles 38 to 39 of the Personal Information Protection Law
[49] Article 38 of the Personal Information Protection Law
[50] Article 38 of the Personal Information Protection Law
[51] Article 39 of the Personal Information Protection Law
[52] Article 40 of the Personal Information Protection Law
[53] Article 73(2) of the Personal Information Protection Law
[54] Article 24 of the Personal Information Protection Law
[55] Article 24 of the Personal Information Protection Law
[56] Article 24 of the Personal Information Protection Law
[57] Articles 55 to 56 of the Personal Information Protection Law
[58] Article 45 of the Personal Information Protection Law
[59] Article 46 of the Personal Information Protection Law
[60] Article 50 of the Personal Information Protection Law
[61] Article 45 of the Personal Information Protection Law
[62] Article 47 of the Personal Information Protection Law
[63] Article 47 of the Personal Information Protection Law
[64] Article 44 of the Personal Information Protection Law
[65] Article 49 of the Personal Information Protection Law
[66] Article 60 of the Personal Information Protection Law
[67] Article 60 of the Personal Information Protection Law
[68] Article 64 of the Personal Information Protection Law
[69] Article 66 of the Personal Information Protection Law
[70] Article 66 of the Personal Information Protection Law
[71] Article 71 of the Personal Information Protection Law
[72] Article 67 of the Personal Information Protection Law
[73] Article 69 of the Personal Information Protection Law
[74] Article 70 of the Personal Information Protection Law