The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure the verify any regulations, statistics, guidelines, or other information that are important to your efforts.

Data Protection Regulation in China

In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities have many risks for both consumers and companies. For consumers, the unauthorized access and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies of all sizes, a data breach can be ruinous. For a security breach, companies face criminal prosecution, civil penalties, audit, lawsuit liability, extreme expense to notify customers, to investigate the breach, to compensate customers, and update the system to prevent another such breach, and a loss of profits from a decrease in consumer confidence and a negative reputation. Although China does not have comprehensive data protection regulation, it is important to protect your customers’ privacy and personal data.

China recently passed a new data protection law that will go into effect in the summer of 2017. Some of the new requirements include required security checks on companies in certain industries, like finance and communications and mandatory in-country data storage. Globig will keep this Chinese data protection information current as the law changes.

What laws and regulations apply?

China does not have comprehensive or consolidated data protection legislation in place, rather there are data protection rules enforced by specific sectors within China, e.g., the financial sector and the telecommunications sector.

The People’s Republic of China Constitution protects an individual's right to dignity and privacy. Furthermore, there are consumer protection and cybersecurity laws that protect personal information in different contexts.

What are key principles or best practices in the processing of personal data in China?

Although there aren’t any specific rules that apply to data protection in general, some existing sector specific data protection rules are as follows:

• Data subjects should be expressly informed of the purpose, method, and scope for collecting and using their personal data. It is implied that the collection and use must not exceed the prescribed purpose, method, and scope. Furthermore, consent is generally required. Because it’s not clear whether that consent should be explicit or implied, seek legal advice.

• Personal data should not be illegally or improperly collected, used, or transferred.

• Unnecessary personal data should not be collected.

• Personal data should be kept strictly confidential, and should not be disclosed, sold, or illegally provided to others. Technical measures should be taken to ensure data security and prevent data leakage, loss, or theft. If such event occurs, immediate remedial measures should be taken.

• Data subjects may have access to their personal data.

• Data subject may correct mistakes concerning their data.

What laws or regulations apply to cookies?

There are no specific laws that govern the use of cookies.

What laws or regulations apply to the transfer of data outside China?

There are no general laws that govern the international transfer of personal data. There are a few industries in which there are specific international data transfer laws, including financial, credit, and health data.