Unlawful usage and disclosure of personal information in China can result in administrative penalties and in serious cases, criminal offences. The Personal Information Protection Law (‘PIPL’), the Personal Information Security Specification (‘Specification’) and Guide to Security Protection of Personal Information Online (‘Guide’) adopted on 1 November 2021, 6 March 2020, and April 10, 2019, respectively, form the legal framework regulating personal information usage and disclosure in China. Under the Laws, companies collecting data on individuals located in China are required to adopt measures to reduce mitigate unethical personal information disclosure and protect users from infringement.
Personal information violations can be severe, namely, the Criminal Law of the People’s Republic of China elevates the illegal sale or provision of citizen’s personal information to another to a criminal offense. Under Article 253 of the Criminal Law, individual violators face a maximum 3-year imprisonment term for serious violations and under exceptionally serious circumstances, an imprisonment term of 3-7 years. Equally, if the company commits the criminal offence, any directly liable officers or other directly liable individuals of the company shall be convicted and subject to the relevant criminal penalties. Therefore, companies should implement strict measures to regulate the use and disclosure of personal information.
In the below, we summarise the main do’s and don’ts of using and disclosing for companies handling the personal information of individuals located in China.
Do disclose personal information only when necessary and accordingly to law or within justifiable reasons
Article 1034 of the Civil Code defines personal information as the following:
Personal information refers to any information electronically or otherwise recorded that can be used, either alone or in combination with other information, to identify a specific natural person, including the name, date of birth, identification document number, biometric information, address, telephone number, email address, health information or whereabouts of the natural person.
Under Specification, personal information shall only be disclosed under the following conditions:
- When a security impact assessment is conducted
- When consent is obtained
- When record-keeping and retention obligations are performed
- When stating restrictions during information disclosure
Do clearly state the nature of the disclose and obtain consent
Companies processing personal information are referred as the processors and obliged to obtain consent and disclose the use of the professional information under PIPL.
Specifically, processors shall inform the individual of the following matters in a visible, clear, and easy-to-understand language, truthful, accurate and complete manner.
- The organizational or personal name and contact information of the personal information processor;
- The purpose and method of processing personal information, the type of personal information to be processed and its retention period;
- The way and procedure for the individual to exercise his/her rights provided for by this Law; and
- Any other matter to be informed as required by law or administrative regulations.
Any changes to the above shall be informed to the individual and such individual shall be able to withdraw consent. In a withdrawal, processors shall halt the collection or promptly delete the collected personal information.
Equally, PIPL prescribes the following circumstances in which individual consent is not required for disclosure.
- Where it is necessary for the conclusion or performance of a contract to which the individual is a contracting party, or where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
- Where it is necessary for performing a statutory responsibility or statutory obligation;
- Where it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of a natural person in the case of an emergency;
- Where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;
- Where the personal information, which has already been disclosed by the individual or otherwise legally disclosed.
Don’t neglect additional processing measures for sensitive personal information
For sensitive personal information, companies are required to protect such data, obtain specific consent for disclosure and inform the individual of the necessity and the impact on their rights and interests. Sensitive personal information refers to the following:
- Religious beliefs;
- Bio-metrics;
- Specific identities, medical and health;
- Financial accounts, whereabouts and other information of a natural person;
- Personal information of minors under the age of fourteen
Though the following personal information are forbidden to be disclosed
- Personal bio-metric information
- Genetic, disease and other personal physiological information
- Analysis results of the racial or ethnic identity, political opinions, religious beliefs or other sensitive personal data of Chinese citizens
Do adopt stringent control measures
The Guides requires companies processing personal information to establish administrative control system to prevent unauthorised disclosure such as leakage or tampering. Control systems should be implemented, audited and improved continuously to reduce risks and indirect violations. Additionally, the following technical control shall be implemented for robust controls.
- Establishing password and/or verification to protect the integrity and confidentiality of personal information.
- Adopting measures to detect, prevent, and combat threats against the systems processing personal information.
- Employing an authentication system to verifying the identity of users who have access to the personal information processing systems; implement and audit access control; and prevent and detect intrusions of malicious code and malware.
- Establishing data security in the authentication, access control, and audit; ensure data integrity, confidentiality, availability, and sanitation.
Don’t neglect legal liabilities
The Specification is often serves as a guide for enforcers to regulate personal information disclosure. Companies failing to comply with the relevant rules and regulations can result in administrative and criminal liabilities.
Administrative liabilities
Those processing personal information in violation of this PIPL or failing to perform any obligation of personal information protection specified in PIPL in the processing of personal information will be ordered to make a correction, given a warning, and confiscated of any illegal gain. Any illegal activities shall be entered into credit files and be disclosed to the public.
Civil liabilities
Personal information infringement under the Cyber Security Law shall be ordered to make corrections and may be subject to following penalties either alone or in combination depending on the circumstances. Penalties include a warning, confiscation of illegal gains, and a fine between twice and ten times the illegal gains or a fine up to CNY 1,000,000 if there are no illegal gains on the organisation, as well as a fine between CNY 10,000 and CNY 100,000 on any directly liable officers or other directly liable individuals of the organisation.
In serious circumstances, the organisation may be ordered to suspend the relevant operation, suspend business for rectification, shut down its website or have its relevant business permit or business licence revoked.
Criminal liabilities
Under Article 253 of the Criminal Law, individual violators face a maximum 3-year imprisonment term for serious violations and under exceptionally serious circumstances, an imprisonment term of 3-7 years. Equally, if the company commits the criminal offence, any directly liable officers or other directly liable individuals of the company shall be convicted and subject to the relevant criminal penalties.
Conclusion
Enterprises using and disclosing data should adjust and adopt work practices accordingly to legal obligations. Understanding and monitoring the changes in new regulations is essential in navigating compliance commitments. At Horizons, we have been developing data compliance frameworks for large to medium-sized companies in China.
This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com.
