China Data Protection 2021

Data Protection in China has progressed significantly in recent years, starting from the issuance of the Cybersecurity Law (2016) to the more recent introduction of the Civil Code of the People’s Republic of China (2021). The Civil Code became effective on 1 January 2021, and expressly provides for the right to privacy and the protection of personal information.

The Civil codes provides for the protection of personal information ushering in a new regime of data, privacy and personal identification protection requirements which companies operating in China or globally with Chinese citizens must comply with.

In addition to the enacted Cybersecurity Law and the Civil Code, two additional laws have been issued for commentary in 2020, The Data Security Law and the Personal Information Protection Law. These are expected to be promogulated in either 2021 or 2022.

While the Civil Code provides for the rights of the individual, the Cybersecurity Law, the Data Security Law, and the Personal Information Law will provide the main legislative instruments for ensuring cybersecurity and data protection.


Cybersecurity Law

The Cybersecurity Law became effective on the 1st of June 2017.

The Cybersecurity Law contains personal information protection requirements which are applicable to all enterprises that operate a computerised information network system. The Cybersecurity Law contains a data localisation requirement, under which operators may not transmit personal information which they collect or generate within China in the course of operating their business in China to a destination outside of China, unless they first undergo a security assessment.

The Cybersecurity Law also establishes personal information protection obligations for network operators. Specifically, under the Cybersecurity Law, network operators are subject to notice and consent requirements in respect to the collection and use of personal information, and a requirement to comply with the principles of legitimacy, rightfulness, and necessity.


The Data Security Law

On 3 July 2020, the Data Security Law (Draft) was issued for public comment. The Data Security Law is considered to be a fundamental piece of legislation in the field of data security and is set to constitute the legal system for data regulation together with Cybersecurity Law and the Personal Information Protection Law.


Personal Information Protection Law

On 21 October 2020, the Personal Information Protection Law (Draft) was issued for public comment.

Reliant on the rights of the Civil Code and the rules of the Cybersecurity Law, Data Security Law and other relevant laws and regulations in China and overseas, the Personal Information Protection Law establishes the personal information processing rules, rights of individuals in personal information processing activities, and the obligations of personal information processors, and provides a comprehensive regulatory legal framework for personal information protection in China.

The Law borrows some principles from the General Data Protection Regulation similarly applies to the processing of personal information outside China in the following circumstances: (1) where the purpose is to provide products or services to individuals in China; (2) the analysis or assessment of the activities of individuals in China; and (3) other situations as stipulated by laws and regulations (art. 3).

Recent articles