The Evolving Personal Information Regulatory Framework in the Mainland of China

The Mainland of China has been stepping up its regulation on the protection of personal information in the last few years. Although there is yet a comprehensive piece of legislation specifically directed at personal information protection in the Mainland, the subject is nevertheless covered by an assortment of laws, administrative regulations, departmental rules and guidelines. In this article, I will highlight a few key regulations recently adopted or proposed in the Mainland to assist legal professionals and businesses in Hong Kong to navigate this evolving regulatory landscape.

The laws relating to protection of personal information that have been introduced or amended in recent years include the Law on Protection of Consumer Rights and Interests (2nd Amendment, 2013), Criminal Law (9th Amendment, 2015), Cybersecurity Law (2017), General Provisions of the Civil Law (2017), E-Commerce Law (2019). In addition to these laws, various departmental rules and guidelines have been issued to supplement and clarify the legal requirements.

The Law on Protection of Consumer Rights and Interests (2nd Amendment) introduced personal information protection for consumers purchasing goods and services. The Law imposes requirements on businesses to adhere to the principles of lawfulness, propriety, necessity and transparency when collecting and using consumers’ personal information. It also prohibits the imposition of unfair or unreasonable terms to limit consumers’ rights over their personal information. A breach of the Law is punishable by fines and revocation of business licence.

The Cybersecurity Law contains comprehensive, albeit principle-based, provisions on the handling of personal

information by “network operators” from cradle to grave. Network operators encompass those who use information networks to sell goods and services, such as retailers, hotels, airlines, banks etc. Individuals’ consent is required for the collection and use of personal information. The Law also imposes onerous obligations on network operators to ensure data security.

The Measures for Data Security Management (Consultation Draft, May 2019) supplement the provisions under the Cybersecurity Law by providing more detailed (and sometimes more onerous) requirements in respect of the protection of personal information and the administration of security over important data. Pursuant to the draft Measures, network operators who intend to collect sensitive personal information must register with the cyberspace administration and appoint a person responsible for data security. In the event of data breaches, network operators must notify the regulators and the individuals, as well as take remedial action.

The Provisions on Cyber Protection of Children’s Personal Information (2019), being another subordinate regulation of the Cybersecurity Law, provide additional protection for the personal information of children under 14 years, such as requiring network operators to obtain parental consent before collection and use of children’s personal information, appoint data protection officers, and provide privacy policies tailored for children.

It is worth noting that the Cybersecurity Law requires personal information and important data collected or generated by operators of “critical information infrastructure” during their operations in the Mainland to be stored locally (ie data localisation), unless there is a business need to transfer out, and a prescribed security assessment has been conducted. The Measures for Security Assessment for Cross-border Transfer of Personal Information (Consultation Draft, June 2019) propose to extend the data localisation requirement to all network operators. The draft Measures also require network operators to submit their security assessment reports to provincial cyberspace administrations for approval. If the export of data is likely to be against national security, public interest, or lacking in data security, approval may not be given.

A breach of a requirement under the Cybersecurity Law or its subordinate regulations may be punishable by fines, confiscation of unlawful income, revocation of business licence, and even criminal sanctions for certain conducts.

Unlike Hong Kong, the Mainland does not have a single dedicated data protection authority. Enforcement powers on personal information protection in the Mainland are dispersed amongst a variety of regulators, such as the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security. This scattered approach in regulation and enforcement increases the challenges in compliance.

Given the close social and economic connection between Hong Kong and the Mainland, we have published a booklet – “Introduction to the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs” – providing an overview of the data protection regime in the Mainland and a comparison between the regimes in Hong Kong and the Mainland of China. It can be downloaded for free from my office’s website at: https://www. publications/books/books.html

While the data protection regime in the Mainland is still considered as decentralised and piece-meal, it is notable that the Standing Committee of the 13th National People’s Congress has put personal information protection law in its legislative work plan for 2020. We look forward to a more centralised and comprehensive personal information protection regime in the Mainland in near future.


Barrister, Privacy Commissioner for Personal Data, Hong Kong

Partner, RPC