Changes afoot in China cyber and data laws


Significant developments have been announced by the Chinese Government in recent weeks in relation to cyber security, data handling and online activities. Organisations doing business in the People's Republic of China are advised to start reviewing their current practices in anticipation of these changes.

Draft PRC Cybersecurity Law: the second reading of the draft PRC Cybersecurity Law took place in the first week of July 2016. The wide-ranging draft law, which was first proposed in June 2015, sets out sanctions against cybersecurity threats; proposes data anonymisation for some big data activities; and would require network operators to co-operate with state surveillance authorities and keep user weblogs for at least six months. Other key data-related proposals include:

  • Requirements to obtain individual consent for handling of personal data. The draft law also defines what is considered appropriate use of personal data.
  • Requirements for personal data of Chinese citizens and "important business data" collected by "key information infrastructure operators" (KIIOs) to be kept within the borders of the People's Republic of China. This reflects a growing trend towards data localisation in China. The definition of KIIOs remains to be finalised.
  • The updated draft has further refined the data localisation provisions so that they would appear to allow cross-border data transfers only on an exception basis if personal information and "important business data" collected by KIIOs are to be used (and not just if they are to be stored) overseas, subject to compliance with mandatory security assessment/measures by the relevant authorities.

Further details as to how certain terms and the draft law as a whole would be interpreted and enforced in practice are awaited, and the draft will now proceed to a third reading. Nonetheless, if implemented, these changes - and in particular the requirement to keep certain data within China - could have a tremendous impact on how international businesses manage data relating to their China operations.

New app regulations: the Cyberspace Administration of China has released the "Provisions on Administration of Information Services of Mobile Internet Application Programs". These will come into force on 1 August 2016, and set out requirements with which mobile app providers must comply, including some specific data protection obligations, namely:

  • verifying users' identities by requesting mobile phone numbers or other information;
  • not collecting users' location information, reading their contacts, starting the recording function or camera or any other irrelevant functions without individual consent;
  • not using users' information without individual consent;
  • protecting users' information;
  • informing users of their rights;
  • punishing anyone releasing illicit information through warnings, suspension of service or shutting down accounts, keeping records of illicit information released through the app and reporting to relevant government authorities;
  • not pirating others' products; and
  • preserving users' activity for at least 60 days.

Organisations operating apps in China must, therefore, take note of these additional requirements and ensure they are compliant before 1 August.

New rules for online searches and advertising: stricter regulations have been introduced to prevent misleading online advertising after a popular Chinese search engine was criticised following the death of a cancer sufferer. The search engine, it was argued, influenced his searches for treatment and presented misguided medical information. The "Provisions on Administration of Internet Information Search Services" were implemented on 25 June 2016 and come into force on 1 August 2016. The new regulations require Internet search providers to ensure objective, fair and authoritative search results and to remove any illegal content. They require improved checks on advertisers. The regulations also deem all paid-for search results to be advertising and they must now be clearly labelled.

Data trading framework proposed: proposals in draft rules to accompany a draft Civil Code include data as a type of intellectual property such that, once the law is passed, data may be traded as property. This would allow organisations to buy and sell data for, say, marketing purposes. Reports suggest the draft rules may not be approved until Q1 2017 (and the whole Civil Code in 2020), but it illustrates the trend towards greater appreciation by the Chinese Government of the value and significance of data.

There have been other announcements from Chinese authorities in recent months in relation to a national big data blueprint, as well as suggestions of the proposed implementation of a national standard for personal data collection and protection, perhaps indicating that the introduction of a comprehensive data protection law may be forthcoming. Further details are awaited on these.

These latest developments illustrate that cyber security, online services and data protection are areas of significant current interest to the Chinese authorities. They also highlight the trend towards increasing regulation of data handling and online activities in China. The legal framework in this area has advanced rapidly in recent years, and organisations are advised to keep their cyber security and data protection compliance programmes in China under regular review as the law - and, more importantly in China, enforcement of the law - evolves further.