Personal Information and Cybersecurity Protection in China

guideline| 1 April 2020

Sign up and benefit from our entire range of free services

If you sign up today you’ll be able to

  • Access to tailored advice through our Ask-the-Expert tool
  • A library of over 200 publications
  • Practical business tools
  • A network of trade promotion and business support partners
  • A comprehensive database of service providers with contact information

Over the past two year, the Chinese government has drafted a legal framework for its domestic cyberspace. Especially the adoption of the Cybersecurity Law in 2017 has marked a major change in the current legal and regulatory framework for cybersecurity including personal information protection.

Whether to a smaller or a larger degree, EU SMEs that collect, generate, store and use personal information in China or transfer data out of China are all subject to cybersecurity regulations. The continuous advance in computer technology and the subsequent changes and additions in the related legal framework create challenges and uncertainties among foreign enterprises. EU SMEs involved in China’s cyberspace often raise questions about their concrete responsibilities and obligations under the Cybersecurity Law.

EU SMEs operating in or with China should become familiar with the Cybersecurity Law in general and become aware of the challenges the ever-changing cybersecurity regulations impose on their business operations.

This guideline helps SMEs to gain a better understanding of their obligations and responsibilities with regard to cybersecurity.

Key Contents

Introduction

1. Scope of Application of PRC Legal Requirements

2. Definition and Scope of Personal Information

3. Data Privacy Obligations

4. Data Subject Rights

5. Data Breach

6. Cross-border Data Transfer

7. Cross-border Data Transfer

8. Cybersecurity Obligations

9. Regulatory Authorities

10. Legal Consequence

11. Enforcement Status

12. Recommendations

About the authors

DONG, Xiao (Marissa), Partner, JunHe LLP

Ms. Dong is a partner in the Beijing office and specializes in the areas of foreign direct investment, mergers and acquisitions, and telecom, internet, high-tech and data privacy and information law. She represents multinationals, foreign investment enterprises, and large Chinese state-owned and private companies. In her corporate and M&A practice, Ms. Dong guides inbound investors through all stages of operation in China, from market investigation to market entry and business expansion (including incorporating PRC entities, mergers and acquisitions, business permits and applications, corporate restructuring and compliance issues). Her clients include industry leaders in manufacturing, high-tech and internet and telecommunications services and education. By supporting clients in their operations in China, Ms. Dong has not only gained substantial experience in dealing with complex commercial transactions but also a deep understanding of the law and its implementation, government policies and the business environment, which enables her to assist clients to set up sensible strategies and explore practical approaches to doing business in China.

She also advises clients on all aspects of matters involving new technology and data, with a special emphasis on information privacy (consumers, employees, and patients), data security and breaches, and international data transfers. In these businesses, she has gained an understanding of new business models and technology, such as targeted advertising, internet payments, telematics, IoT and cloud computing, so as to help clients navigate China’s complex and sector-specific policy and regulatory landscape. Her clients include national and international information technology vendors, internet service providers, data brokers, retailers and distributors, and manufacturers of medical, industrial, and consumer products.

GUO Jinghe, Associate, JunHe LLP

Guo Jinghe is a lawyer in the Beijing office and specializes in the areas of foreign direct investment, mergers and acquisitions, and telecom, internet, high-tech and data privacy and information law. She represents multinationals, foreign investment enterprises, and large Chinese state-owned and private companies. She also advises clients on all aspects of matters involving new technology and data, with a special emphasis on information privacy (consumers, employees, and patients), data security and breaches, and international data transfers.

JunHe LLP

JunHe, founded in Beijing in 1989, is one of the first private partnership law firms in China. Since its establishment, JunHe has grown to be one of the largest and most recognized Chinese law firms. The firm has thirteen offices around the world and a team comprised of more than 880 professionals, including over 240 partners and legal counsel, as well as over 640 associates and legal translators.

Note:

The EU SME Centre Phase II officially runs out on April 6, 2020. Publications remain available for downloading for EU SME users of the website. For further queries on the reports, you are recommended to contact the authors directly or email at info@eusmecentre.org.cn.

Sign up and benefit from our entire range of free services

If you sign up today you’ll be able to

  • Access to tailored advice through our Ask-the-Expert tool
  • A library of over 200 publications
  • Practical business tools
  • A network of trade promotion and business support partners
  • A comprehensive database of service providers with contact information