Using and disclosing personal information in China – do’s and don’ts

Unlawful usage and disclosure of personal information in China can result in administrative penalties and serious cases can result in criminal offenses. The Personal Information Protection Law (‘PIPL’), the Personal Information Security Specification (‘Specification’), and the Guide to Security Protection of Personal Information Online (‘Guide’) adopted on 1 November 2021, 6 March 2020, and April 10, 2019, respectively, form the legal framework regulating personal information usage and disclosure in China. Under the Laws, companies collecting data on individuals located in China are required to adopt measures to reduce and mitigate unethical personal information disclosure and protect users from infringement.

Personal information violations can be severe, namely, the Criminal Law of the People’s Republic of China elevates the illegal sale or provision of a citizen’s personal information to another to a criminal offense. Under Article 253 of the Criminal Law, individual violators face a maximum 3-year imprisonment term for serious violations and under exceptionally serious circumstances, an imprisonment term of 3-7 years. Equally, if the company commits a criminal offense, any directly liable officers or other directly liable individuals of the company shall be convicted and subject to the relevant criminal penalties. Therefore, companies should implement strict measures to regulate the use and disclosure of personal information.

Below, we summarise the main dos and don’t’s of using and disclosing for companies handling personal information of individuals located in China.  

Do disclose personal information only when necessary and accordingly to law or within justifiable reasons

Article 1034 of the Civil Code defines personal information as the following:

Personal information refers to any information electronically or otherwise recorded that can be used, either alone or in combination with other information, to identify a specific natural person, including the name, date of birth, identification document number, biometric information, address, telephone number, email address, health information or whereabouts of the natural person.

Under the Specification, personal information shall only be disclosed under the following conditions:

  • When a security impact assessment is conducted
  • When consent is obtained
  • When record-keeping and retention obligations are performed
  • When stating restrictions during information disclosure

Do clearly state the nature of the disclosure and obtain consent

Companies processing personal information are referred as processors who are obliged to obtain consent and disclose the use of professional information under PIPL.

Specifically, processors shall inform the individual of the following matters in a visible, clear, easy-to-understand language, truthful, accurate, and complete manner.

  • The organisation or personal name and contact information of the personal information processor;
  • The purpose and method of processing personal information, the type of personal information to be processed, and its retention period;
  • The way and procedure for the individual to exercise his/her rights provided for by this Law; and
  • Any other matter that is to be informed as required by law or administrative regulations.

Any changes to the above points shall be informed to the individual and such individual shall have an option to withdraw consent. In a withdrawal, processors shall halt the collection or promptly delete the collected personal information.

Equally, PIPL prescribes the following circumstances in which individual consent is not required.

  • Where it is necessary to conclude or perform a contract to which the individual is a contracting party, or where it is necessary to carry out human resources management under an employment policy legally established or a collective contract legally concluded;
  • Where it is necessary to perform a statutory responsibility or statutory obligation;
  • Where it is necessary to respond in a public health emergency, or to protect the life, health, or property safety of a natural person in the case of an emergency;
  • Where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions, or any other activity for public interest purposes;
  • Where the personal information, which has already been disclosed by the individual or otherwise legally disclosed

Don’t neglect additional processing measures for sensitive personal information

For sensitive personal information, companies are required to protect such data, obtain specific consent for disclosure and inform the individual of the necessity and the impact on their rights and interests. Sensitive personal information refers to the following:

  • Religious beliefs;
  • Biometrics;
  • Specific identities, medical and health;
  • Financial accounts, whereabouts, and other information of a natural person;
  • Personal information of minors under the age of fourteen 

Though the following personal information shall not be disclosed:

  • Personal biometric information;
  • Genetic, disease, and other personal physiological information;
  • Analysis results of the racial or ethnic identity, political opinions, religious beliefs, or other sensitive personal data of Chinese citizens.

Do adopt stringent control measures

The Guide require companies processing personal information to establish an administrative control system to prevent unauthorised disclosure such as leakage or tampering. Control systems should be implemented, audited, and improved continuously to reduce risks and indirect violations. Additionally, the following technical control shall be implemented for robust controls.

  • Establishing passwords and/or verification to protect the integrity and confidentiality of personal information;
  • Adopting measures to detect, prevent, and combat threats against the systems processing personal information;
  • Employing an authentication system to verify user identities who access the personal information processing systems; implement and audit access control; and prevent and detect intrusions of malicious code and malware; 
  • Establishing data security in the authentication, access control, and audit; ensuring data integrity, confidentiality, availability, and sanitation.

Don’t neglect legal liabilities

The Specification often serves as a guide for enforcers to regulate personal information disclosure. Companies failing to comply with the relevant rules and regulations can result in administrative and criminal liabilities.

Administrative liabilities

Those processing personal information in violation of PIPL or failing to perform any obligation of personal information protection specified in PIPL in the processing of personal information will be ordered to correct, given a warning, and confiscated of any illegal gain. Any illegal activities shall be entered into credit files and disclosed to the public.

Civil liabilities

Personal information infringement under the Cyber Security Law shall be ordered to make corrections and may be subject to the following penalties either alone or in combination depending on the circumstances. Penalties include a warning, confiscation of illegal gains, and a fine between twice and ten times the illegal gains or a fine up to CNY 1,000,000 if there are no illegal gains on the organisation, as well as a fine between CNY 10,000 and CNY 100,000 on any directly liable officers or other directly liable individuals of the organisation.

In serious circumstances, the organisation may be ordered to suspend the relevant operation or the business for rectification, shut down its website, or have its relevant business permit or business license revoked.

Criminal liabilities

Under Article 253 of the Criminal Law, individual violators face a maximum 3-year imprisonment term for serious violations and under exceptionally serious circumstances, an imprisonment term of 3-7 years. Equally, if the company commits a criminal offense, any directly liable officers or other directly liable individuals of the company shall be convicted and subject to the relevant criminal penalties.

Conclusion

Enterprises using and disclosing data should adjust and adopt work practices accordingly to legal obligations. Understanding and monitoring the changes in new regulations is essential to navigate compliance commitments. At Horizons, we have been developing data compliance frameworks for large to medium-sized companies in China.

If you have questions or concerns related to personal information or other related matters, please contact Horizons at +86 21 5356 3400 or talktous@horizons-advisory.com.