Since the ultimate goal of any business is to better serve its clients, collecting information from them is inevitable. However, clients’ information often contains sensitive personal information, so the collection, processing or sharing of such data requires prior consent and must follow certain procedures. In cases of non-compliance, significant fines of up to 5% of a company’s annual revenue may be imposed, along with a dozen other potential sanctions.

Therefore, it is critical for businesses to fully understand data compliance legislation, and to adopt a well-structured compliance system.

The framework

The Data Security Law (DSL) and the Personal Information Protection Law (PIPL) were promulgated and implemented in 2021. Together with the Cybersecurity Law, which took effect in 2017, these three laws constitute the basic legal framework for data governance in China. They have different emphases: the National Security Law, the Cybersecurity Law and the DSL focus on the protection of national security and public interests, whereas the PIPL focuses on the protection of personal information rights and interests during the processing of personal information.

Under the above-mentioned legal framework, various legislative departments and regulatory agencies have issued implementation requirements. Meanwhile, industry-specific regulatory commissions and industry organisations are also updating industry rules accordingly, and national standards are being formulated to offer practical guidance. For example, the Cybersecurity Review Measures were promulgated on 4 January 2022 and came into force on 15 February 2022.

In general, the legal framework in the field of data governance has taken shape, with specific regulatory rules and practical guidance gradually established and improved.

Law enforcement

According to incomplete data collected by the 21st Century Economic Herald, administrative penalties related to violation of information collection imposed by the People’s Bank of China (PBoC), the China Banking Regulatory Commission and the State Administration of Foreign Exchange totalled 119 in 2021 alone, with the total amount of fines reaching RMB46.5 million (USD6.9 million).

The above-mentioned penalties generally relate to financial institutions’ failure to comply with either personal data protection or cybersecurity regulations. Such violations mainly include: failure to collect and use personal information in accordance with regulations; inquiring into personal information or corporate credit information without consent; failure to inform data subjects before disclosing their personal misconduct information; and leaking customer information.

Source: China Business Law Journal