Point of View: China’s Cybersecurity Law: Personal Information Protection Overview

Point of View: China’s Cybersecurity Law: Personal Information Protection Overview

As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this Point of View (POV) highlights a key area pertaining to personal information protection.

Personal information is defined as information that can be used individually or in combination with other information to identify a person. Requirements around the dissemination and management of personal information by network operators are prescribed within the Cybersecurity Law and are closely linked to the national standard of personal information protection, the Personal Information Security Specification (“the Specification”).

The enforcement of personal information protection is primarily based on the Territoriality Principle: all legal entities operating in mainland China must comply with legal requirements, and authorities can prosecute offenses committed within the Chinese border. This means that both local and multi-national companies operating within mainland China are accountable for personal information protection and must comply with requirements outlined in the Cybersecurity Law and the Specification. It is therefore essential that companies understand these requirements and address the potential compliance challenges discussed in this POV.

Point of View: China’s Cybersecurity Law: Personal Information Protection Overview

Overview of Personal Information Protection

Both the Cybersecurity Law and the Specification prescribe a set of principles for network operators around personal information protection. Although the Specification is neither a law nor a regulation and cannot legally make any official judicial interpretations of the Cybersecurity Law, it is one of the most important national standards concerning the protection of personal information in China. Corporations are recommended to comply with the Specification to demonstrate compliance with the personal information protection requirements under the Cybersecurity Law.

Since late 2018, the Cybersecurity Law has been referenced by the Ministry of Public Security, the Ministry of Industry and Information Technology, the Cyberspace Administration of China (CAC), and State Administration for Market Regulation during investigations and prosecutions of illegal acts. Going forward, the Specification and other upcoming rules and measures will be utilized and developed by regulatory authorities to facilitate law enforcement.

Compliance Requirements of Personal Information Protection

Under the Cybersecurity Law, network operators are required to fulfill certain technical security measures and compliance procedures to protect personal information. Furthermore, the Specification, along with other laws and administrative rules from regulatory authorities, are applied to the Cybersecurity Law for clarification, interpretation, and stipulation.