The Personal Information Protection Law (PIPL), the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and took effect on 1 November 2021.
The PIPL regulates the processing of personal information and protects an individual’s rights and interests in relation to personal information. It stipulates that the processing of personal information must abide by the principles of legality, justice, integrity, minimum necessity, openness and transparency, and the purposes of processing shall be explicit and reasonable.
Individuals have the right to access, copy, correct and request erasure of their personal information from personal information processors (similar to data users under the Personal Data (Privacy) Ordinance of Hong Kong). Individuals can also request personal information processors to provide them with the means of transferring their personal information to other processors.
When processing personal information of a minor under the age of 14, personal information processors must obtain the consent of the minor’s parent or guardian, and must formulate specific personal information processing rules.
The PIPL prohibits the use of automated decision-making based on personal information to implement unreasonable differential treatment in trade practices, such as unreasonable price discrimination against individuals (commonly known as “sha shu” behaviour). In addition, when automated decision-making is used to push information or conduct commercial marketing, personal information processors must provide individuals with options that are not targeted at their personal characteristics, or convenient means to opt out.
If personal information processors wish to transfer personal information out of the Mainland, they must obtain separate consent from individuals and meet specific requirements, such as passing the security assessment conducted by the national cyberspace authorities, obtaining certification from the relevant professional institutions, or entering into a standard contract formulated by the national cyberspace authorities.
The PIPL has extraterritorial effect. If overseas organisations process personal information of natural persons in the Mainland for the purposes of offering products or services to them, or for analysing or evaluating their behaviours, such overseas organisations must abide by the requirements under the PIPL, and establish designated agencies or appoint representatives in the Mainland.
The national cyberspace authorities shall be responsible for the overall coordination of personal information protection and the related supervision and management. The relevant departments of the State Council shall also be responsible for the protection of personal information and the related supervision and management within their purview.
A personal information processor that contravenes the requirements under the PIPL is liable to a maximum fine of RMB 50,000,000 or 5% of its annual turnover of the preceding year, and can also be ordered, amongst other things, to suspend its business operations for rectification, or have the relevant business permits or licenses revoked.
The full text of the PIPL (in Chinese) is available at https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm. An English translation published by the National People’s Congress (NPC) is also available at http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm. Please note that the NPC has specifically highlighted that the translation is for reference only.
Disclaimer
The information provided in this webpage is for general reference only. It does not provide an exhaustive guide to the application of the PIPL and / or any other regulations or documents as mentioned in this webpage, and does not constitute any legal advice. The Privacy Commissioner for Personal Data makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information set out on this webpage. Organisations and individuals should seek professional legal advice for compliance with the requirements under the PIPL and / or other regulations or documents in the Mainland.
Below are the highlights of the PIPL.
1. Legislative Purpose
To protect the rights and interests in relation to personal information, regulate personal information processing activities, and promote the reasonable use of personal information.
2. Targets to be Regulated
The PIPL regulates the processing of natural persons’ personal information in the Mainland, including processing activities carried out by state organs. A personal information processor refers to any organisation or individual that autonomously determines the purpose, means, etc. of the processing of personal information.
3. Extra-territorial Application
The PIPL also applies to the processing, outside the Mainland, of the personal information of natural persons in the Mainland in the following circumstances:
(1) offering products or services to natural persons in the Mainland;
(2) analysing or evaluating the behaviours of natural persons in the Mainland.
4. Definition of Personal Information
Personal information refers to all kinds of information, recorded electronically or by other means, that relates to identified or identifiable natural persons, but does not include anonymised information.
5. Definition of Sensitive Personal Information
Sensitive personal information refers to personal information that, if leaked or used illegally, may easily lead to the infringement of the dignity of natural persons, or may seriously endanger their personal or property safety, including information relating to biometrics, religious beliefs, specific identities, healthcare, financial accounts, an individual’s whereabouts, etc., as well as the personal information of minors under the age of 14.
6. Transparency
When processing personal information, the principles of openness and transparency shall be adhered to. The rules on personal information processing shall be made public, and the purposes, means and scope of processing shall be stated explicitly. Before processing personal information, personal information processors shall truthfully, accurately and fully inform individuals of the following matters in a prominent way and in comprehensible language: (1) their names and contact information; (2) the purposes and means of processing, and the categories and retention periods of the personal information to be processed; and (3) the methods and procedures for individuals to exercise their rights, etc. If personal information processors provide individuals with the above information by formulating personal information processing rules, the rules shall be made public, easily accessible and retained. If personal information processors need to transfer personal information due to mergers, divisions, dissolutions, bankruptcies or for any other reasons, they shall inform individuals of the recipients’ names and contact information. If personal information processors provide the personal information they process to other processors, they shall inform individuals of the recipients’ names and contact information, the purposes and means of processing and the categories of personal information to be processed, and obtain separate consent from the individuals.
7. Collection, Use and Disclosure, etc.
Personal information processing includes the collection, retention, use, processing, transmission, provision, disclosure and erasure, etc. of personal information. Personal information shall be processed in accordance with the principles of legality, justice, necessity and integrity, and shall not be processed by fraudulent, misleading, coercive or similar means. The processing of personal information shall be for an explicit and reasonable purpose, shall be directly related to that purpose, and shall keep the impact on individuals’ rights and interests to a minimum. The collection of personal information shall be minimised and shall not be excessive in relation to the purpose of processing. Personal information processors shall only process personal information in the circumstances prescribed in the PIPL, including (1) where the individual’s consent has been obtained; (2) where necessary for the establishment or performance of a contract, or for human resources management; (3) where necessary for fulfilling statutory duties or obligations; (4) where necessary for responding to public health emergencies, or for protecting the life, health and property safety of a natural person in an emergency; (5) for the reasonable processing of personal information for news reporting, media supervision and other activities conducted in the public interest; (6) for the reasonable processing of personal information that has been disclosed publicly by the individuals themselves or is otherwise lawfully disclosed; and (7) in other circumstances provided by laws or administrative regulations. No organisation or individual shall illegally collect, use, process, transmit, trade, provide or disclose the personal information of other individuals, or engage in personal information processing activities that endanger national security or harm the public interest.
Image collection and personal identification equipment in public places shall be installed only where necessary for the purpose of maintaining public safety, with prominent reminder signs set up. The personal images and identification information collected may only be used for the purpose of maintaining public safety and, unless the individuals’ separate consent is obtained, shall not be used for any other purpose. The PIPL does not apply where a natural person processes personal information for personal or household affairs. Further, personal information processors shall only process sensitive personal information where there is a specific purpose, where it is of sufficient necessity, and where stringent protective measures are in place. Separate consent shall be obtained from individuals when processing their sensitive personal information. Prior to processing sensitive personal information, personal information processors shall carry out a personal information protection impact assessment, and the relevant reports and records shall be retained for at least three years. Processors of sensitive personal information shall also notify the individual of the necessity of processing his sensitive personal information and the impact on his rights and interests. If personal information processors process the personal information of minors under the age of 14, they shall formulate specific personal information processing rules for such processing.
8. Consent
An individual’s consent refers to consent given voluntarily and explicitly by an individual who has been fully informed. Where laws or administrative regulations require separate consent or written consent for the processing of an individual’s personal information, those requirements shall be followed. Obtaining individuals’ consent is one of the situations in which personal information may lawfully be processed. When there is any change to the purposes or means of personal information processing, or to the categories of personal information involved, new consent shall be obtained. If the processing of disclosed personal information has a significant impact on the rights and interests of individuals, the individuals’ consent shall be obtained. Personal information processors shall obtain separate consent from individuals in the circumstances prescribed in the PIPL, including when:
When processing the personal information of minors under the age of 14, personal information processors shall obtain the consent of the minors’ parents or guardians. Personal information processors shall not refuse to provide products or services to individuals on the ground that the individuals refuse to give, or withdraw, consent to the processing of their personal information, except where the processing is necessary for the provision of the products or services. Where personal information processing is based on an individual’s consent, the individual shall have the right to withdraw that consent, and personal information processors shall provide convenient ways for individuals to do so.
9. Accuracy
When processing personal information, the quality of the personal information shall be guaranteed in order to avoid any adverse impact on individuals’ rights and interests caused by inaccurate or incomplete personal information.
10. Security
Personal information processors shall be accountable for their personal information processing activities, and shall take the necessary measures to safeguard the security of the personal information they process. Personal information processors that entrust third parties to process personal information shall enter into a contract with those third parties specifying the purposes, duration and means of processing, the categories of personal information involved, the protective measures to be taken, and the rights and obligations of both parties, etc. The personal information processors shall supervise the processing activities carried out by the entrusted parties. The parties entrusted to process personal information shall take the necessary measures to safeguard the security of the personal information they process.
11. Retention Period
The retention period of personal information shall be the shortest time necessary for fulfilling the purpose of processing. Personal information processors shall, on their own initiative or upon request from individuals, erase personal information in the circumstances prescribed in the PIPL, such as when (1) the retention period has expired; (2) the purpose of processing has been fulfilled, cannot be fulfilled, or the personal information is no longer necessary for fulfilling the purpose; (3) the individual has withdrawn consent; or (4) the personal information processor has ceased providing products or services, etc.
12. Accountability and Governance
Having regard to the purposes and means of processing, the categories of personal information involved, the impact on individuals’ rights and interests and the potential security risks, etc., personal information processors shall take the following measures to ensure that their personal information processing activities comply with laws and regulations, and to prevent unauthorised access to, and leakage, tampering or loss of, personal information: (1) formulating internal management systems and operating procedures; (2) implementing classified management of personal information; and (3) adopting technical security measures such as encryption and de-identification. Personal information processors that process personal information up to the threshold prescribed by the national cyberspace authorities shall appoint personal information protection officers, who shall be responsible for supervising the personal information processing activities and the implementation of protective measures. Processors outside the Mainland that are regulated by the PIPL shall establish designated agencies or appoint representatives in the Mainland to be responsible for handling matters related to personal information protection. Personal information processors shall regularly conduct compliance audits of their personal information processing activities against the relevant laws and administrative regulations.
Personal information protection impact assessments shall be conducted by personal information processors in the following circumstances: (1) processing sensitive personal information; (2) using personal information to conduct automated decision-making; (3) entrusting other parties to process personal information, providing personal information to other personal information processors, or disclosing personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities that have a significant impact on the rights and interests of individuals. The relevant reports and records shall be retained for at least three years.
13. Obligations of Internet Platforms
Personal information processors that provide important internet platform services, have a large number of users and operate with complex business models shall fulfil specific obligations, including (1) establishing robust compliance systems for personal information protection, and establishing independent bodies composed mainly of external members to supervise their personal information processing activities; (2) abiding by the principles of openness, fairness and impartiality, formulating platform rules, and specifying the personal information processing practices and obligations of the product and service providers on the platform; (3) suspending the provision of services to product or service providers that seriously violate laws and administrative regulations when processing personal information; and (4) regularly publishing social responsibility reports on personal information protection and being subject to public supervision.
14. Breach Notification
Where personal information leakage, tampering or loss has occurred or may occur, personal information processors shall immediately take remedial action and notify the personal information protection authorities and the individuals concerned. The notification shall include (1) the categories of personal information involved, the causes of the incident and the potential harm; and (2) the remedial measures taken by the personal information processors and the mitigation measures that individuals may take, etc. If personal information processors consider that the measures taken can effectively prevent harm arising from the leakage, tampering or loss, they may choose not to notify individuals. However, if the personal information protection authorities consider that the leakage may cause harm to individuals, they have the right to require the personal information processors to notify the individuals.
15. Cross-border Data Transfer
Personal information processors that need to transfer personal information out of the Mainland for business reasons shall first carry out a personal information protection impact assessment, and retain the report and records for at least three years. In addition, personal information processors shall obtain separate consent from individuals and meet one of the conditions prescribed in the PIPL, including:
(1) passing the security assessment conducted by the national cyberspace authorities;
(2) obtaining personal information protection certification from the relevant professional institutions; or
(3) entering into a standard contract formulated by the national cyberspace authorities.
If an international treaty or agreement that the Mainland has concluded or acceded to contains requirements on transferring personal information out of the Mainland, those requirements may be followed. Personal information processors shall take the necessary measures to ensure that the processing activities undertaken by the overseas recipients meet the personal information protection standard prescribed by the PIPL. In addition, personal information processors shall inform individuals of the names and contact information of the overseas recipients, the purposes and means of processing, the categories of personal information involved, and the methods and procedures for individuals to exercise their rights under the PIPL, etc. Critical information infrastructure operators and personal information processors that process personal information up to the threshold prescribed by the national cyberspace authorities shall store the personal information collected and generated in the Mainland locally. If it is necessary to transfer that personal information overseas, they shall pass the security assessment conducted by the national cyberspace authorities, unless other laws, regulations or provisions set by the national cyberspace authorities stipulate that the security assessment is not required.
16. Automated Decision-making
Automated decision-making refers to the activity of automatically analysing and evaluating personal behaviours, hobbies, or economic, health and credit status, etc. through computer programs, and making decisions on that basis. Personal information processors using personal information in automated decision-making shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices or other transaction conditions. Where an automated decision has a significant impact on an individual’s rights and interests, the individual shall have the right to request an explanation from the personal information processor, and to object to a decision made solely by automated decision-making. When automated decision-making is used to push information or conduct commercial marketing, individuals shall be provided with options that are not targeted at their personal characteristics, or convenient means to opt out. Prior to carrying out automated decision-making, personal information processors shall conduct a personal information protection impact assessment and retain the relevant reports and records for at least three years.
17. Rights of Data Access and Correction
Individuals shall have the right to access and copy their personal information held by personal information processors, and personal information processors shall provide it in a timely manner. If individuals discover that their personal information is inaccurate or incomplete, they shall have the right to request that the personal information processor correct or supplement it. Personal information processors shall establish a convenient mechanism for receiving and handling requests from individuals exercising their rights. Where a personal information processor refuses an individual’s request to exercise his rights, reasons for the refusal shall be given. The individual may also file a lawsuit with the people’s court if a personal information processor refuses his request.
18. Personal Information Portability
If individuals request personal information processors to transfer their personal information to personal information processors designated by them, and the requests meet the requirements stipulated by the national cyberspace authorities, the personal information processors shall provide the means for such transfers.
19. Right to Erasure, Restrict or Refuse Personal Information Processing
Personal information processors shall, on their own initiative or upon request from individuals, erase personal information in the circumstances prescribed in the PIPL, such as when (1) the retention period has expired; (2) the purpose of processing has been fulfilled, cannot be fulfilled, or the personal information is no longer necessary for fulfilling the purpose; (3) the individual has withdrawn consent; or (4) the personal information processor has ceased providing products or services, etc.
If erasure of the personal information is technically infeasible, personal information processors shall cease processing it other than storing it and taking the necessary security protection measures. Individuals shall have the right to restrict or refuse the processing of their personal information by others, except where laws or administrative regulations stipulate otherwise. Close relatives of a deceased natural person may, for their own lawful and legitimate interests, exercise rights such as accessing, copying, correcting and erasing the personal information of the deceased.
20. Right to be Informed
Individuals shall have the right to be informed of, and to make decisions on, the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others, except as otherwise stipulated by laws or administrative regulations. Individuals shall have the right to request personal information processors to explain their personal information processing rules. Personal information processors shall establish a convenient mechanism for receiving and handling requests from individuals exercising their rights. Where a personal information processor refuses an individual’s request to exercise his rights, reasons for the refusal shall be given. The individual may file a lawsuit with the people’s court if a personal information processor refuses his request.
21. Enforcement Authorities
The national cyberspace authorities are responsible for the overall coordination of personal information protection and the related supervision and management. The relevant departments of the State Council are responsible for the protection of personal information and the related supervision and management within their purview. These authorities are collectively referred to as the personal information protection authorities. If the personal information protection authorities, while performing their duties, discover illegal personal information processing activities that may constitute criminal offences, they shall promptly refer the matter to the public security authorities for handling in accordance with the law.
22. Penalty
Where the processing of personal information violates the requirements under the PIPL, the personal information protection authorities may order rectification, issue a warning and confiscate illegal gains. Processors that refuse to rectify shall be liable to a fine of not more than RMB 1,000,000. The person in charge who is directly responsible and other directly responsible personnel shall be liable to a fine of not less than RMB 10,000 but not more than RMB 100,000. For cases of a serious nature, personal information protection authorities at or above the provincial level may order rectification, confiscate illegal gains, and impose a fine of not more than RMB 50,000,000 or 5% of the annual turnover of the previous year. They may also order the suspension of the relevant business, or the suspension of operations for rectification, and notify the competent authorities to revoke the relevant business permits or licenses. The person in charge who is directly responsible and other directly responsible personnel shall be liable to a fine of not less than RMB 100,000 but not more than RMB 1,000,000, and may be prohibited from serving as directors, supervisors, senior managers or personal information protection officers of relevant enterprises for a certain period of time. If a violation of the requirements under the PIPL constitutes a violation of public security administration, public security administration penalties apply. If it constitutes a criminal offence, criminal liability applies. Contraventions of the requirements under the PIPL may also be entered into the relevant credit records and published.
23. Compensation / Litigation
If the processing of personal information infringes individuals’ personal information rights and interests and causes harm, and the personal information processor cannot prove that it is not at fault, the personal information processor shall bear liability for damages and other tort liabilities. The amount of damages shall be determined on the basis of the losses suffered by the individuals or the benefits obtained by the personal information processor from the infringement. Where it is difficult to determine the individuals’ losses and the processor’s benefits, the amount of damages shall be determined according to the actual circumstances. If a personal information processor processes personal information in violation of the requirements under the PIPL and infringes the rights and interests of many individuals, the people’s procuratorate, the consumer organisations specified by law, and the organisations designated by the national cyberspace authorities may file a lawsuit with the people’s court in accordance with the law.
Date | Publication / Article |
---|---|
24/5/2024 | Office of the Privacy Commissioner for Personal Data, Hong Kong: Striving to Safeguard Personal Data Privacy and Promote Cross-boundary Data Flow |
16/4/2024 | Hong Kong: Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area |
14/3/2024 | A Trusted Framework for the Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area |
29/12/2021 | Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland (Chinese only) |
20/12/2021 | Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland |
Monthly (since April 2021) | PCPD e-Newsletter |
18/11/2021 | Introduction to the Personal Information Protection Law of the Mainland (Chinese only) |
Since the implementation of the Personal Information Protection Law, different authorities of the Mainland have published regulations and documents in relation to cross-border transfers of personal information, including:
The consultation documents in relation to cross-border transfers of personal information that have been published by different authorities in the Mainland include:
Date of Publication | Consultation Document |
---|---|
1/11/2023 | Draft Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information for Cross-Border Data Transfers in the Guangdong-Hong Kong-Macau Greater Bay Area (《網絡安全標準實踐指南 - 粵港澳大灣區跨境個人信息保護要求 (徵求意見稿)》) (Chinese only) |
The National Information Security Standardisation Technical Committee (TC260) published a second edition of the “Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information Version V2.0” (the Guidance) on 16 December 2022. The Guidance amended an earlier version published on 24 June of the same year by enhancing the requirements for personal information processors and data recipients outside the jurisdiction.
Article 38(2) of the PIPL states that one of the prerequisites for carrying out cross-border personal information processing activities is that personal information processors obtain certification in relation to personal information protection from specialised institutions in accordance with the provisions issued by the national cyberspace authorities. The Guidance provides a basis for certification institutions to conduct certification of cross-border personal information processing activities, and serves as a reference for personal information processors to regulate their own cross-border personal information processing activities.
The Guidance sets out various basic principles in relation to the cross-border processing of personal information, requiring both personal information processors and the relevant data recipients outside the jurisdiction to meet the requirements of the legislation and regulations of the Mainland. The parties are also required, amongst other things, to enter into legally binding agreements, to designate an officer to take charge of personal information protection, and to conduct a personal information protection impact assessment before carrying out cross-border processing activities. In addition, the Guidance incorporates protection of various rights and interests of personal information subjects, including the right to withdraw consent and the rights to access and to erase their personal information, etc. The Guidance also sets out additional and more detailed requirements and obligations for personal information processors and data recipients outside the jurisdiction to observe when carrying out cross-border personal information processing activities, so as to meet the relevant requirements set out in the Security Assessment Measures on Cross-border Transfers of Data and in the Draft Rules on the Standard Contractual Clauses for Cross-border Transfers of Personal Information.
Other major requirements of the Guidance include:
As the Guidance specifies no implementation date, its date of issue (16 December 2022) is taken as its effective date.
On 18 November 2022, the State Administration for Market Regulation (SAMR) and the Cyberspace Administration of China (CAC) jointly issued the Implementation Rules for Personal Information Protection Certification (the Rules). The Rules provide clearer guidance on the certification of personal information processors, including in relation to the cross-border personal information processing activities referred to in Article 38(2)[93] of the PIPL. They set out the basic principles and requirements for certifying personal information processors in relation to the collection, storage, use, processing, transmission, provision, disclosure, erasure and cross-border transfer, etc. of personal information.
The certification is a voluntary mechanism. The Rules stipulate that personal information processors carrying out cross-border personal information processing activities must comply with the national standard GB/T 35273-2020 Information Security Technology – Personal Information Security Specification[94] as well as with the TC260-PG-20222A Guidance.
The Rules also provide for the following two personal information protection certification marks[95]:
(1) Certification mark for activities not involving cross-border processing of personal information
(2) Certification mark for activities involving cross-border processing of personal information
“ABCD” represents the certification institution.
According to the Rules, the modes of Personal Information Protection Certification include[96]:
Certificates issued by certification institutions are valid for three years. To keep a certificate valid, the personal information processor must pass post-certification supervision during the validity period. An application to renew a certificate that is due to expire should be made within the six months before the expiry date, and the certificate is renewed only where the processor has passed the certification institution’s post-certification supervision and continues to satisfy the certification requirements[97].
As the Rules specify no implementation date, their date of issue (18 November 2022) is taken as their effective date.
The Security Assessment Measures on Cross-border Transfers of Data (the Measures) apply to security assessments of cross-border transfers of critical data and personal information that data processors collect and generate in the course of their operations in the Mainland[99]. “Critical data” means data which, if tampered with, damaged, leaked, or illegally acquired or used, may endanger national security, economic operation, social stability, public health and safety, etc.[100] It is worth noting that, as stated in the Draft Information Security Technology – Guideline for Identification of Critical Data released by TC260 on 7 January 2022, “critical data” specifically excludes state secrets and personal information; however, statistical and derivative data formed from massive amounts of personal information may be regarded as critical data[101].
According to the Measures, a data processor (including an enterprise or organisation) that transfers data out of the Mainland shall, in any of the following situations, carry out a self-assessment of the risks of the transfer and report to the CAC for a security assessment through the local cyberspace administration authority at the provincial level[102]:
Regarding the applicability of the Measures, it should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).
The self-assessment shall address, among others, the following key factors[103]:
As to the procedure for reporting a security assessment, the Measures require the data processor to submit its reporting materials to the local cyberspace administration authority at the provincial level, which shall, within five working days of receipt, check that the materials are complete and, if so, forward them to the CAC[104]. The CAC shall, within seven working days of receiving the materials, decide whether to accept them for assessment and notify the data processor in writing[105]. The CAC shall complete the security assessment within 45 working days of issuing the written acceptance notice[106]; where the case is complicated or the materials need to be supplemented or corrected, this period may be extended appropriately and the data processor notified of the expected extension[107]. The Measures also provide for a re-assessment mechanism: a data processor that objects to the assessment result may apply for a re-assessment within 15 working days of receiving the result, and the re-assessment result is final[108]. Furthermore, the Measures empower the relevant authorities to hold a data processor legally accountable in accordance with the law if it wilfully submits false materials[109].
To guide and assist data processors in reporting security assessments of cross-border transfers of data in a regulated and orderly manner, the CAC issued the Guidance on Reporting Security Assessments of Cross-border Transfers of Data (1st edition)[110] on 31 August 2022 and the 2nd edition[111] on 22 March 2024, explaining the specific requirements as to the means and procedure of reporting and the materials to be submitted.
According to the Measures, the result of a security assessment of cross-border transfers of data is valid for two years from the date on which it is issued. The Measures set out the circumstances in which a data processor must report afresh before that period expires[112]:
Regarding the validity of the security assessment of cross-border transfers of data, the Measures should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).
The Measures require a data processor that wishes to continue transferring data out of the Mainland to submit a fresh security assessment report 60 working days before the validity period expires[113].
Lastly, the Measures provide that where cross-border data transfers carried out before 1 September 2022 (the date on which the Measures came into operation) do not conform to the Measures, the situation must be rectified within six months of that date[114].
The CAC promulgated the Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Standard Contract Measures) on 24 February 2023. The Standard Contract Measures, which comprise 13 articles and a template standard contract, came into operation on 1 June 2023.
The Standard Contract Measures are promulgated pursuant to laws and regulations including the PIPL[116]. Personal information processors that wish to rely on a standard contract as the basis for transferring personal information out of the Mainland under Article 38(3)[117] of the PIPL must follow the Standard Contract Measures and enter into the standard contract[118]. The Standard Contract Measures also stipulate clearly that any other contractual terms agreed between a personal information processor and a recipient outside the jurisdiction must not conflict with the standard contract[119].
According to the Standard Contract Measures, a personal information processor that satisfies all of the following conditions may rely on a standard contract to transfer personal information out of the Mainland[120]:
Regarding the applicability of the Standard Contract Measures, it should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).
Pursuant to the Standard Contract Measures, the personal information processor shall enter into the standard contract strictly in accordance with the template[121] and shall carry out a personal information protection impact assessment before transferring personal information out of the Mainland[122]. The signed standard contract, together with the impact assessment report, shall be filed with the local cyberspace administration authority at the provincial level within 10 working days of the contract taking effect[123]. Personal information may be transferred out of the Mainland only after the standard contract has taken effect[124].
To guide and assist personal information processors in filing standard contracts for cross-border transfers of personal information in an orderly manner, the CAC issued the Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition)[125] on 30 May 2023 and the 2nd edition[126] on 22 March 2024, setting out the mode of filing, the filing procedure and the materials to be submitted, etc.
Further, it is noteworthy that the Standard Contract Measures stipulate clearly that a personal information processor that is required to undergo a security assessment for transferring personal information out of the Mainland must not use quantity splitting or similar tactics in order to transfer the personal information out of the jurisdiction under a standard contract instead[127].
The personal information protection impact assessment shall assess, among others, the following key matters[128]:
Where any of the following situations take place during the effective period of the standard contract, the personal information processor shall conduct a new personal information protection impact assessment, supplement or re-enter into a standard contract with the personal information recipient outside the jurisdiction, and comply with the corresponding filing requirements:
As to the terms of the standard contract, they cover, among others, the obligations of the personal information processor and of the recipient outside the jurisdiction[130], the impact of the personal information protection policies and regulations in the recipient’s location on the performance of the standard contract[131], the rights of individuals[132], the remedies available to individuals[133], and liability for breach of contract[134]. The personal information processor and the recipient outside the jurisdiction may also agree other provisions where necessary.
Finally, where cross-border transfers of personal information that commenced before the Standard Contract Measures took effect (1 June 2023) do not conform to the Standard Contract Measures, the situation must be rectified within six months of that date (i.e. by 30 November 2023)[135].
The CAC released the Regulations on Facilitating and Regulating Cross-Border Data Flow (the Regulations) on 22 March 2024, and they came into effect on the same day. The Regulations, which comprise 14 articles, seek to facilitate the orderly and free flow of data by, among other things, introducing exemptions under which data processors need not conduct a security assessment, enter into a standard contract or obtain personal information protection certification.
According to the Regulations, where the data concerned has not been notified or publicly announced by the relevant authorities or regions as important data, the data processor need not report it for security assessment as important data[137]. The situations in which a data processor is exempted from conducting a security assessment, entering into a standard contract or obtaining personal information protection certification include:
The Regulations stipulate that a data processor must report to the CAC for a security assessment through the provincial cyberspace authorities where any of the following conditions is met[141]:
A data processor that is not a CIIO must enter into a standard contract or obtain personal information protection certification where, cumulatively since 1 January of the current year, it transfers out of the Mainland the personal information of 100,000 or more but fewer than 1,000,000 individuals (excluding sensitive personal information), or the sensitive personal information of fewer than 10,000 individuals[142].
Data processors that transfer personal information out of the Mainland must still fulfil obligations such as notifying individuals, obtaining their separate consent and conducting personal information protection impact assessments[143]. The result of an approved security assessment is valid for three years. A data processor that needs to continue transferring data abroad, and has not encountered any circumstance requiring a fresh application, may apply to the CAC within the 60 working days before expiry to extend the validity of the approved result; upon approval, the validity is extended for a further three years[144].
Within the framework of the national data classification and grading protection system, a pilot free trade zone may, according to its own needs, formulate a list of data that is subject to security assessment, a standard contract or personal information protection certification (a “negative list”)[145]. Upon approval by the provincial cybersecurity and informatization committee, the negative list is filed with the national CAC and the national data management authority. Data not on the negative list is exempt from the requirements to conduct a security assessment, enter into a standard contract or obtain personal information protection certification.
Finally, in the event of any inconsistency between the provisions of the Security Assessment Measures on Cross-border Transfers of Data or the Measures on the Standard Contract for Cross-border Transfers of Personal Information and those of the Regulations, the provisions of the Regulations prevail[146].
The Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area (MoU) on 29 June 2023 to jointly promote cross-boundary data flows in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). The Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) is a facilitation measure under the MoU to foster cross-boundary flows of personal information[147] within the GBA. It was formulated by the CAC, the ITIB and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).
The Chief Executive’s Policy Address 2024 stated that the facilitation measures of the GBA SC, piloted in the banking, credit referencing and healthcare sectors, would be extended to all sectors. As announced by the Digital Policy Office of the Government of the Hong Kong Special Administrative Region (DPO) on 1 November 2024, the facilitation measures of the GBA SC are extended to cover all sectors in Hong Kong with effect from 1 November 2024.
The GBA SC applies to cross-boundary flows of personal information between personal information processors[148] and recipients that are registered (in the case of organisations) or located (in the case of individuals) in the Mainland cities of the GBA (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province) and Hong Kong, covering both transfers of personal information from the Mainland GBA cities to Hong Kong and transfers from Hong Kong to the Mainland GBA cities.
The GBA SC contains the following eight parts:
Article 1 Definition
Article 2 Obligations and Responsibilities of Personal Information Processors (including data users)
Article 3 Obligations and Responsibilities of Recipients
Article 4 Rights of Personal Information Subjects (including data subjects)
Article 5 Remedies
Article 6 Termination of Contract
Article 7 Liabilities for Breach of Contract
Article 8 Miscellaneous
According to the GBA SC, personal information processors (including data users) must comply with the clauses stipulated therein. For instance, their obligations and responsibilities include (but are not limited to):
For recipients, their obligations and responsibilities under the GBA SC include (but are not limited to):
The Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (the Implementation Guidelines on the GBA SC) are guidelines established by the governments of the Mainland and Hong Kong for the implementation of the GBA SC. The Implementation Guidelines on the GBA SC came into operation on 13 December 2023. Personal information processors and recipients in the GBA may, in accordance with the requirements of the Implementation Guidelines on the GBA SC, conduct cross-boundary flows of personal information between the Mainland cities of the GBA and Hong Kong by entering into the Standard Contract[150].
To help organisations in Hong Kong understand the applicability of the GBA SC and its relationship with the Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data issued by the PCPD, the PCPD has issued the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.
Further information is available on the thematic website set up by the Digital Policy Office (DPO) of the Hong Kong Special Administrative Region Government (formerly the Office of the Government Chief Information Officer (OGCIO)).

The regulatory authorities under the GBA SC have published the following reference materials:

Regulatory Authority | Subject Matter | Reference Materials
---|---|---
PCPD | Personal information protection impact assessments | 
DPO (formerly OGCIO) | Filing requirements | Filing Guidelines on the “Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”
Cyberspace Administration of Guangdong Province | Filing requirements | Announcement on the Facilitation Measure on the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (關於落實《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同實施指引》的通知) (Chinese only)
Date of Publication | Date of Implementation | Relevant Document | Area of Interest | Description |
---|---|---|---|---|
14 September 2024 | Not specified | Cybersecurity Technology — Labeling Method for Content Generated by Artificial Intelligence (Consultation Paper) | Artificial Intelligence |
The Draft Consultation Paper provides detailed technical requirements on how to label artificial intelligence generated content, such as text, audio and video with explicit label and implicit label. The Draft Consultation Paper is applicable to artificial intelligence content generation service providers and online information content propagation service providers. Full text (available in Chinese only) |
14 September 2024 |
Not specified | Measures for Labelling AI-Generated Synthetic Content (Consultation Paper) (Draft Measures) | Artificial Intelligence |
The Draft Measures further standardises the labelling of artificial intelligence generated content and specifies the obligations of (i) artificial intelligence content generation service providers, (ii) online information content propagation service providers and their users, and (iii) online application distribution platform operators. Full text (available in Chinese only) |
9 September 2024 |
Not specified | AI Safety Governance Framework | Artificial Intelligence |
To implement the Global AI Governance Initiative and promote consensus and coordinated efforts on AI safety governance among governments, international organisations, companies, research institutes, civil organisations and individuals, the Framework aims to effectively prevent and defuse AI safety risks. Full textMainland Corner’s September 2024 Column (available in Chinese only) |
26 July 2024 | Not specified | Draft Measures for the Administration of National Cyberspace Identity Authentication Public Services | Processing of Personal Information |
The Draft Measures proposes the establishment of a national public service platform for, among others, granting and authenticating cyberspace IDs. Users can avoid providing personal information in plaintext (e.g. their government-issued ID card numbers) to internet service providers for account registration and identity authentication purposes. Full text (available in Chinese only) Mainland Corner’s August 2024 Column (available in Chinese only) |
25 June 2024 | Not specified | Practical Guidance of Cybersecurity Standards – Cybersecurity Assessment Guidelines for Large Online Platforms | Cybersecurity |
To assist large online platforms in conducting cybersecurity assessments through identifying and preventing cybersecurity risks that affect or could potentially affect social stability or public interests, the Practical Guidance sets out the content of cybersecurity assessments and the methods of conducting them. Full text (available in Chinese only) Mainland Corner’s July 2024 Column (available in Chinese only) |
14 September 2024 |
Not specified | Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information | Processing of Personal Information |
To guide personal information processors in identifying sensitive personal information and to regulate the processing, export and protection of sensitive personal information, the Practical Guidance sets out the classification methods concerning sensitive personal information and identified common categories and examples of such sensitive personal information. Full text (available in Chinese only) Mainland Corner’s June 2024 Column on the Draft Practical Guidance (available in Chinese only) |
21 March 2024 | 1 October 2024 | Data Security Technology – Rules for Data Classification and Grading | Data Security |
To implement the national data classification and grading system as stipulated in the Data Security Law, the Data Security Technology – Rules for Data Classification and Grading sets out key guidelines in relation to the basic principles, frameworks, methods, and processes for data classification and grading. Full text (available in Chinese only) Mainland Corner’s May 2024 Column (available in Chinese only) |
29 February 2024 | Not specified | Basic Security Requirements for Generative Artificial Intelligence Service | Artificial Intelligence |
To support the implementation of the Interim Measures for the Management of Generative Artificial Intelligence Services, the Basic Security Requirements were issued to set out basic standards for service providers of generative artificial intelligence (AI) services in the Mainland to follow in relation to the security of AI training data and foundation models, the technical security measures to be adopted, as well as the requirements to comply with in conducting security assessments. Full text (available in Chinese only) Mainland Corner’s March 2024 Column (available in Chinese only) |
8 December 2023 Consultation ended on 7 January 2024 |
Not specified | Draft Management Measures on the Report of Cybersecurity Incidents | Cybersecurity |
To regulate the reporting of cybersecurity incidents and to reduce the losses and hazards resulted therefrom, the Draft Management Measures was drafted with a view to standardising the reporting procedures of cybersecurity incidents while setting out clear obligations for different relevant regulatory bodies to follow. Full text (available in Chinese only) |
16 October 2023 | 1 January 2024 | Regulations on the Protection of Minors in Cyberspace | Children Privacy |
The Regulations on the Internet Protection of Minors was drafted pursuant to the Law on the Protection of Minors, the PIPL and the Cybersecurity Law. It seeks to enhance the protection of personal information of minors and covers areas including the cultivation of cyberspace literacy, the dissemination of network content and the prevention of internet addiction. Full text (available in Chinese only)Mainland Corner’s January 2024 Column (available in Chinese only) |
25 August 2023 | Not specified | Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services | Artificial Intelligence |
The Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services sets out the implementation rules for labelling and demarcating content generated from generative artificial intelligence, including that of texts, images, audios, and videos. Apart from guiding providers of generative artificial intelligence to enhance the standards of content labelling, it also serves as a referential guide for other relevant regulatory departments. Full text (available in Chinese only) Mainland Corner’s September 2023 Column (available in Chinese only) |
9 August 2023 Consultation ended on 8 October 2023 |
Not specified | Draft Information Security Technology – Security Requirements for Processing of Sensitive Personal Information | Processing of Personal Information |
The Draft Information Security Technology – Security Requirements for Processing of Sensitive Personal Information seeks to regulate the processing activities of sensitive personal information by information processors in the Mainland. It also serves as a reference guide for regulatory departments and third-party assessment organisations in monitoring, managing and assessing the relevant processing activities. Full text (available in Chinese only) |
8 August 2023 Consultation ended on 7 September 2023 |
Not specified | Draft Interim Measures for the Regulation of Facial Recognition Technology | Facial Recognition |
The Draft Interim Measures for the Regulation of Facial Recognition Technology seeks to regulate the application of facial recognition technology in the Mainland to, amongst others, protect the personal information rights of individuals in the Mainland, their personal and property rights and interests, as well as to maintain public order and security. It applies to activities that process facial biometric information and provide products or services through the use of facial recognition technology in the Mainland. Full text (available in Chinese only) |
3 August 2023 Consultation ended on 2 September 2023 |
Not specified | Draft Measures for the Management of Compliance Audit for Personal Information Protection | Processing of Personal Information |
The Draft Measures for the Management of Compliance Audit for Personal Information Protection applies to information processors who are required to conduct regular compliance audits under the PIPL or if they are obliged to do so under the directions from the CAC or other relevant departments that are responsible for personal information protection. It also stipulates the rules that are applicable to the performance of such compliance audits. Full text (available in Chinese only) |
2 August 2023 Consultation ended on 2 September 2023 |
Not specified | Draft Guidelines for the Construction of Minors’ Mode on Mobile Internet | Children Privacy |
The Draft Guidelines for the Construction of Minors’ Mode on Mobile Internet is aimed at preventing minors from getting addicted to the internet by encouraging the development of a positive cyberspace in the Mainland. It requires platforms of different mobile intelligence terminals, mobile internet applications and mobile internet applications distribution services to develop a dedicated interface for minors in relation to their services to ensure compliance with the general requirements, technical requirements and management requirements of the CAC. Full text (available in Chinese only) |
10 July 2023 | 15 August 2023 | Interim Measures of the Management of Generative Artificial Intelligence Services | Artificial Intelligence |
The Interim Measures of the Management of Generative Artificial Intelligence Services applies to the use of generative artificial intelligence technologies in providing services of generated text, images, audios, videos etc. within the territory of the Mainland. It specifically requires relevant service providers who provide services that contain characteristics of public opinion or are capable of social mobilisation to conduct security assessments, and to conduct filing, rectification and cancellation of filing, etc. in accordance with the Rules on Management of Algorithmic Recommendations in Internet Information Services. Full text (available in Chinese only) Mainland Corner’s August 2023 Column (available in Chinese only) |
12 June 2024 |
1 August 2024 | Regulations on the Management of Cyber Violence Information | Cybersecurity |
The Draft Regulations on the Management of Cyber Violence Information requires network information service providers to comply with their content management responsibilities by, amongst others, establishing a comprehensive mechanism on the governance of cyber violence information, and strengthening systems such as account management, audits of information dissemination, monitoring and early warnings, reporting and assistance, and addressing cyberviolence information. It aims to strengthen the governance of cyberviolence information while fostering a sustainable ecosystem over the Mainland’s internet sphere. Full text (available in Chinese only) |
23 May 2023 | 1 December 2023 | Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023) (The Implementation Guidelines) | Processing of Personal Information |
The Implementation Guidelines provides practical guidelines on the specific methods and steps for personal information processors to notify individuals under different scenarios, and stipulates the rules in obtaining their consent under the PIPL. As the PIPL has not provided clear definitions on “consent” and “notices”, the Implementation Guidelines is of referential value for personal information processors in complying with the PIPL. Full text (available in Chinese only) Mainland Corner’s July 2023 Column (available in Chinese only) |
25 November 2022 | 10 January 2023 | Provisions on the Administration of Deep Synthesis of Internet-based Information Services | Artificial Intelligence |
The Provisions on the Administration of Deep Synthesis of Internet-based Information Services applies to deep synthesis service providers that use deep synthesis technology in the Mainland. It sets out the relevant regulations in relation to the provision of deep synthesis services and provides concrete guidance on the regulatory work concerning deep synthesis technology. Full text (available in Chinese only) Mainland Corner’s February 2023 Column (available in Chinese only) |
25 September 2021 | 25 September 2021 | The Code of Ethics for the New Generation of Artificial Intelligence | Artificial Intelligence |
The Code of Ethics for the New Generation of Artificial Intelligence aims to integrate ethics and morals into the full life cycle of AI and provide ethical guidance for stakeholders engaged in AI-related activities to follow. Full text (available in Chinese only) |
10 June 2021 | 1 September 2021 | Data Security Law | Data Security |
The Data Security Law applies to data processing activities in the Mainland and provides for the regulation of such activities. It establishes a data categorisation and classification system as well as a data security risk assessment framework. It also sets out other guidelines in relation to the monitoring and giving of early alerts of data security risks, the establishment of a data security emergency response mechanism, and a review system for data security etc. The Data Security Law is administered and enforced by the Cyberspace Administration of China. Full text (available in Chinese only) Mainland Corner’s June 2021 Column (available in Chinese only) |
7 November 2016 | 1 June 2017 | Cybersecurity Law | Cybersecurity |
The Cybersecurity Law is the first legislation regulating cybersecurity in the Mainland. It applies to the construction, operation, maintenance and use of the network as well as the supervision and administration of cybersecurity in the Mainland. The Cybersecurity Law provides specific regulations for network operators and critical information infrastructure operators to follow. It is administered and enforced by the Cyberspace Administration of China. Full text (available in Chinese only) |
1. Article 1 of the PIPL
2. Article 3 of the PIPL
3. Article 33 of the PIPL
4. Article 73(1) of the PIPL
5. Article 3 of the PIPL
6. Article 4 of the PIPL
7. Article 28 of the PIPL
8. Article 7 of the PIPL
9. Article 17 of the PIPL
10. Article 17 of the PIPL
11. Article 22 of the PIPL
12. Article 23 of the PIPL
13. Article 4 of the PIPL
14. Article 5 of the PIPL
15. Article 6 of the PIPL
16. Article 13 of the PIPL
17. Article 10 of the PIPL
18. Article 26 of the PIPL
19. Article 72 of the PIPL
20. Article 28 of the PIPL
21. Article 29 of the PIPL
22. Articles 55 to 56 of the PIPL
23. Article 30 of the PIPL
24. Article 31 of the PIPL
25. Article 14 of the PIPL
26. Article 13 of the PIPL
27. Articles 14 and 23 of the PIPL
28. Article 27 of the PIPL
29. Article 23 of the PIPL
30. Article 25 of the PIPL
31. Article 29 of the PIPL
32. Article 26 of the PIPL
33. Article 39 of the PIPL
34. Article 31 of the PIPL
35. Article 16 of the PIPL
36. Article 15 of the PIPL
37. Article 8 of the PIPL
38. Article 9 of the PIPL
39. Article 21 of the PIPL
40. Article 59 of the PIPL
41. Article 19 of the PIPL
42. Article 47 of the PIPL
43. Article 51 of the PIPL
44. Article 52 of the PIPL
45. Article 53 of the PIPL
46. Article 54 of the PIPL
47. Articles 55 to 56 of the PIPL
48. Article 58 of the PIPL
49. Article 57 of the PIPL
50. Article 57 of the PIPL
51. Articles 55 to 56 of the PIPL
52. Articles 38 to 39 of the PIPL
53. Article 38 of the PIPL
54. Article 38 of the PIPL
55. Article 39 of the PIPL
56. Article 40 of the PIPL
57. Article 73(2) of the PIPL
58. Article 24 of the PIPL
59. Article 24 of the PIPL
60. Article 24 of the PIPL
61. Articles 55 to 56 of the PIPL
62. Article 45 of the PIPL
63. Article 46 of the PIPL
64. Article 50 of the PIPL
65. Article 45 of the PIPL
66. Article 47 of the PIPL
67. Article 47 of the PIPL
68. Article 44 of the PIPL
69. Article 49 of the PIPL
70. Article 44 of the PIPL
71. Article 48 of the PIPL
72. Article 50 of the PIPL
73. Article 50 of the PIPL
74. Article 60 of the PIPL
75. Article 60 of the PIPL
76. Article 64 of the PIPL
77. Article 66 of the PIPL
78. Article 66 of the PIPL
79. Article 71 of the PIPL
80. Article 67 of the PIPL
81. Article 69 of the PIPL
82. Article 70 of the PIPL
83. Full text available at https://www.tc260.org.cn/front/postDetail.html?id=20221216161852 (Chinese only)
84. Full text available at https://www.tc260.org.cn/front/postDetail.html?id=20220624175016 (Chinese only)
85. Part 1 of the Guidance – Application Situations
86. Part 4 of the Guidance – Basic Principles
87. Part 5 of the Guidance – Basic Requirements
88. Part 6 of the Guidance – Protection of the Rights and Interests of Personal Information Subjects
89. Part 2 of the Guidance – Certification Bodies
90. Part 5.2.2 of the Guidance – Personal Information Protection Organisation
91. Part 6.2 of the Guidance – Obligations for Personal Information Processors and Data Recipients located outside the jurisdiction
92. Full text available at http://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm (Chinese only)
93. Where a personal information processor has a genuine need to carry out cross-border transfers of personal information owing to, among others, business needs, the processor shall obtain personal information protection certification from the relevant specialized institution according to the provisions issued by the national cybersecurity authorities.
94. Full text available at https://www.tc260.org.cn/piss/files/zwb.pdf (Chinese only)
95. Part 5.2 of the Rules – Certification Marks
96. Part 3 of the Rules – Certification Modes
97. Part 5.1.1 of the Rules – Renewal of Certification
98. Full text available at http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm (Chinese only)
99. Article 2 of the Measures
100. Article 19 of the Measures
101. Draft Information Security Technology – Guideline for Identification of Critical Data – 3.1 Critical Data
102. Article 4 of the Measures
103. Article 5 of the Measures
104. Article 7 of the Measures
105. Article 7 of the Measures
106. Article 12 of the Measures
107. Article 12 of the Measures
108. Article 13 of the Measures
109. Article 11 of the Measures
110. Guidance on Reporting Security Assessments of Cross-border Transfers of Data (1st edition): http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm (Chinese only)
111. Guidance on Reporting Security Assessments of Cross-border Transfers of Data (2nd edition): https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm (Chinese only)
112. Article 14 of the Measures
113. Article 14 of the Measures
114. Article 20 of the Measures
115. Full text of the Standard Contract Measures: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm (Chinese only)
116. Article 1 of the Standard Contract Measures
117. Where a personal information processor truly needs to transfer personal information out of the Mainland for business sake or other reasons, a personal information processor shall conclude a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace authority.
118. Article 2 of the Standard Contract Measures
119. Article 6 of the Standard Contract Measures
120. Article 6 of the Standard Contract Measures
121. Article 4 of the Standard Contract Measures
122. Article 5 of the Standard Contract Measures
123. Article 7 of the Standard Contract Measures
124. Article 6 of the Standard Contract Measures
125. Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition): http://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm (Chinese only)
126. Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (2nd edition): https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm (Chinese only)
127. Article 4 of the Standard Contract Measures
128. Article 5 of the Standard Contract Measures
129. Article 8 of the Standard Contract Measures
130. Clauses 2 and 3 of the template standard contract
131. Clause 4 of the template standard contract
132. Clause 5 of the template standard contract
133. Clause 6 of the template standard contract
134. Clause 8 of the template standard contract
135. Clause 13 of the template standard contract
136. Full text: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm (Chinese only)
137. Article 2 of the Regulations
138. Article 3 of the Regulations
139. Article 4 of the Regulations
140. Article 5 of the Regulations
141. Article 7 of the Regulations
142. Article 8 of the Regulations
143. Article 10 of the Regulations
144. Article 9 of the Regulations
145. Article 6 of the Regulations
146. Article 13 of the Regulations
147. According to the GBA SC, personal information processed by personal information processors in the Mainland cities of the GBA shall be determined in accordance with the Personal Information Protection Law of the People’s Republic of China; personal information processed by personal information processors in the Hong Kong Special Administrative Region shall be determined in accordance with the definition of “personal data” under the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region.
148. According to the GBA SC, “personal information processor”, for the Mainland, refers to an organisation or individual that autonomously determines the purposes and means of personal information processing; for the Hong Kong Special Administrative Region, it also includes a “data user”, which, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. A “personal information processor” is a transferor of personal information across the boundary.
149. According to the GBA SC, “personal information subject”, for the Mainland, refers to the natural person identified by or associated with the personal information; for the Hong Kong Special Administrative Region, it also includes a “data subject”, which, in relation to personal data, means the individual who is the subject of the data.
150. Personal information that has been classified or promulgated by the relevant authorities or regions as critical data is excluded.