Cyber Security in China

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

The PRC Criminal Law broadly prohibits anyone from illegally obtaining the personal data of others by theft or any other means. If the circumstances are serious, the offender may be sentenced to imprisonment of up to three years and/or a fine. Where an entity commits such an offence, the entity shall be fined, and the person in charge and other directly responsible personnel may also be subject to criminal penalties. The Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Network Information also provides administrative penalties for stealing or otherwise illegally obtaining the personal data of others, and for selling or otherwise illegally providing the personal data of others. These penalties include warnings, fines, confiscation of illegal gains, revocation of business licences, closure of websites, prohibition of the responsible personnel from engaging in internet services, and being recorded in social credit files and disclosed to the public. In serious cases where the infringement of personal data constitutes an act against public security administration, the offender may be subject to warnings, fines and/or administrative detention of up to 20 days under the Law of the PRC on the Imposition of Penalties in connection with the Administration of Law and Order.

Note that none of the laws mentioned above defines what constitutes “illegally obtaining” personal information. Under a broad interpretation, the term could cover both unauthorised access to data and storage of such data, depending on the intent of the offender.

In addition to criminal and administrative penalties, the PRC Tort Liability Law establishes a private right of action for infringement of one’s right to privacy. The infringed party may seek compensation for actual losses (or, if actual losses cannot be determined, the profits arising from the infringement) and, where applicable, damages for emotional distress, in addition to other remedies provided under the law (e.g. cessation of the infringement, return of property, an apology from the infringer, restoration of reputation, etc.). Given the potentially broad scope of privacy rights, a person who accesses the personal data of others without authorisation, or stores data which has been accessed without authorisation, may be subject to civil liability for infringing the privacy rights of others. Where such an infringement is committed by an internet user through the internet, the internet content service provider is jointly and severally liable with the internet user if (i) after being notified of the infringement, the provider fails to take necessary action to remedy it (such as deleting or blocking the infringing content or disconnecting the link), and this causes additional harm to the infringed party, or (ii) the provider is aware that the internet user is committing the infringement through its services and fails to take necessary measures.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

Currently there is no specific legal mechanism to address or remedy a data breach. The infringed party may bring a case against the data possessor or suspected infringer through ordinary civil or criminal proceedings, and seek the court’s assistance in collecting or preserving evidence (in a civil case) or rely on police investigation (in a criminal case). However, the threshold for initiating a criminal case can be high, the cost of a civil lawsuit can be substantial, and the efficacy of these procedures in enabling fact-finding by data subjects remains largely untested.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

As mentioned above, there is currently no specific legal mechanism that aims to help data subjects investigate and collect information regarding a data breach incident. As a general comment, under the PRC Civil Procedure Law the courts have the power to order “preservation measures”, such as orders for specific performance or injunctions, where such measures are necessary to facilitate enforcement of a judgment or to prevent harm from being done to one party. Thus, if the infringed party has brought civil proceedings against the data possessor to retrieve and preserve relevant data records, it may also apply for a restrictive order requiring the data possessor to keep confidential any information or documentation so obtained, to the extent necessary to prevent tipping off the infringer and harm to the infringed party. However, as civil proceedings involving data breach claims have been uncommon in China, it is unclear whether the courts would grant such a restrictive order. Under the PRC Criminal Procedure Law, evidence collected in criminal proceedings must be kept confidential if it concerns state secrets, trade secrets or personal information, and entities and persons requested to cooperate with the police’s technical investigation measures must keep their involvement and the relevant information confidential.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

In criminal proceedings, the pre-trial investigation phase is normally conducted confidentially. At the trial stage, however, both civil and criminal cases are tried in public, except for cases involving state secrets, trade secrets or the private affairs of individuals. It remains to be tested whether a case arising from a data breach would be regarded as one involving the privacy of individuals and thus be exempt from public trial. In any event, courts are required to pronounce their judgments publicly regardless of whether the case was tried in public.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

Yes, if the proceedings are stopped before a judgment or ruling is pronounced by the court. The plaintiff in a civil action may apply to withdraw the case at any time before a judgment or ruling is pronounced, and if the court grants the application, the plaintiff may commence proceedings on the same issue in this or another jurisdiction, so long as the statutes of limitation permit.

Is there an obligation in your jurisdiction to hold personal information securely?

China does not have a comprehensive data privacy law that imposes a general obligation to maintain personal information securely. However, various sector-specific regulations impose security and confidentiality requirements on certain entities and individuals with access to personal information, for example:

  • Telecommunications regulatory agencies, telecommunications business operators and internet information service providers and their personnel with respect to internet user information;
  • Business operators and their personnel with respect to consumer information;
  • Medical personnel, hospitals and public health authorities with respect to patient records;
  • Banks and bank personnel with respect to bank customer accounts and personal credit information;
  • Travel agencies with respect to tourists’ data;
  • School personnel with respect to student records;
  • Government agencies and personnel with respect to government records; and
  • Insurance personnel with respect to insurance customer information and other insurance records.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Chinese law currently does not restrict or place conditions on the cross-border transfer of information as a general matter. However, restrictions apply to the transfer of certain types of information outside China, including the following. Personal financial information collected within China by commercial banks must be stored, processed and analysed within the territory of China, and may not be transferred overseas unless otherwise permitted by law or regulation. Similarly, personal information collected by credit reporting agencies within China must be stored and processed within the territory of China, and credit reporting agencies must comply with the law when providing personal information to offshore entities or individuals. Population health information may not be stored on servers abroad. Information containing or concerning state secrets may not be transferred outside China.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

No.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

There is no mandatory requirement under PRC law to report data breaches to any authority as a general matter. However, reporting requirements apply in certain sectors, such as the financial, credit reporting, telecommunications, postal and tax sectors. Please see the answer to the question below.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

Yes; a few examples are provided below. In the financial sector, in the event of a breach concerning any personal financial data, financial institutions must promptly report the breach to the People’s Bank of China. In addition, a commercial bank must periodically examine the inquiries made of the individual credit database and report the results of that examination to the People’s Bank of China and the credit service centre. In the event of any actual or potential leakage, damage or loss of personal information that has caused or may cause serious consequences, telecommunications business operators and internet information service providers must immediately report the event to the relevant telecommunications regulatory authority. Any company providing postal or courier services must report to the relevant postal administration authority any information security incident concerning personal information collected and used in its mailing and courier services. In the event of any leakage of confidential tax-related information of taxpayers, the relevant tax authority must report the event in a timely manner in accordance with relevant laws and regulations.