Data Protected - People's Republic of China
Last updated March 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
Personal Information Protection Law
The Personal Information Protection Law of the People’s Republic of China (the “PIPL”) is the primary personal data protection legislation in the People’s Republic of China (the “PRC” or “China”).
This summary mainly focuses on requirements under the PIPL, rather than other sector-specific laws and regulations.
Other sector-specific laws and regulations relating to data protection
The PRC Cybersecurity Law (the “CSL”) regulates cybersecurity in China. Despite its focus on cybersecurity, the CSL also contains general provisions relating to personal data protection. Most of these provisions are repeated in or supplemented by PIPL.
The PRC Data Security Law (the “DSL”) regulates data processing activities, in particular seeking to enhance the security of data and to facilitate the development and utilisation of data. While the DSL applies to data generally, it focuses on the protection of “important data” and “core data” that are relevant to the PRC’s national security, national economy and public interest. The majority of important data and core data is non-personal data.
In addition, there are principles and rules relating to data protection that can be found in other laws, regulations and local provisions, including: (i) general principles and provisions relating to privacy in the Chinese Constitution, the Civil Code and the Criminal Law; (ii) sector-specific provisions, such as laws and regulations relating to the credit reference, internet, financial, telecommunications, automotive, e-commerce and consumer protection sectors; (iii) legislation in connection with personal data protection at the local level, such as the Shenzhen Special Economic Zone Data Regulations, the Shanghai Municipal Data Regulations and the Sichuan Province Data Regulations; and (iv) various implementing rules under the CSL, DSL and PIPL (together, the “Personal Data Protection Regulations”).
There are also national and local guidelines on the protection of personal data, such as the guidelines on protection of personal data jointly issued by the General Administration of Quality Supervision, Inspection and Quarantine and the State Standardisation Administration (the “TC260”) in 2017 and amended in 2020 (the “Personal Data Protection Guidelines”). Although the Personal Data Protection Guidelines do not have the force of law, market participants regard them as setting out the best practice that Chinese regulators are likely to expect.
Finally, in January 2019, the Ministry of Industry and Information Technology (the “MIIT”), the Cyberspace Administration of China (the “CAC”), the Ministry of Public Security (the “MPS”) and the State Administration of Market Supervision (the “SAMR”) jointly announced a rectification programme targeting the misuse of personal data by operators of mobile internet applications in China (the “App Rectification Announcement”). Following release of the App Rectification Announcement, various implementing rules have been issued and apps generally remain under scrutiny by the relevant Chinese authorities.
References to China or the PRC in this summary are references to the People’s Republic of China excluding Taiwan and the Hong Kong and Macau Special Administrative Regions.
Entry into force
The PIPL came into force on 1 November 2021.
The CSL came into force on 1 June 2017.
The Personal Data Protection Guidelines came into effect on 1 October 2020.
The DSL came into force on 1 September 2021.
The Personal Data Protection Regulations have varying dates on which they entered into force.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
There is no independent data protection authority.
However, the CAC is responsible for the overall planning and co-ordination of personal data protection work and related supervision and administration, so is generally regarded as the leading data protection authority.
In addition, there are competent authorities in some industries that monitor the enforcement of the Personal Data Protection Regulations in their respective areas. In practice, these authorities typically include the MIIT, the MPS, the SAMR and their respective local branches.
Notification or registration scheme and timing
There is currently no general notification or registration obligation triggered by the collection of personal data.
However, there are some reporting requirements under the PIPL that may be applicable to certain organisations’ data processing activities in the PRC. For example, certain organisations are required to report to their supervisory authority information relating to their appointed local representative and/or data protection officers.
Exemptions to notification
Not applicable.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The PIPL applies to the processing of personal data within the PRC.
It also applies on an extraterritorial basis to processing activities outside the PRC: (i) for the purpose of providing products or services to natural persons located within the PRC; (ii) to analyse or assess behaviour of natural persons within the PRC; or (iii) under any other circumstance as provided by any law or administrative regulation.
Is there a concept of a controller and a processor?
Yes. The PIPL uses the terms “personal information processor” (similar to a controller) and “entrusted party” (similar to a processor).
A “personal information processor” (a “PI Processor”) refers to an organisation or individual that independently decides on the processing purposes and processing methods during personal data processing activities.
An “entrusted party” is not specifically defined in the PIPL but generally refers to a party that processes personal data on the PI Processor’s behalf, and must process personal data in line with the purpose, period and means as agreed upon with the PI Processor. Certain PIPL obligations also apply to an entrusted party.
Are both manual and electronic records subject to data protection legislation?
Yes.
Are there any national derogations?
Yes.
The PIPL does not impose obligations on individuals acting in a personal or domestic capacity. With respect to personal data processing by state organs: (i) while the PIPL also applies to processing activities conducted by the Chinese government, where Chinese law provides otherwise in respect of the processing of personal information for the purpose of statistical and archive administration organised and implemented by the government and its departments, the latter will prevail; and (ii) the notification obligations under the PIPL are further exempted when Chinese law requires otherwise or where notifying data subjects will hinder state organs from performing their statutory duties.
In general, disclosure obligations under Chinese law override personal data protection laws. Disclosure of data may be required by government authorities and courts under different circumstances.
Some key disclosure situations include: (i) entities and individuals are under an obligation to disclose information to regulators in regulatory investigations; (ii) the courts, public security organs and procuratorates may request entities and individuals involved in legal proceedings to give access to documents and information relating to such proceedings; (iii) government-held information must be disclosed where its non-disclosure would have a material adverse impact on the public interest; and (iv) the identity of dishonest debtors is disclosed in court enforcement proceedings.
_____________________________________________________________________
Personal Data
What is personal data?
Personal data (or more specifically, to use the term in the PIPL, “personal information”) refers to all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymised information.
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
Processing of personal data must comply with the general data protection principles under the PIPL:
- Lawfulness, legitimacy, necessity and good faith: personal data must be processed under the principles of lawfulness, legitimacy, necessity and good faith and must not be processed in a deceptive or misleading manner.
- Purpose limitation and data minimisation: personal data must be processed for clear and reasonable purposes and in a manner directly relevant to the processing purpose.
- Transparency: PI Processors must be open and transparent about their personal data processing and their rules on personal data processing.
- Accuracy: personal data must be accurate and updated in a timely manner.
- Accountability and security: PI Processors are responsible for their data processing activities and must take the necessary measures to protect the security of the personal data being processed.
- Storage limitation: personal data should be retained only for the minimum period necessary to fulfil the purpose of the processing, unless applicable laws provide otherwise.
The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (i) necessary for the conclusion or performance of a contract; (ii) necessary for human resources management in accordance with the law; (iii) necessary for the performance of statutory duties or obligations; (iv) necessary for the response to public health or other emergencies; (v) within a reasonable scope for news reporting, media supervision, and other activities conducted in the public interest; (vi) related to publicly available personal information and within a reasonable scope (yet to be defined) in accordance with the PIPL; and (vii) other circumstances as provided by laws or administrative regulations.
Are there any formalities to obtain consent to process personal data?
Yes. Consent must be voluntarily and explicitly given by the data subject on a fully informed basis.
As a general principle, to obtain consent, PI Processors must truthfully, accurately, and completely notify data subjects in a conspicuous way and in clear and easily understood language. In some cases, such as the processing of sensitive personal data, “separate consent” must be obtained, i.e. the consent cannot be bundled with the general consent to other processing activities.
Consent can be withdrawn by the data subject.
In May 2023, TC260 issued a set of national standards (effective since 1 December 2023) outlining industry best practice to guide organisations in implementing the notice and consent requirements in their personal data processing activities (the “Notice and Consent Standards”).
Are there any special rules when processing personal data about children?
Yes. Under the PIPL, a child is someone under the age of 14. Consent from a child in relation to processing of his or her personal data will only be valid if authorised by a parent or other guardian.
The personal data of children is treated under the PIPL as sensitive personal data so the additional obligations applicable to sensitive personal data would apply to the processing of personal data of children. There are also special rules protecting the criminal records of juveniles under the age of 18 (see below).
Are there any special rules when processing personal data about employees?
Apart from the legal basis under the PIPL of processing personal data as is necessary for human resources management in accordance with the law (see above), there are no specific rules regulating the processing of personal data about employees.
There are, however, restrictions relating to collection of personal data of employees. Under the Employment Contract Law, an employer is entitled to assess the basic situation of an employee related to his or her employment contract, and the employee must provide information as requested accordingly. While there is no guidance on the meaning of “the basic situation of an employee related to an employee’s employment contract”, in practice an employer may not collect an employee’s personal data which bears no relationship to his or her employment, such as his or her religious belief, details of personal property, etc. In addition, if the processing involves sensitive personal data, which is common in an employment context, additional obligations applicable to sensitive personal data would apply to such processing (see below).
In addition, in February 2019 nine central governmental authorities issued a circular promoting the employment of females and putting an express ban on gender discrimination during recruitment. Under this circular, during a job interview, an employer is not permitted to ask a female candidate about her marital status or her circumstances relating to childbirth or children. Similarly, pregnancy tests are now prohibited as part of any pre-employment medical check. These requirements are reiterated in the Law on the Protection of Rights and Interests of Females amended in October 2022.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
Sensitive personal data refers to personal data that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or harm to their personal or property safety, including information such as biometrics, religious belief, specific identities, medical health, financial accounts, and information about minors under the age of 14.
This is different from the standard types of sensitive personal data (though there are some similarities).
Are there additional rules for processing sensitive personal data?
Yes. Processing of sensitive personal data can only be conducted as necessary for specific purposes and under strict protection. Additional notification should be provided to data subjects about the necessity of the processing and the impact on their rights and interests except where notification is not necessary in accordance with law. Where PI Processors rely on consent, they must obtain data subjects’ separate consent or, if required by relevant laws, written consent.
Finally, a PIPIA (as defined below) must be conducted before the processing of sensitive personal data.
Are there additional rules for processing information about criminal offences?
Information about criminal offences is likely to be treated as sensitive personal data and is thus subject to the additional rules for processing sensitive personal data (see above). There are no other specific rules regulating the processing of information about criminal offences.
However, there are specific rules on the procedures for requesting access to an individual’s own criminal records from the PRC public security organs. There are also special rules relating to criminal records of juveniles under 18 years old who commit a criminal offence and are sentenced to imprisonment for 5 years or less or receive lighter penalties. The records sought under both sets of rules must be kept strictly confidential and may not be provided to any entity or individual unless such provision is required according to applicable law.
In addition, any individual who has received a criminal penalty must actively report such information when enlisted or employed. Juveniles under 18 years old who commit a criminal offence, and are sentenced to imprisonment for 5 years or less or receive lighter penalties, are exempted from such reporting obligations.
Are there any formalities to obtain consent to process sensitive personal data?
Yes. Where personal data is processed on the basis of consent, a “separate consent” must be obtained, i.e. consent to the processing of personal information should not be bundled with consent to other processing activities.
Furthermore, where laws or administrative regulations other than the PIPL provide that written consent must be obtained for the processing of sensitive personal data, those provisions will prevail.
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
When a PI Processor processes personal data reaching or exceeding a certain volume (to be specified by the CAC), it must appoint a person in charge of personal data protection, commonly referred to as a data protection officer (a “DPO”).
The DPO’s contact details must be made public, and his or her name and contact details must be provided to the authority.
However, further details relating to the qualifications of any DPO remain to be released in implementation rules under the PIPL.
Although it is only best practice guidance, the Personal Data Protection Guidelines suggest that a data protection officer should be appointed to supervise personal data protection processes where a controller either: (i) has a principal business that involves processing of personal data and an aggregate number of employees in excess of 200; or (ii) processes personal data of more than 1,000,000 data subjects or expects to process personal data of more than 1,000,000 data subjects within 12 months, or processes the sensitive personal data of more than 100,000 data subjects.
What are the duties of a data protection officer?
A DPO is in charge of an organisation’s personal data protection, responsible for overseeing personal data processing activities as well as the protection measures taken.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
Yes. The PIPL introduced accountability obligations, stating that PI Processors must be responsible for their data processing activities and take necessary measures to protect the security of personal data being processed.
Following this principle, organisations are mandated to formulate internal management systems and operational procedures, implement classified management of personal information, adopt corresponding security technical measures, conduct regular safety education and training for practitioners, etc.
PI Processors are also required to keep records of certain processing activities, similar to the record keeping obligations in the GDPR.
Are privacy impact assessments mandatory?
Yes. The PIPL requires a PI Processor to conduct a personal information protection impact assessment (“PIPIA”) where it: (i) processes sensitive personal data; (ii) uses personal data to conduct automated decision-making; (iii) entrusts personal data processing to another party, provides personal data to other PI Processors, or discloses personal data to the public; (iv) provides personal data to an overseas recipient; or (v) conducts other personal data processing activities which have a major impact on data subjects’ rights and interests.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
Before processing personal data, a PI Processor must truthfully, accurately, and completely notify data subjects of the processing in a conspicuous way and in clear and easily understood language (with limited exceptions and qualifications).
The matters to be notified to data subjects include: (i) the name and contact information of the PI Processor; (ii) purposes and methods of processing of personal data, categories of personal data to be processed, and the retention periods; (iii) methods and procedures for data subjects to exercise the rights provided in the PIPL; and (iv) other matters that should be notified as provided by laws and administrative regulations. Where any matter as set forth in (i) to (iv) changes, the PI Processor must notify the data subject of the change.
In addition, in March 2019, in connection with the App Rectification Announcement, a special working group commissioned by the CAC, MIIT, MPS and SAMR published more detailed guidance on privacy notices as part of their guidelines for self-assessment of the illegal collection and use of personal data by mobile application operators (the “App Self-Assessment Guidelines”).
In May 2022, TC260 released a draft national standard named Information Security Technology — Requirements of Privacy Policy of Internet Platforms, Products and Services for public consultation which, once implemented, will provide more detailed guidance on drafting privacy notices.
The Notice and Consent Standards also set out helpful guidance on how to fulfil the requirements relating to information notices.
Rights to access information
Data subjects have the right to access, and be given a copy of, their personal data from PI Processors, except under limited circumstances where the laws or administrative regulations provide that the processing must be kept confidential.
Where data subjects request access to or a copy of their personal data, PI Processors must provide such data in a timely manner.
Rights to data portability
Where specific conditions are met (to be specified by the CAC) data subjects can ask a PI Processor to transfer their personal data to another PI Processor.
Right to be forgotten
A data subject has the right to request the PI Processor to delete his or her personal data if: (i) the processing purpose has been achieved or cannot be achieved, or it is no longer necessary to achieve the processing purpose; (ii) the PI Processor ceases the provision of products or services, or the retention period has expired; (iii) the data subject withdraws consent; (iv) the PI Processor processes personal data in violation of any law or administrative regulation or the agreement; or (v) other circumstances as provided by laws and administrative regulations.
Objection to direct marketing
There is no general right to object to direct marketing under the PIPL. However, data subjects have the right to withdraw consent to the processing of their personal data that relies on their consent. As, in general, the processing of personal data for direct marketing purposes can only be conducted with data subjects’ consent, the right to withdraw consent would entail the right to object to direct marketing.
In addition, for marketing conducted by means of automated decision-making, PI Processors must simultaneously provide data subjects with options not targeting individuals' characteristics or convenient ways to object to such processing.
Other rights
The PIPL also provides other types of rights to data subjects (with limited exceptions and qualifications), including: (i) the right to correct or supplement when personal data is found incorrect or incomplete; (ii) the right to request PI Processors to explain their rules for the processing of personal data; (iii) the right to object to decisions made by the PI Processor solely through automated decision-making; and (iv) the right of a deceased person’s close relative to exercise certain rights.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
The PIPL contains a general obligation to take necessary measures to protect the security of personal data being processed (see above). Organisations must take measures to prevent unauthorised access to, or the leakage, tampering or loss of, any personal data. As part of this they must formulate an internal management system and operational procedures, implement classified management of personal data and adopt technical measures such as encryption and de-identification.
Specific rules governing processing by third party agents (processors)
Under the PIPL, a PI Processor entrusting the processing of personal data to an entrusted party must oversee the entrusted processing, putting in place an agreement with the entrusted party on a number of matters relating to the processing and rights and obligations between both parties. An entrusted party can only process personal data as agreed and instructed.
Notice of breach laws
The PIPL requires PI Processors to immediately take remedial measures, and notify the competent authorities and affected data subjects immediately where there is an actual or potential breach, tampering, or loss of personal data.
An exception applies to notifying affected data subjects where measures have been taken to effectively avoid the harm created by the breach. However, the authorities may still require affected data subjects to be notified if they believe the breach may create harm to the data subjects.
On 8 December 2023, the CAC released the draft Administrative Measures for Cybersecurity Incident Reporting, together with the Cybersecurity Incident Grading Guide and the Cybersecurity Incident Information Reporting Form, for public consultation, detailing the requirements that organisations should follow in the event of a cyber incident. On the same day, the MIIT adopted the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation), enhancing data security regulation, including data breach reporting requirements, in that sector. Five days later, the MIIT published a draft contingency plan for data security incidents in the industry and information technology sector, proposing a four-tier, colour-coded system based on factors such as the degree of urgency, development status, scale of data, associated consequences and the actual harm.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Data localisation: Under the PIPL, personal data collected and generated in the PRC by a critical information infrastructure operator or a PI Processor processing personal data reaching a certain threshold amount must store such data domestically, and export of such personal data is subject to certain restrictions (see below).
Data export mechanisms: Under the PIPL, PI Processors must satisfy at least one of the following conditions to transfer personal data outside the PRC: (i) passing a security assessment organised by the CAC, to the extent the data localisation requirements above apply; (ii) obtaining a personal data protection certification issued by a specialised institution; (iii) concluding a contract with the overseas recipient incorporating the “standard contract” to be formulated by the CAC; or (iv) fulfilling other conditions provided in law and regulations.
Additional requirements: Apart from the above, the PIPL further prescribes additional requirements applicable to a personal data export, such as to obtain separate consent (where applicable), provide additional notification and conduct a PIPIA.
In particular, the current status of the four data export mechanisms as stated above is as follows:
- Security assessment: The Data Export Security Assessment Measures took effect from 1 September 2022, which specify the criteria for assessing when an outbound data transfer triggers a mandatory CAC-led security assessment and set out how to complete this assessment.
- Personal data protection certification: In June 2022, TC260 released guidance on the personal data protection certification regime. On 4 November 2022, the Implementation Rules for Personal Information Protection Certification were published by the CAC with immediate effect. A new set of draft national standards governing this transfer mechanism was released in March 2023.
- Standard contract: The China Personal Information Export Standard Contract (also known as the “China SCC”) became effective on 1 June 2023. To rely on this transfer mechanism, an organisation must submit, for filing purposes, its executed standard contract and a completed PIPIA report to the competent provincial CAC within 10 working days from the effective date of the standard contract.
- Special derogations and conditions: On 22 March 2024, the CAC released the Provisions on Facilitating and Regulating Cross-border Data Flows. The provisions lift the above data export restrictions for certain business activities. Similarly, several development plans for the pilot free trade zones in the cities of Shanghai and Tianjin were published in late December 2023 and early 2024, which signalled China’s intention to ease regulatory restrictions for enterprises registered in those zones. Mainland China and the Hong Kong SAR are also exploring, and have begun to implement, pilot regimes for cross-border data transfers within the Guangdong-Hong Kong-Macau Greater Bay Area.
Notification and approval of national regulator (including notification of use of Model Contracts)
As set out above, a PI Processor will require approval in some cases, e.g. where it needs to pass a security assessment organised by the CAC.
Currently there is no obligation under applicable law to obtain approval for the use of the standard contract. Nevertheless, as set out above, where an organisation relies on the China standard contract mechanism, the executed standard contract and its respective PIPIA report must be filed with the local branch of the CAC within 10 working days from the effective date of the standard contract.
Use of binding corporate rules
There are no rules relating to the use of binding corporate rules, although a data export certification regime (to be implemented) may introduce similarities in this respect.
_____________________________________________________________________
Enforcement
Fines
The regulators have a range of powers under the PIPL, including directing an organisation to pay a financial penalty of up to RMB 50 million (circa USD 7 million) or up to 5% of the previous year’s turnover.
In addition, the directly responsible persons (e.g. directors, senior managers, DPOs or other persons who are in charge of data processing within the organisation) can be subject to a fine of up to RMB 1 million (circa USD 140,000) and prohibited from assuming managerial and DPO roles for a certain period.
Imprisonment
Under the Chinese Criminal Law, any individual may be imprisoned for up to seven years for: (i) illegally selling or providing to others personal data; or (ii) stealing or otherwise illegally accessing personal data, if in either case the relevant circumstances are severe.
Compensation
When the personal data processing infringes upon rights and interests relating to personal data and causes damage, and the organisation cannot prove that it is not at fault, the organisation may have civil liability for damage and other tort liability.
Other powers
Sanctions for contravention of the PIPL will depend on the legal obligation that has been contravened and the nature of that contravention. Sanctions may include administrative sanctions, such as a warning, fines, confiscation of profit arising from the violation, suspension or revocation of operating licences and website or application shutdown.
Practice
Enforcement against apps, mini programmes, websites, and other online platforms: Following the App Rectification Announcement in 2019, the Chinese authorities have taken sustained enforcement action against apps and other platforms. Based on publicly disclosed sanctions, in 2023, the CAC removed 259 mobile apps from app stores and ordered 119 mini-programmes to cease operation, arranged regulatory talks with 10,646 websites and ordered 453 websites to suspend functionality or updates. In the same year, the CAC, together with the authorities in charge of telecommunications, cancelled licences or filing registrations of, or closed, 14,624 websites. Separately, the MIIT announced that nine batches of a total of 292 apps and SDKs were removed from app stores due to violations of user rights.
Enforcement under the PIPL: Since the PIPL took effect on 1 November 2021, a growing number of cases and penalties have demonstrated more frequent enforcement and stricter scrutiny of personal information protection. Most notably, in September 2023 the CAC announced a fine of RMB 50 million (approx. USD 7 million) on one of China's major academic research databases for its illegal processing of personal information; earlier, in July 2022, it had imposed a fine of RMB 8.026 billion (approx. USD 1.13 billion) on a major Chinese ride-sharing service provider for violations of the PIPL, the DSL and the CSL. In the past year, local branches of the CAC have also been pressing ahead with enforcement against violations of the PIPL. For instance, the CAC branches in Shanghai, Zhejiang and Guangdong launched several special enforcement campaigns against the illegal collection or processing of consumers' personal information and other infringements of personal information protection rights.
Other enforcement action: The number of administrative and criminal cases relating to violations of the Personal Data Protection Regulations has increased in recent years. There have been cases of individuals being imprisoned for selling personal data in violation of the Chinese Criminal Law provision outlined above. In addition, there have been data protection and privacy related civil lawsuits brought by individuals, as well as public interest litigation launched by local procuratorates and consumer associations.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
The principal regulation on ePrivacy is the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information on the internet which was issued at the end of 2012. This is the first general rule relating to ePrivacy. Some of the other Personal Data Protection Regulations issued by China’s other competent regulatory authorities (such as the MIIT) also include provisions that relate to electronic privacy. For example, the Measures for the Administration of Internet E-mail Services (promulgated in early 2006) include rules relating to marketing by e-mail, as does the Consumer Protection Law (collectively, the “Electronic Privacy Regulations”).
_____________________________________________________________________
Cookies
Conditions for use of cookies
There are no specific requirements or conditions relating to the use of cookies under the Electronic Privacy Regulations.
Regulatory guidance on the use of cookies
The App Self-Assessment Guidelines provide that, where cookies (and other similar techniques) are used for collecting personal data, app users should be explicitly informed about the purpose and method of collection and the scope of personal data to be collected.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Electronic Privacy Regulations stipulate that an individual or institution may only send commercial electronic information by e-mail where: (i) it has obtained prior consent from the receiver or the e-mail is at the receiver’s request; (ii) the receiver has not explicitly refused to receive such information; and (iii) the subject heading of the e-mail includes the words “advertisement” or “AD” (or the equivalent in Chinese as prescribed by the regulations).
Furthermore, when sending commercial advertisements by e-mail, the sender must provide its contact information so that recipients are able to 'opt out' or 'unsubscribe'.
Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.
Conditions for direct marketing by e-mail to corporate subscribers
Although not entirely clear on the face of the Electronic Privacy Regulations, the MIIT seems to take the position that the regulations in respect of direct marketing by e-mail generally apply to corporate subscribers as well as individuals (since individuals similarly operate corporate e-mail accounts).
Exemptions and other issues
The Electronic Privacy Regulations do not include more detailed rules or exemptions except for the general requirements set out above.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The Electronic Privacy Regulations stipulate that an individual or institution may only send commercial electronic information to fixed-line telephones or mobile phones where: (i) it has obtained the prior consent of the receiver or the call is at the receiver's request; and (ii) the receiver has not explicitly refused to receive such information.
In addition, it is illegal to operate advertising text message services without obtaining a licence from the MIIT.
Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The Electronic Privacy Regulations, in respect of direct marketing by telephone, only apply to individuals and not corporate subscribers.
Exemptions and other issues
The Electronic Privacy Regulations currently in effect do not include more detailed rules or exemptions beyond the general requirements set out above.
On 31 August 2020, the MIIT released the Draft Administrative Provisions on Communication SMS and Voice Call Services for public consultation, seeking to tighten the regulation of telephone marketing. In particular, the draft rules prohibit organisations from sending commercial SMS messages or making commercial calls without the user's consent or request, or where the user has expressly refused. In addition, a user who does not explicitly agree is deemed to have refused, and if a user who previously consented later expressly refuses, the organisation must stop the activity. However, these draft rules have not yet been finalised or taken effect.
_____________________________________________________________________