China’s Data Protection and Privacy Laws | 2023 Update

China has witnessed massive growth in the last few decades. However, the rise of the digital economy comes with its own challenges, compromising individuals’ privacy and damaging business reputation. Russia topped the list of countries with the maximum number of accounts breached (104.8 million) in 2022, and China ranked second with 34 million accounts exposed in the examined year. In response to the surge in data breaches, China has enforced data protection and privacy laws to protect citizens’ confidential data. 

An Overview of China’s Regulatory Framework

China promulgated and implemented the Data Security Law (DSL) and Personal Information Protection Law (PIPL) in 2021, together with the Cybersecurity Law that was implemented in 2017. The three aforementioned laws comprise the legal framework for managing data in the country. The Cybersecurity Law and Data Security Law focus on protecting public interests and national security. However, the PIPL safeguards individuals’ rights and interests whilst processing confidential details.

Under the aforementioned regulatory framework, several regulatory bodies and legislative departments have issued implementation requirements. Moreover, industry-specific regulations are revised, and national standards are set to provide practical guidance. For instance, the Cybersecurity Review Measures were declared on January 4, 2022, and were implemented on February 15, 2022. Thus, the regulatory framework for managing data has taken shape with the evolving privacy laws and establishment of practical guidance. 

Suggested Read: China’s AML Framework and Regulatory Highlights of 2022

Main Regulator for Data Protection

In China, no single governing body or organisation is tasked with ensuring adherence to data protection laws. However, the regulatory bodies in charge of protecting confidential data under the PIPL include the Cyberspace Administration of China (CAC), relevant departments under the State Council, relevant provincial cyberspace administrations, and county-level or higher local government departments. In practice, the police are primarily responsible for carrying out practical enforcement, imposing administrative penalties and other crimes related to privacy breaches. 

Designated regulatory authorities will supervise sector-specific compliance. These industry-specific supervisory bodies include, but aren’t limited to: 

• China Banking and Insurance Regulatory Commission (CBIRC)
• National Medical Products Administration (NMPA)
• Ministry of Industry and Information Technology (MIIT) 
• National Health and Family Planning Commission (NHFPC)
• State Administration for Market Regulation (SAMR)
•  Ministry of Transportation (MOT)

If the data processing is related to China’s national security, the following bodies might assess the security based on the type of case.

• Ministry of State Security (MSS)
• China Securities Regulatory Commission (CSRC)
• Ministry of Finance (MOF)
• State Cipher Code Administration (SCCA)
• Ministry of Commerce (MOC)
• National Radio and Television Administration (NRTA)

Suggested Read: China Pledges “ZERO TOLERANCE” for Financial Fraud

Central Powers and their Responsibilities

Government agencies in charge of overseeing particular sectors are also tasked with monitoring adherence to data protection-related obligations within those sectors. The pertinent regulators oversee the relevant activity in their respective businesses.

Here are some of the central powers and their duties: 

• The CAC oversees extensive planning, coordination, supervision, and personal data protection work management.
• The pertinent State Council departments are tasked with protecting, supervising, and managing personal information within the respective scope.
• The relevant department of the country’s national and higher governments are responsible for protecting, supervising, and managing personal information according to pertinent provisions at the state levels.
• The MPS holds responsibility for overseeing and managing the security and testing of public information systems to regulate defined cybersecurity protection and punish cybercrime.
• The MIIT is irresponsible in monitoring the cybersecurity of internet companies and telecommunications.
• The CBIRC is in charge of ensuring that banks and other financial firms comply with data protection laws.
• The NHFPC is tasked with supervising compliance by medical institutions.
• The NMPA ensures that medical and healthcare products comply with China’s privacy laws.
• SAMR oversees data compliance in the consumer sector. 

Suggested Read: China’S Data Security and Personal Information Protection Laws [2022]

China Privacy Laws (2023 Update)

The CAC published the final version of the “Measures for the Standard Contract for Cross-border Transfer of Personal Information” (the Measures) and the “Standard Contractual Clauses for Cross-border Transfer of Personal Information” specified in the Personal Information Protection Law (PIPL SCCs) on February 22, 2023. Both the measures and (PIPL SCCs will take effect on June 1, 2023. The PIPL SCCs can transfer personal data outside China without undergoing a security assessment under the country’s PIPL.

China’s six-month grace period that gave businesses time to comply with the security assessment standards stated in the PIPL and the Measures expired on March 1, 2023. Only two businesses have officially gotten approval from the CAC to send data across borders. One was for a collaborative research project between a Chinese hospital and a Dutch medical facility, while the other was from a Chinese state-owned airline. International business applications have not received approval yet.

The State Council of China revealed plans on March 7, 2023, to merge the country’s privacy functions into a single National Data Bureau to resolve the anomalies in managing China’s data and security regulations.

Where Does Shufti Step in?

Shufti is GDPR compliant KYC solution provider that offers privacy and protects citizens’ Personally Identifiable Information (PII). Businesses operating in China need to invest in the KYC solution to abide by international and national standards and evolving regulations. As a result, this prevents them from paying hefty fines and reduces the risk of data breaches and other crimes in this age of digitisation.

Learn how a KYC solution helps your business abide by privacy laws and avoid heavy penalties.