Data Protection in China
On 1 May 2018, new standards will come into force that further clarifies the data protection rules of the Cyber Security Act.
The cybersecurity law came into force on 1 June 2017 and regulates the operation, maintenance and use of the Internet in China. On 1 May 2018, new standards will come into force and further clarify data protection rules of the Cyber Security Act. The following aspects are important:
- Online services, products, and commerce
- Internet providers
- Network name system for Wi-Fi or mobile ID
- Confidentiality of personal information
- Manage online information on your own website
Following the initial uncertainty and ambiguity caused by vague definitions, new requirements will come into force after 1 May 2018 to provide greater clarity.
National Standard for Data Protection
The cybersecurity law has so far created only a very rough legal framework for data security. The collection and processing of personal data, however, still lacks a set of clear rules.
A national standard for the protection of personal data should remedy this situation and affect both private and public organizations. As a result, new guidelines will apply to companies as well.
The standard was published on January 5, 2018, and will enter into force on May 1, 2018 (the Chinese version of the standard can be downloaded as a PDF here). In addition to data protection, it also specifies the processing of personal information.
It defines what is considered personal data, such as IP addresses, but also what is categorized as sensitive personal data.
What Type of Data is Protected?
Personal data includes:
- Basic data (e.g. name, gender, age)
- Identification numbers (e.g. ID number, passport number)
- Physiological and biological recognition features (e.g., DNA, fingerprints)
- Digital identification features (e.g. IP address, email address)
- Health data (e.g. medical records, genetic predisposition)
- Educational background and professional background (e.g. degrees, employment)
- Financial status (e.g., account data, real estate ownership)
- Communication data (e.g. call logs and – content, letter correspondences)
- Internet data (e.g. online history, browser behavior)
- Hardware information (e.g. MAC address, serial numbers)
- Geodata (for example GPS data, residential address)
- Other personal information (such as marital status, religious affiliation, sexual orientation)
Sensitive data includes any information from children under the age of 14 years as well as information about natural persons, which may have a negative impact on them if shared without permission. These include in particular:
- Financial status (e.g. account data, real estate ownership)
- Health data (e.g. medical records, genetic predisposition)
- Physiological and biological recognition features (e.g. DNA, fingerprints)
- Identification numbers (e.g. ID number, passport number)
- Internet data (e.g. online history, browser behavior)
- Other personal information (e.g. telephone number, sexual orientation)
In particular, the method of transmission is crucial for the protection. Should this data be compromised by either a data leak, illegal disclosure, or misuse, special criminal sanctions will apply.
OTHER SPECIFICATIONS FOR DATA PROTECTION
Further regulations of the cybersecurity law are also specified at the same time. These include, among other things, the appointment of a data protection officer, data usage, users’ right to information, and data storage.
Also, companies with more than 200 employees or an annual data volume of 50,000 individual datasets must appoint a data protection officer.
Furthermore, companies should limit their data collection to data necessary to achieve the business purpose. The user’s consent is required if the data is used for more than one specific purpose. In doing so, the Chinese government is aligning its standards with the OECD Guidelines on the Protection of Privacy.
Finally, the user should have the opportunity to view his personal data, make changes or delete it.
Businesses may be de-listed and have their business license revoked if they store or provide data from abroad. Apple, for example, has decided to relocate its data center for Chinese iCloud users to China to comply with cybersecurity law.
BENEFIT FROM OUR CYBERSECURITY-HEALTH CHECK
ECOVIS Heidelberg can provide you with a cybersecurity health check. We can verify if the website provider has qualified licenses or whether it qualifies for online payments. It is also possible to assess the cybersecurity of online trading or the security of the payment process. We can also review if the collection of personal information or the process of collecting, transmitting or storing data is lawful. Finally, we also evaluate whether the public and/or corporate server complies with the law.
If you have further questions about cybersecurity in China, feel free to visit our ECOVIS Heidelberg website or to contact us directly via heidelberg@ecovis.com at any time.