Provisions relating to personal data protection are found in various laws and regulations, but none of the provisions clearly define the scope of privacy rights. The main provisions are found in the General Principles of Civil Law and the Tort Liability Law, which define such rights as a right of reputation or right of privacy. A draft Personal Data Protection Law has been under review by the government for many years, but there is still no indication as to if and when such law will be passed.

The Ministry of Information and Industry of China ("MIIT") has published draft guidelines called the Information Security Technology – Guide for Personal Information Protection ("Draft Guidelines").

In 28 December 2012, the decision on strengthening online information protection (the "Decision") was adopted by the Standing Committee of the National People's Congress (NPC). The purpose of the Decision is to protect internet information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law.


Under the Draft Guidelines, personal data refers to any data or information in connection with a specific individual, which can be used, separately or in combination with other data, to identify the individual.

Personal data (which is referred to as 'personal information' in the Decision) means any electronic information which can enable you to identify citizen individual identity and relates to personal privacy.


There is currently no definition of "sensitive personal data" within existing or proposed laws or regulations.


There is no national data protection authority in the People's Republic of China ("PRC")


The PRC does not maintain a registration of personal data controllers, personal data processing activities, or databases containing personal information.


There is no requirement in the PRC for organisations to appoint a data protection officer.


Under the Draft Guidelines, data controllers may collect and process personal data when the following conditions are met:

  • laws and regulations explicitly authorise such collection or the data subject consents; and
  • the data controller has a specific, clear and reasonable purpose for doing so.

Before a data controller collects personal data, it should notify the data subject of the following:

  • the purpose, the scope of use and collection methods related to the collecting of the personal data;
  • the name, address and contact information of the data controller;
  • the consequences of not providing the requested personal data;
  • the rights of the data subject; and
  • channels for submitting complaints.

Data controllers are not allowed to collect personal data that has no direct relation with the stated purpose, and in particular data relating to race, religion, DNA, fingerprints, physical condition or sex life.

The data controller should process personal data for the stated purpose and within the scope that the data controller has notified to the data subject. The data controller should take measures to keep the collected personal data confidential during processing and storage of the data. If the data controller uses a third party to process the personal data, they should inform the data subject of this fact prior to collecting the data.

Under the Decision, network service providers and other enterprises may collect and use citizen personal information when the following conditions are met:

  • comply with the lawful, reasonable, necessary principle;
  • specify the purpose, method and scope regarding the collection and use of the citizen's personal information;
  • the personal information subject consents;
  • satisfy the requirements established by the laws, regulations and mutual agreement; and
  • disclose the rules regarding collection and use.


Under the Draft Guidelines, data controllers may transfer personal data to third parties (group companies are considered third parties) if the following conditions are met:

  • the data controller explains the purpose and subject of the data transfer to the data subject;
  • the data subject explicitly consents to such transfer; and
  • the data controller ensures the receiver has the capability to properly process the personal data and that the personal data will be safe during the transfer.

With respect to transfers, there are no specified requirements in the Decision.


Under the Draft Guidelines, data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Article 4 of the Decision has the same requirements as noted above.


There is no mandatory requirement in PRC law to report data security breaches or losses to any authority or to data subjects.


According to Articles 9 and 11 of the Decision, failure to comply with these requirements established in the Decision is an offence. Supervisory authorities can take considerable measures to punish or stop these illegal behaviours. Network service providers should cooperate and provide technical support when supervisory authorities perform their duties.

There is no enforcement provision or applicable penalties for non compliance with personal data protection requirements under other PRC laws and regulations.


Under the Decision, any organizations and individuals are forbidden from acquiring personal electronic information by theft or other illegal methods. Also, they are proscribed from selling or unlawfully providing personal electronic information to anyone else.

Network service providers will require users to provide genuine identification information when signing agreements to grant them access to the Internet, fixed-line telephone or mobile phone services or to permit users to make information publicly.

The Decision prohibits any organizations and personnel from sending commercial electronic information to a personal fixed-line telephone, mobile phone or email address without the consent or request of electronic information recipient, or where the recipient has explicitly declined to receive such information.


The Decision indicates that network service providers and other companies should ensure the privacy of personal information. They are not allowed to disclose, falsify, damage, as well as sell or unlawfully provide personal electronic information to anyone else.

Article 5 of the Decision indicates that network service providers should strengthen management of information issued by users. Also, network service providers should stop the transmission of unlawful information and take necessary measures to remove them and save relevant records, then report to supervisory authorities.

Once citizens find network information that discloses their identity or breaches their legal rights, or are harassed by commercial electronic information, they have the right to require that the network service provider delete related information or take measures to prevent such behaviours.

There are specific requirements regarding cookies and location data within existing laws or regulations in the PRC.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to