China

LEG-01:

Legislation enacted specifically for data privacy?
– Telecommunications and Internet Personal User Data Protection Regulations 2013 (TIPP)
– General Data Protection Law 2013

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Constitution of the People’s Republic of China
– Law of the People’s Republic of China on Protection of Consumer Rights and Interests 1994
– The Decision of the Standing Committee of the National People’s Congress on Strengthening the Network Information Protection 2012 (SNIP)
– Regulations On Internet Email Services 2006

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy.
– APEC Cross-border Privacy Enforcement Arrangement (CPEA)
– APEC Privacy Framework.

LEG-04:

Local government has bills going through the legislative process.
– Personal Data Protection Law
– Cybersecurity Law of the People’s Republic of China

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems 2013 (PIP)

LEG-06:

Has other state laws related to privacy.
Notes: These will not be identified as they are too extensive.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.

PRI-02:

There is a requirement to establish a privacy commissioner.
Notes: The cited “Privacy Act 1988 Section 27” is Australian legislation and does not apply to China; no equivalent Chinese requirement is identified here.

PRI-03:

The functions of the authority clearly set out.

PRI-04:

There is a requirement each company establishes their own privacy officer to ensure the company complies with policy.
Notes: This is not a requirement, but it is recommended that a “Data Controller” is appointed.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.
– TIPP Article 8
– PIP Section 5.1

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– TIPP Article 8
– PIP Section 3.2

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.
– PIP Section 3.7

PCP-03:

Other types of information are defined that are viewed differently from personal or sensitive information.
– PIP Section 3.8 (Notes: Common personal information is defined as “personal information other than sensitive personal information”)

PCP-04:

Consent is required from the individual involved.
– PIP Section 4.2 d
– SNIP Article 2
– Consumer Rights and Interests Article 29

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent differs for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– PIP Section 5.5.1
– SNIP Article 8
– TIPP Article 9

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– PIP Section 4.2.a and 5.2.1
– SNIP Article 2
– TIPP Article 9
– Consumer Rights and Interests Article 29

PRO-01:

Individual has the ability to access their data by request.
– TIPP Article 9
– PIP Section 5.3.7

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– TIPP Article 9
– PIP Section 5.3.6

PRO-03:

Data can be sent to a third party for processing.
– TIPP Article 11
– PIP Section 5.4

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– PIP Section 4.2.g
– SNIP Article 2
– TIPP Article 8
– Consumer Rights and Interests Article 29

PRO-05:

Encryption used for processing of data to ensure anonymity.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method. Encryption technology is regulated by the Office of the State Commercial Cryptography Administration (OSCCA), and only OSCCA-approved products are sanctioned for use in China.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– PIP Section 5.3.3 and 5.3.4
– SNIP Article 3 and 9
– TIPP Article 10
– Consumer Rights and Interests Article 29

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– SNIP Article 11
– TIPP Chapter V

PRO-09:

A complaints process is setup to deal with any breach of privacy.
– SNIP Article 11
– TIPP Article 12
– PIP Section 5.2.2.h

STO-01:

All data is stored with at least a “reasonable” level of security.
– SNIP Article 4
– PIP Section 4.2.f
– Consumer Rights and Interests Article 29

STO-02:

Encryption techniques used to store data.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– TIPP Article 11
– PIP Section 5.4

STO-04:

Data can be stored offshore in a different country.

STO-05:

Data can be stored off site but in the same country.

STO-06:

Information is only kept by the collection agency for the shortest time necessary for the outlined purpose to be fulfilled.
– TIPP Article 9
– PIP Section 4.2.5 and 5.5.2

STO-07:

Policies in place for destroying data once consent is withdrawn or the data is no longer needed.
– TIPP Article 13 (3)

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
Notes: Not specific to storage.
– SNIP Article 11
– TIPP Chapter V

STO-09:

Notification has to be given to individuals in case of a data breach.
Notes: This is not a requirement but a suggested action to be taken by personal information administrators.
– PIP Section 4.1.3

STO-10:

Policy in place in case the data collection agency ceases to operate.
– PIP Section 5.5.4

STO-11:

Policy in place in case the data collection agency is sold.

SPM-01:

Recipients are able to opt out of (unsubscribe from) commercial electronic messages.
Notes: The regulation does not mention an “unsubscribe feature” as such.
– Regulations On Internet Email Services 2006 Article 14

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– Regulations On Internet Email Services 2006 Article 14

SPM-03:

Subject line to be clear and not misleading.
Notes: All commercial email must be labelled through the inclusion of “AD” (or the Chinese equivalent, “广告”) in the subject line.
– Regulations On Internet Email Services 2006 Article 13 (3)

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– Regulations On Internet Email Services 2006 Article 12 (2)

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– SNIP Article 7 and 8
– Consumer Rights and Interests Article 29
– Regulations On Internet Email Services 2006 Article 11

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.

INT-05:

External countries have the ability to intercept data with permission from the host country.