New America
Cybersecurity Initiative

The Evolution of China's Data Governance Regime: A Timeline

Tracking a rapidly evolving system and the debates behind it
Blog Post
Anton Balazh / Shutterstock
By 

Samm Sacks

Mingli Shi

, and 

Graham Webster

Feb. 8, 2019
Timeline

The Evolution of China's Data Governance Regime

January 2004
Resident Identity Card Law / 居民身份证法

§§ 6, 13, 19, 20: confidentiality of ID card information.

June 2007
Measures for the Multi-level Protection of Information Security / 信息安全等级保护管理办法

Creates a 5-level scale based on the potential consequences of damaged information system.

July 2010
Tort Liabilities Law / 侵权责任法

§ 2: “right of privacy”; § 36: tort liability if infringing upon the civil rights or interests of another person through a network.; § 62 (under Chapter VII Liability for Medical Malpractice): requires medical institutions and their medical staff to keep confidential the privacy of a patient

March 2012
Several Provisions on Regulating the Market Order of Internet Information Services / 规范互联网信息服务市场秩序若干规定

§§ 11, 12: protect “user personal information.”

October 2012
State Secrets Protection Law / 保守国家秘密法

December 2012
National People’s Congress Standing Committee Decision Concerning Strengthening Network Information Protection / 关于加强网络信息保护的决定

An ancestor of the Cybersecurity Law.

March 2013
Regulation on the Administration of Credit Investigation Industry / 征信业管理条例

§§13-24: regulates the collection and processing of personal information by credit reporters.

September 2013
Telecommunications and Internet User Personal Information Protection Regulations / 电信和互联网用户个人信息保护规定

March 2014
Consumer Rights Protection Law /消费者权益保护法 (latest amendment)

§§ 14, 29, 50, 56: protect personal information of consumers.

2015
Criminal Law / 刑法 (9th Amendment)

§ 253: illegal sale or provision of personal information; § 286 (a): inadequate cybersecurity management causing personal information breach

March 2015
Account Names of Internet Users Administration Regulations / 互联网用户账号名称管理规定

§ 5: requires internet service providers to implement real-ID registration of users.

July 2015
National Security Law / 国家安全法

January 2016
Counter-Terrorism Law / 反恐怖主义法

§§ 21, 86: require service providers to check user's ID in the industries of telecommunication, internet, finance, hospitality, long-distance transportation, and automobile lend-lease.

2016
*Big Data Industry Development Plan / 大数据产业发展规划

*Not legally binding

August 2016
Provisions on the Administration of Mobile Internet Applications Information Services / 移动互联网应用程序信息服务管理规定

§ 7: protects personal information; requires mobile app service providers to implement real-ID registration of users.

November 2016
Interim Measures for the Administration of Online Taxi Booking Business Operations and Services / 网络预约出租汽车经营服务管理暂行办法

§§ 26, 27, 30, 37: protect passengers’ personal information.

December 2016
*National Cyberspace Security Strategy / 国家网络空间安全战略

*Not legally binding

April 2017
[Draft] Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (draft for comment) / 个人信息和重要数据出境安全评估办法 (征求意见稿)

[DigiChina analysis]

July 2017
Cybersecurity Law / 网络安全法

[DigiChina Full-text Translation]

Chapter 3: specifies cybersecurity and data security requirements; Chapter 4: specifies principles in collection and usage of personal information.

2017
[Draft] Critical Information Infrastructure Security Protection Regulations (Draft for comment) / 关键信息基础设施安全保护条例(征求意见稿)

[DigiChina analysis]

August 2017
[Draft] *Guidelines for Data Cross-Border Transfer Security Assessment (draft for comment) / 数据出境安全评估指南(征求意见稿)

*Not legally binding

[DigiChina analysis]

October 2017
General Provisions of Civil Law / 民法总则

§ 111: protect personal information of natural persons; forbid illegal collection, usage, processing, and transmission of others’ personal information; forbid illegally selling, providing, or publicizing others’ personal information.

2018
Constitution / 宪法 (last amended in 2018)

§ 38: personal dignity; § 39: no unlawful search in residences of citizens; § 40: Freedom and privacy of correspondence

2018
*Guidelines for the Data Management of Banking Financial Institutions / 银行业金融机构数据治理指引

*Not legally binding

May 2018
*Personal Information Security Specification / 个人信息安全规范

*Not legally binding

[DigiChina Translation]

June 2018
[Draft] Cybersecurity Multi-Level Protection Regulations (Draft for comment) / 网络安全等级保护条例 (征求意见稿)

2018
[Draft] *Guidelines for Internet Personal Information Security Protection (Draft for comment) / 互联网个人信息安全保护指引(征求意见稿)

*Not legally binding

January 2019
E-Commerce Law / 电子商务法

§ 5, 23, 25, 32, 79, 87: regulate e-commerce business operators that collect and use personal information.

2019 - 2023
[In drafting] Personal Information Protection Law / 个人信息保护法

2019 - 2023
[In drafting] Data Security Law / 数据安全法

Chinese scholars, journalists, and policy practitioners hailed 2018 as a pivotal year in data protection, not only around the world but also in China. China’s first personal data protection standard, called the “Personal Information Security Specification” (the “Specification,” translated by DigiChina here) entered force in May, the same month as the European Union’s General Data Protection Regulation (GDPR). Over the next three months, California passed its Consumer Privacy Act, a Personal Data Protection Law was introduced in India, and Brazil’s General Data Privacy Law was signed into law.

As governments around the world grapple with how to regulate data collection, use, and processing, Chinese policymakers have accelerated efforts to build China’s first cohesive data governance regime. The system is still in early stages, amid much debate and discussion inside China, but a framework is emerging for how different kinds of data should be collected, used, and shared.

So far, despite of the fact that China has not yet established a comprehensive legal regime around data, interagency government moves already restrict how the private sector collects and processes personal information, with legal authority based on the Cybersecurity Law and the Consumer Protection Law and greater detail laid out in the Specification.

The emerging data governance efforts, however, reach well beyond privacy protection and personal information handling. Especially since the 2017 Cybersecurity Law, data governance in China has distinguished two broad categories of data: “personal information” and “important data.”

The two concepts were neatly delineated in an essay on the Cyberspace Administration of China (CAC) website by Dr. Hong Yangqing, the lead drafter of the Specification. Hong wrote that protection of personal data refers to having “autonomy and control over one’s data,” aligning with the general understanding privacy in Western legal traditions. Distinct from individual concerns, he wrote, are interests “at the national level” that concern “important data affecting national security, the national economy, and people’s livelihood.”

In a sense, “personal information” governance is primarily a function of the interests of the individual, while “important data” governance touches on issues ranging from everyday cybersecurity needs to broader concerns about national security and prosperity. According to the Cybersecurity Law, both personal data and important data produced by “critical information infrastructure” (CII) operators must be stored within mainland China.

Timeline of Chinese Data Governance

The Chinese government’s formal documents governing data and personal information collection, processing, use, and handling have evolved over more than 15 years, but as the timeline below illustrates, a much more robust regime has come to fruition over the last few years. This timeline is a selection of key developments with specific attention to personal information.