In this second part of our look at China’s privacy and information security laws, we will provide an overview of the regulations applicable to key new economy sectors. If you missed our first part providing an overview of the regulatory landscape, check it out here.
Employee background checks
For most businesses looking to set up a presence in China, the most relevant activity will be conducting background checks on potential employees, particularly for senior roles that carry financial responsibility. This is allowed under the Provisions on the Handling of Criminal Record Inquiry by Public Security Organs. According to Article 4 of the provisions, organizations are permitted to enquire about the criminal records of their current or prospective employees, provided they comply with the procedural requirements and prohibitions the provisions set out.
Apps and Electronic Marketing
For businesses looking to dip their toe into the marketplace through a digital presence, laws applicable to apps, marketing and internet platforms should be considered. Under the Administrative Provisions on the Information Services of Internet User Public Accounts for example, internet platforms are required to authenticate the real identity information of users applying to register public accounts using multi-factor authentication methods (Art 8). Those providing services to minors need to have a special emergency plan in case of a data breach (Regulations on the Online Protection of Minors, Art 35). Minors also need to have their identity authenticated, either individually or through their guardians (Art 31).
Automotive Industries
With electric vehicles increasingly laden with new personalisation options, manufacturers processing personal information will need to submit annual reports detailing their data security management practices (Regulations on the Security Management of Automotive Data (Trial), Arts 13 and 14). These reports may include:
- The type, scale, purpose, and necessity of processing automotive data.
- The security protection and management measures for automotive data, including the storage location and period.
- The provision of automotive data to domestic third parties.
- Security incidents and handling of automotive data.
- User complaints and their handling related to automotive data.
- If automotive data is provided overseas, processors must report supplementary information, including details about the recipient, the type, scale and purpose of the data, and user complaints related to the data provision abroad.
Health Industry
As would be expected, industries involved in the health sector are subject to particularly strict operating conditions. Under the Detailed Rules for the Implementation of the Regulations on the Administration of Human Genetic Resources, any provision or open use of human genetic resources information to overseas entities must be reported in advance to government authorities (Art 36). Overseas organisations and entities established or actually controlled by overseas organisations or individuals may not collect or preserve human genetic resources within China or provide human genetic resources outside China (Art 11). Chinese scientific research institutions, universities, medical institutions or enterprises can however do so, including domestically funded entities with actual control based in Hong Kong or Macao.
AI Regulations
Like many other countries around the world, China has also been grappling with the impact of rapidly developing AI applications. It has done so by taking a multi-pronged approach. The first is through regulation of recommendation engines under the Administrative Provisions on the Recommended Management of Algorithms for Internet Information Services. Under the provisions, providers of algorithmic recommendation services must provide users with options that do not target their personal characteristics, or with a convenient option to disable algorithmic recommendation services (Art 17). Special rights also exist for vulnerable members of the community (such as minors and the elderly under Arts 18 and 19) as well as for workers with regard to work scheduling services (Art 20). In relation to deep fakes, the Administrative Provisions on the Deep Synthesis of Internet Information Services combine a number of measures to mitigate potential nefarious activities. Providers and users of platforms capable of facilitating deep fakes are not allowed to use deep synthesis services to produce, copy, publish or disseminate false news information (Art 6). The real identity of users of such platforms must also be authenticated (Art 9), and records must be kept of illegal or objectionable material (Art 10). Mechanisms to refute false information and rumours (Art 11) and to accept complaints (Art 12) must also be established.
Traditional Industries such as Banking and Finance
It should finally be noted that traditional industries, like banking and finance, are also subject to a host of regulatory provisions. These include the Administrative Measures for the Protection of Consumer Rights and Interests in Banking and Insurance Institutions, which provide a set of rules for the protection of consumer rights and interests (Art 5). The Measures for the Administration of Data Security of Banking and Insurance Institutions add a further layer of data security governance to back-office operations. Even mobile apps are subject to strict rules under the Notice of the General Office of the China Banking and Insurance Regulatory Commission on Strengthening the Administration of Mobile Internet Applications in the Banking and Insurance Industries. These include ensuring age-appropriate design (Art 6), maintaining testing regimes for third-party software development kits (Art 8) and requiring strict risk management protocols for outsourced work (Art 14).
The above are complemented by regulations on credit reporting agencies (such as the Regulations on the Administration of the Credit Reporting Industry and Order No.4 [2021] Measures for the Administration of Credit Reporting Services by the People’s Bank of China) and the securities industry (such as the Administrative Measures for Network and Information Security in the Securities and Futures Industry by the China Securities Regulatory Commission).
We hope the above provides a good overview of the necessary considerations when looking at different sectors within China, with respect to privacy and information security regulations.