In China, the national legislature is considering a comprehensive personal information protection law. Currently, the Cybersecurity Law, which went into effect in 2017, sets out general data protection requirements for network operators. The nonbinding national guidelines for personal data protection provide detailed data protection rules. China’s civil and criminal laws, as well as laws and regulations relating to specific sectors, also contain provisions on privacy and data protection.
The data protection law generally requires consent from the data subjects to collect, store, process, disclose, and use their personal data. The personal data protection guidelines provide additional protection for sensitive personal data, which is defined to include location records and health records. For the purposes of prevention and control of the pandemic, however, authorized parties may collect personal data without the consent of data subjects.
The health code apps reportedly rely on a combination of self-reporting by the user, COVID-19 databases set up by government authorities, and data held by other sources, including the public transportation, telecommunication, and banking sectors. In response to data privacy concerns, the national health code guidelines, issued in April 2020, specify the requirements for the collection, processing, and use of personal health information.
The itinerary card app tracks places users have visited over the past 14 days and has the function of contact tracing using Bluetooth. This app asks for consent from the user to access travel history, but claims not to collect the national ID number, home address, or any other personal data of the user.
As of May 22, 2020, the National Health Commission of the People’s Republic of China (PRC or China) had reported 82,971 COVID-19 cases, with 82 active cases. China has been gradually easing COVID-19 restrictions as the cases decline, although there is still fear about the resurgence of the epidemic.
According to the market and consumer data provider Statista, China is the world’s largest smartphone market, with the number of smartphone users projected to reach about 780 million by 2020. As of September 2019, mobile phone subscriptions had reached about 1.6 billion.
Leakage of personal data has become a widespread problem in the country. In a survey conducted by a Chinese newspaper in 2019, 95% of respondents said their personal data had been stolen, and almost 80% were concerned that their facial recognition data could be leaked from apps. A legal framework to strengthen the protection of personal data is being built, although, as a study comparing China’s approach to data privacy law with that of the US and EU finds, there is still no significant protection of individuals’ data privacy against government intrusion.
II. Legal Framework
A. Privacy and Data Protection
China has not adopted comprehensive legislation focusing on the regulation of privacy and data protection. The National People’s Congress Standing Committee (NPCSC) has announced that a Personal Information Protection Law is on the national legislature’s 2020 legislative agenda. Currently, data protection requirements are found in a series of laws and regulations, outlined below.
1. Legislative Decision, Cybersecurity Law, and National Guidelines
The 2012 NPCSC Decision on Strengthening Network Information Protection provides high-level national rules relating to the protection of personal data in electronic form. The decision requires internet service providers and other enterprises and public institutions to (1) clearly indicate the purposes, methods, and scope of collection and use of citizens’ personal electronic data, abiding by the principles of “legality, legitimacy, and necessity”; (2) obtain consent from the persons whose personal electronic data is collected; and (3) make public their rules for collection and use of personal electronic data.
The PRC Cybersecurity Law, which was promulgated in 2016 and went into effect in 2017, sets out general data protection requirements for network operators. Network operators under the Law include not only owners and administrators of a network, but also network service providers. The Law specifically requires network operators to provide technical support and assistance to the public security organs (the police) and the national security organs in the authorities’ activities of protecting national security and investigating crimes. It also contains an article prohibiting government authorities and their staff from leaking, selling, or otherwise illegally providing personal data they become aware of while performing cybersecurity supervision duties.
Detailed data protection rules are found in national and local guidelines, in particular the personal data protection guidelines that were first issued in 2017 and recently revised in March 2020 (Personal Data Protection Guidelines). The Personal Data Protection Guidelines, however, are recommended guidelines that lack the force of law.
2. Civil Law, Criminal Law, and Sector-Specific Laws
The PRC General Rules of Civil Law prescribe the rights that natural persons are entitled to, including the right to privacy and the right to have their personal data legally protected. Any organization or individual that needs to obtain the personal data of others must obtain such information pursuant to the law and ensure information security, and may neither illegally collect, use, process, or transmit the personal data of others, nor illegally trade, provide, or disclose the personal data of others. The new PRC Civil Code, which is expected to be passed in the 2020 NPC annual session that opened on May 22, 2020, contains a chapter on privacy and personal data protection.
Under the PRC Criminal Law, an individual may be sentenced to imprisonment for up to seven years, if the circumstances are especially serious, for: (1) illegally selling or providing to others personal data; or (2) stealing or otherwise illegally obtaining personal data.
Requirements to collect, analyze, store, and share personal data can also be found in various laws and regulations relating to specific sectors such as the banking, insurance, medical, credit information, and telecommunications sectors. The new E-commerce Law passed in 2018 contains strong data protection requirements applicable to e-commerce operators.
B. Data Retention and Location Tracking
1. Requirements under Cybersecurity Law and National Guidelines
The data protection laws generally require consent from data subjects to collect, store, process, disclose, and use their personal data. The Cybersecurity Law provides that network operators may only collect, store, process, disclose, and use personal data if individuals are notified of the purpose, manner, and scope of such activities, and have consented to it. According to the Law, network operators must not collect personal data that are irrelevant to the services they provide and must dispose of the personal data they have stored in accordance with applicable laws, administrative regulations, and agreements with the user.
The Cybersecurity Law does not distinguish between personal data and sensitive personal data. The definition of “sensitive personal data” and its additional protection are found in the Personal Data Protection Guidelines. The Guidelines define sensitive personal data as personal data the leakage, illegal provision, or abuse of which may endanger the safety of life and property; easily damage the personal reputation or physical and mental health of a person; or easily cause discriminatory treatment. Identity card numbers, personal biometric information, bank account numbers, communication records and content, property information, credit information, location records (行踪轨迹), accommodation information, health and physiological information, transaction information, and the personal data of children at or under the age of 14 are sensitive personal data under the Guidelines.
The Guidelines provide additional protection for processing sensitive personal data. The explicit consent of the data subject must be obtained when collecting sensitive personal data. Security measures such as encryption must be implemented in transmitting and storing sensitive personal data.
2. Criminal Punishments
Illegally selling or providing to others location tracking data is criminally punishable under the PRC Criminal Law. The Law itself does not specify the scope of the personal data to be protected. In 2017, the Supreme People’s Court (the highest court) and the Supreme People’s Procuratorate (the prosecutor) jointly released a judicial interpretation on the infringement of personal data in criminal cases. The interpretation defines the scope of personal data: name, ID number, correspondence and telecommunications contact information, resident address, account name and password, property ownership, and whereabouts and tracking data (行踪信息).
3. Data Collection under Health Laws
The PRC Law of Prevention and Treatment of Infectious Diseases (Infectious Diseases Law) obliges all entities and individuals in China to “provide truthful information about diseases” to disease control agencies and medical institutions. The Law further requires disease control agencies to collect, analyze, investigate, and verify information of the epidemic, and report to relevant governments.
III. Electronic Measures to Fight COVID-19 Spread
A. Circular on Personal Data Protection and Big Data
China has deployed digital technologies, including artificial intelligence, big data, cloud computing, blockchain, and 5G, in fighting the COVID-19 spread, and these technologies “have effectively improved the efficiency of the country’s efforts in epidemic monitoring, virus tracking, prevention, control and treatment, and resource allocation,” according to an article authored by an official of the Cyberspace Administration of China.
In response to public concerns about numerous data leakage incidents that happened around the country during the outbreak of COVID-19, on February 4, 2020, the Cyberspace Administration of China released a circular on protecting personal data in fighting the pandemic.
1. Exception to the Requirement of Consent
The Circular states that those parties authorized by the health department of the State Council pursuant to the Cybersecurity Law, Law of Prevention and Treatment of Infectious Diseases, and Regulation on Responses to Public Health Emergencies may collect personal data for the purposes of prevention and control of the epidemic. Unless otherwise provided by relevant laws and administrative regulations, unauthorized parties may not collect data for pandemic prevention and control purposes without the consent of the data subjects.
2. Requirements for Data Collection
The Circular provides that the collection of personal data must refer to the Personal Data Protection Guidelines. Subjects whose personal data may be collected are limited to a key group comprised of confirmed carriers, suspected carriers, and close contacts. Personal data collected for preventing or treating epidemic diseases cannot be used for any other purpose and cannot be made public without the consent of the data subjects unless public disclosure is necessary for the prevention of the epidemic and the information is first redacted or anonymized. The Circular also requires entities that collect and possess personal data to have strict data security measures in place to prevent data breaches.
The Circular encourages capable enterprises to utilize big data to support the control and prevention of the pandemic and monitor the movement of confirmed carriers, suspected carriers, and close contacts.
B. Health Code Apps
Since February 2020, Chinese provinces and municipalities have started to introduce their own color-based health code systems to control people’s movements and curb the spread of the coronavirus. There is also a national health code system. The health code systems are largely operated as mini apps embedded in the popular social media app WeChat and the payment app Alipay. The mini apps automatically generate and assign quick response codes (QR codes) to citizens as an indicator of their health status. Most systems use three colors: users with a green code can move freely, users with a yellow code have to go into government quarantine or self-quarantine for up to seven days, and users with a red code will be quarantined for 14 days.
The health code apps reportedly rely on a combination of self-reporting by the user, COVID-19 databases set up by government authorities, and data held by other sources including the public transportation, telecommunication, and banking sectors. Typically, the user is required to report his or her name, gender, cellphone number, national ID number, home address, and travel history; indicate whether he or she has been in contact with someone diagnosed with COVID-19; and complete a health survey. The apps also have access to data held by the public transportation systems, including the civil aviation, railroad, highway, electronic toll collection, and city bus systems; data from telecommunication operators; and payment data held by banks and other financial institutions.
Although the health code apps do not appear to have been made compulsory, in many cities citizens without the code would not be able to leave their residential compounds or enter most public places. The apps may also serve as a tracker of people’s movements in public areas, as users have their codes scanned as they enter public places.
Privacy experts have warned about the leakage and abuse of personal data associated with the health code apps and have urged Chinese authorities to make sure the health code apps meet data privacy principles. On April 29, 2020, the State Administration for Market Regulation and Standardization Administration of China released a series of national guidelines for personal health information codes, which specify requirements for the collection, processing, and use of personal health information and aim to help the provinces acknowledge health codes from each other and facilitate travel.
Under the guidelines, the collection, processing, and use of personal health information must comply with the Personal Data Protection Guidelines. Health codes must be encrypted and stored using an algorithm satisfying the requirements for national password management. Personal health information services and apps must obtain the express consent or authorized consent of users when collecting data, and must keep the private content confidential. The guidelines, however, are recommended guidelines that lack the force of law.
C. Itinerary Card App
Another COVID-19 app, the “communication big data-based itinerary card,” was launched by China’s Ministry of Industry and Information Technology with the aim of helping users “easily prove your itinerary, improve the efficiency of itinerary inspection of enterprises, communities, transportation departments and other agencies, and speed up the process of work resumption.”
The itinerary card app does not require self-reporting by users, but asks for consent from users to access their travel history. It tracks places users have visited over the past 14 days, including any domestic cities they stayed in for over four hours and any other countries visited. A color card will be assigned mainly based on the places the user visited.
Responding to data privacy concerns, the app claims that it does not collect the national ID numbers, home addresses, or any other personal data of users. An updated version of the app has the function of contact tracing using Bluetooth. A user will receive a risk alert when any other user who has been in close contact with him or her is diagnosed positive.
Prepared by Laney Zhang
Foreign Law Specialist
Last Updated: 12/30/2020