China dives into data protection regulation
Although China has a booming internet sector and possibly the world’s biggest internet population, with 560 million internet users, Chinese legislation has been slow to catch up with technological developments, particularly in relation to privacy and data protection. While there are a few relevant provisions under the General Principles of Civil Code concerning privacy protection, and the Criminal Law contains an offence committed by staff of special agencies (e.g. government, banks and telecom operators) who illegally disclose private information, no systematic legal framework for data protection has been established. Various administrative rules created by different governmental agencies impose obligations on data controllers and processors to ensure security in the cyber world, but these rules focus more on protecting “state interest” or “public interest” than on protecting privacy. This has resulted in rampant abuse of personal data: spam emails and SMS messages, harassing calls and personal information mining are widespread and have become an increasingly controversial issue attracting media headlines.
In 2008, the Personal Information Protection Law Proposal was submitted to the State Council for review, but until recently efforts to establish a national legal framework for data protection had seemingly come to a halt.
This chaotic situation will hopefully soon come to an end. The standing committee of China’s top legislator - the National People’s Congress (NPC) - rolled out its Decision on Strengthening Internet Information Protection (the Decision) on 28 December 2012. The Decision became effective immediately. While its eleven general-principle articles do not take the form of legislation, the Decision has binding effect, and any foreign company with operations in China will need to comply with it and watch for further developments.
Data to be protected: electronic personal information
The subject matter protected under the Decision is any “electronic information which can be used to identify an individual citizen or which concerns the privacy of a citizen”. A similar concept was first addressed by the industry watchdog, the Ministry of Industry and Information Technology, under the non-binding Internet Information Services Market Order Provisions 2011.
The Decision stipulates that the collection and use of personal electronic information shall be “legitimate, proper and necessary”. These principles are very close to those of “transparency, legitimate purpose, proportionality” under the European Union Data Protection Directive (Directive 95/46/EC). The purpose, method and scope of information collection and use shall be expressly notified to the relevant individuals and shall further be subject to each individual’s consent. The respective data collection and use rules shall be disclosed at the same time. Strict confidentiality shall be maintained with regard to the personal electronic information of citizens collected, which shall not be disclosed, altered, sabotaged, sold or illegally provided to others. These obligations have a very broad application and will catch all entities involved in data collection and processing.
Additional requirements for businesses
Besides the normal requirements to protect both the data and the personal rights connected with such data, the Decision also covers the following areas relating to data protection which may potentially create a heavier compliance burden for online businesses:
The Decision prohibits a business operator from disseminating spam messages and emails, whether on its own behalf or on behalf of others, without the consent of the data subject. No organisation or individual may send unsolicited electronic information of a commercial nature to fixed-line phones, mobiles or personal email accounts. Whenever a citizen discovers that his or her personal information has been used or disclosed without his or her consent, or receives unsolicited electronic communications of a commercial nature, he or she has the right to request that the relevant sender or internet service provider delete the personal data and/or take other preventive measures.
The Decision strengthens the system of user identification management, a feature quite unlike the data protection rules of the West but one that has to be followed in China. If an internet service operator offers network services such as website access, fixed-line telephone or mobile services, or provides an information dissemination service, the operator shall ask its customers to provide real identity information when concluding a service agreement or confirming the provision of services. Such an identification registration system (“Shi Ming Zhi” in Chinese) is not new for mobile and fixed-line services, since it was introduced years ago, but it is for the first time being extended officially to the internet sector. A business operator is required to take cooperative measures when the government finds that something “goes wrong”.
The Decision reiterates that the State protects personal electronic information. It stresses that no organisation or individual shall steal or use other illegal means to acquire personal electronic information of citizens, nor sell or illegally provide to others such personal electronic information. Any organisation or individual has the right to report such activities to the competent authorities which shall respond in a timely manner in accordance with applicable law.
New challenges for foreign companies
There are no criminal sanctions for breach of the principles set out in the Decision, but it provides for administrative sanctions such as warnings, fines, confiscation of illegal gains, revocation of licence, shutting down of websites and prohibiting online businesses from using personal data. No detail regarding how these sanctions might be imposed is given in the Decision or elsewhere, so from a company compliance point of view there is no guidance to follow. In addition, the Decision does not create any new civil remedies for individuals, nor does it address issues such as cross-border data transfers and employee data protection (although these aspects might still be an issue under other regimes, such as the protection of State secrets).
On the other hand, the Decision itself is a pragmatic and positive step forward for data protection in China. According to Article 9 of the PRC Legislation Law of March 15, 2000, the standing committee of the NPC has the power to make decisions regarding matters not yet addressed by official legislation of the NPC. For now, therefore, the Decision will function as the legal basis on which the government can create administrative rules to regulate these matters. At the same time, it also provides an upper-level legal basis for existing administrative rules relating to data protection topics. It is likely that various stakeholders will roll out more detailed administrative regulations in the near future to implement the principles spelled out by the Decision. Whether these new regulations will create more ‘order’ for the Chinese internet industry, or bring more potential hurdles for businesses in practice, remains to be seen. International players operating in China should keep a close watch on this new legislative trend and be prepared for a potentially more challenging business environment in China, with more stringent data protection requirements.
"The decision of the NPC paves the way for new data protection legislation which will have a long term impact on international companies operating in China. They need to keep a close eye on developments."