New Rules for Personal Data Protection in China

China does not yet have a comprehensive law or regulation for personal information protection. Although some provisions related to personal information protection exist in the Criminal Law, General Principles of Civil Law, Tort Liability Law and other laws and regulations, they are generally lacking in detail and are of questionable enforceability. In 2008, the Chinese Academy of Social Sciences submitted a draft Personal Information Protection Law to the State Council for consideration, but no further action on it has been reported. Instead, it appears that China is continuing to take a piecemeal approach to personal data protection.

Decision on Strengthening the Protection of Online Information

On December 28, 2012, the Standing Committee of the Chinese National People's Congress promulgated the Decision on Strengthening the Protection of Online Information (the decision). The decision sets out some rules for the internet service providers and other entities to follow in relation to electronic personal information. Highlights of the decision are listed below:

• Information Collection and Use: The decision prohibits the misappropriation of electronic personal information. When collecting electronic personal information from individuals, data collectors are required to expressly inform the individuals of the purpose, method and scope of information collection and obtain their consent. Internet service providers and other entities are also required to publicize their rules for collecting and using such data.
• Confidentiality Obligation: The decision prohibits Internet service providers and other entities from disclosing, distorting or damaging data collected from individuals, and from selling or providing such data to others in any manner not permitted by law. If data leakage or infringements occur, data collectors are required to take immediate remedies.
• Circulation of Electronic Commercial Messages: The decision prohibits entities or individuals from circulating electronic commercial messages to land lines, mobile phones or computer message systems of information receivers. If disturbed by such electronic commercial messages, information receivers are entitled to request their blockage or deletion.

Data collectors who commit violations of the decision will be subject to penalties, including warnings, fines, confiscation of illegal proceeds, license revocation, website shut-down, and prohibition of responsible staff from taking part in the Internet service business, etc. The penalties will be recorded in the social credit files and made public afterwards. Criminal liabilities may be triggered in serious circumstances, and civil liabilities may be imposed if the infringed individuals seek remedies via civil proceedings.

It is noteworthy that the decision also requires government authorities and their staff to follow its rules to protect electronic personal information.

First National Standard of Personal Information Protection

The Information Security Technology Guidelines for Personal Information Protection (the guidelines), China's first national standard for the personal information protection, became effective on February 1, 2013. Although the guidelines are only a recommended standard without penalties for noncompliance, they clarify many issues related to information protection and are expected to serve as a reference in the drafting of related laws and the handling of related court cases in the future.

The guidelines define a number of personal information protection concepts such as "subject of personal information," "administrator of personal information," "personal sensitive information," "personal general information," "tacit consent," and "expressed consent," and set out standards for the collection, processing, transfer and deletion of personal information as described below:

• Collection: Entities that collect, control and use personal information ("personal information administrators"), should inform the individuals to whom it relates ("personal information subjects") of the purpose of acquiring the information, the method of collecting it, the retention period for its use, the scope of its protection measures, etc. Expressed consent should be obtained for the collection of sensitive personal information (leakage of which will cause adverse consequences) while tacit consent is allowed for the collection of general personal information.
• Processing: Personal information administrators should process personal information in a manner consistent with the purpose and the method that have been disclosed to the personal information subjects. When such individuals inquire about their personal information, the personal information administrators should faithfully respond to such inquiries without charge, unless the frequency or cost of such inquiries exceed a reasonable number or amount.
• Transfer: Before transferring personal information to other entities, personal information administrators should evaluate whether receivers will handle the information in accordance with the standards set out in the guidelines. Personal information administrators should enter into contracts with receivers to protect the personal information. In the case of overseas information transfers (including transferring the information to individuals outside China or entities and organizations registered outside China), expressed consent from personal information subjects is required, unless such overseas transfer is permitted by relevant laws and rules or the competent authorities.
• Deletion: Personal information administrators should delete personal information after the purpose for acquiring such information has been achieved, the information retention period as previously advised to the personal information subjects has expired, or the personal information subjects request the deletion for valid reasons.

Implications

These developments show that the Chinese government is making an effort to strengthen the protection of personal information. As a consequence of these developments, companies should review their policies, and the policies of their business partners, for the collection, retention, processing and transfer of personal information data.