China – New Developments In Legislation On Personal Electronic Information Protection.

26 April, 2013
The Resolution in Relation to Strengthening the Protection of Information on the Internet (《关于加强网络信息保护的决定》) (the “Resolution”) was promulgated by the Standing Committee of the National People’s Congress (the “NPC”) on December 28, 2012, and took effect on the same day. In addition, the Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (《信息安全技术 公共及商用服务信息系统个人信息保护指南》(GB/Z 28828-2012)) (the “Guidelines”) were officially promulgated on November 5, 2012 and came into effect on February 1, 2013.
I. Background to Legislation
The internet has greatly facilitated the transmission of information. However, the internet has also amplified the adverse effects of the indiscriminate disclosure and use of personal information. In practice, there are many entities and individuals that illegally or improperly collect, use, disclose or sell personal electronic information. At the end of 2011, a serious hacking incident occurred in China, leading to the unauthorized disclosure of user data on many large websites. User IDs and passwords of approximately 50 million internet users were released to the public. Separately, China Central Television, widely known as CCTV, reported at the beginning of this year that certain internet service providers had been analyzing the interests, habits and preferences of internet users by illegally accessing internet accounts and tracking internet usage. These internet service providers would then direct targeted commercial advertisements to such users. The hacking incident and the CCTV report have roused significant public concern in China.
Before the Resolution, there was no established, integrated legal system regarding the protection of personal information in China. There was only a disparate assortment of provisions that sought to protect specific types of personal information stipulated under various laws and regulations. The PRC Personal Information Protection Law (《个人信息保护法》), which attracted much attention, is still working its way through the legislative process. A bill, prepared by academics in 2005 and submitted to the State Council for discussion in 2008, remains in draft form.
The Resolution was promulgated by the Standing Committee of NPC and, pursuant to the PRC Legislative Law (《中华人民共和国立法法》), has equal standing with national laws. In this sense, the Resolution is the first law-equivalent legislative document in China that focuses on the protection of personal information.
Unlike the Resolution, which seeks to bring together the various laws, regulations and rules preceding it, the Guidelines are classed as a “guiding technical document” rather than a legislative document or a mandatory national standard. This means that the Guidelines are neither mandatory nor enforceable. Under PRC law, within three years of its promulgation, a guiding technical document must be revisited in order to (i) confirm that it remains in effect; (ii) convert it into a national standard; or (iii) revoke it.
As the first guiding technical document regarding the protection of personal information, the Guidelines set out the general principles and specific technical requirements for the collection, processing, transmission and deletion of personal information through various information systems. The draft of the Guidelines, named the Information Security Technology – Guide to Personal Information Protection (《信息安全技术 个人信息保护指南》(草案)), was released for public comment two years ago, on February 10, 2011. However, due to the wide scope of the Guidelines and disagreements over the basic definitions, the Guidelines were only recently finalized. In their current form, the Guidelines apply only to personal information held on information systems used for public and commercial services, and do not apply to government authorities. It is likely that, until a legally binding national standard is issued, the Guidelines will be used as a reference in administrative and judicial practice to judge whether personal information is properly protected.
II. Primary Provisions & Influence on Practice
i. Scope of Protection
The Resolution specifies in Article 1 that “electronic information that enables the identification of an individual and electronic information that involves individual privacy” should be protected. “Personal information” is defined in the Guidelines as “any computer data associated with an individual, which can be processed by information systems and, either independently or when combined with other information, can enable the identification of such individual”. Therefore, both the Resolution and the Guidelines focus on the protection of “personal electronic information”.
Under the Guidelines, personal information consists of “personal sensitive information” and “personal general information” (i.e., non-sensitive personal information). If the subject of personal information may be adversely affected once certain personal information is disclosed or changed, then such personal information should be recognized as personal sensitive information. Personal sensitive information includes ID numbers, mobile phone numbers, race, political opinions, religion, genetic information, fingerprints etc. In accordance with the Guidelines, different rules should apply to different types of personal information. For instance, the collection of personal sensitive information must have the “express consent” of the subject of the personal information, while “implied consent” is sufficient for the collection of personal general information.
ii. Application of the Resolution and the Guidelines
Application of the Resolution
There are general prohibitive provisions in the Resolution applying to any entity and individual. Such provisions include prohibitions against the illegal collection, stealing, sale or provision of personal electronic information (as stipulated in Article 1) and sending spam email, mobile phone spam etc. (as stipulated in Article 7). These are all general provisions that seek to protect personal life and privacy.
With respect to internet service providers, other enterprises and public institutions, Articles 2 to 5 provide specific requirements for the collection, utilization, provision and storage of personal information by such entities and their staff in the course of business operation. In addition, where an internet service provider provides a user with network or information publication services, such provider should require the user to disclose and verify its identity.
As for government authorities and their staff, the Resolution requires that they should keep secret personal electronic information received by them during the performance of their duties, and may not disclose, change or destroy such information, or sell or illegally provide it to any third party.
Application of the Guidelines
The Guidelines provide guidance on the protection by various organizations and institutions of personal information within information systems. These organizations and institutions include service providers in relation to telecommunications, finance, medical services etc. However, entities performing public administration duties, such as government authorities, are expressly excluded from the scope of the Guidelines. Under the Guidelines, the protection of personal information involves four aspects: (i) the subject of the personal information, i.e., the individual to which such personal information relates; (ii) the administrator of the personal information, e.g., a service provider; (iii) the recipient of the personal information, e.g., a specialized data processing/management service provider; and (iv) the independent evaluation institution, which specializes in the attestation/evaluation of information and which is independent from the administrator of the personal information.
There are different responsibilities and duties for each role. For example, the requirements for the administrator of the personal information are particularly strict. Under the Guidelines, the administrator of the personal information should: (i) design and establish the process under which personal information is processed; (ii) formulate a management system for managing personal information; (iii) implement the management system mentioned in (ii); (iv) designate certain personnel to take charge of personal information protection and accept complaints and enquiries; (v) formulate an educating and training plan in relation to personal information protection and carry out such training; and (vi) establish internal controls for personal information protection and inspect, or evaluate by engaging an independent evaluation institution, the security and protection mechanisms of the information system. In addition, the administrator of the personal information is required to manage and control the risks that arise in the course of processing personal information. The administrator of the personal information should make plans for incidents that may occur, such as the disclosure, loss, damage, change, and improper use of personal information. Once any of the aforementioned incidents actually occurs, the administrator of the personal information should promptly take measures to mitigate the adverse effects of such incident, promptly give notice to the affected subject of the personal information, and, if the incident is serious, promptly report to the government administration on personal information protection.
While the Guidelines are currently not mandatory, they establish the basic requirements and standard regarding the protection and management of personal information. With greater public awareness of the importance of personal information protection, the Guidelines may be elevated to legal obligations in the future. In this sense, it is advisable that service providers that need to process large amounts of information gradually introduce and improve personal information protection mechanisms in a cost-efficient way, so that they can minimize the time and cost of adapting to future legislation and thereby gain a competitive advantage.
iii. Requirements for Information Processing
Both the Resolution and the Guidelines emphasize the importance of protecting personal information in the course of information processing.
General Principles
In accordance with the Resolution, internet service providers, other enterprises and public institutions should strictly comply with the general principles of “legitimacy, reasonableness and necessity” when they collect or use personal information in the course of business. Under the Guidelines, the processing of information consists of four steps, i.e., collection, processing, transmission and deletion. The Guidelines set forth the following eight principles to be observed in the processing of personal information: (i) have a reasonable and clear purpose for information processing; (ii) collect, process and use no more information than is necessary to fulfill the purpose; (iii) notify the subject of the purpose, the scope of collection and use, protection measures etc.; (iv) obtain consent from the subject; (v) keep the personal information complete, accurate, usable and up to date; (vi) guarantee the security of personal information; (vii) stop processing or using the personal information upon fulfillment of the purpose; (viii) clearly allocate and implement internal responsibilities in relation to the information.
Specific Provisions on Collection of Information
Pursuant to the Resolution, internet service providers, other enterprises and public institutions should publish their rules concerning the collection and use of personal information, and should give notice to, and obtain consent from, the subject of personal information regarding the purpose, method and scope of collection and use of his or her information. The relevant provisions under the Guidelines are more specific. No entity is allowed to collect personal information either covertly or indirectly. No entity may directly collect personal sensitive information from any person with limited or no legal capacity (e.g., minors under 16 years old) without the express consent of his or her guardian. It is foreseeable that service providers of instant messaging, e-commerce services and social networking services will face great pressure to reengineer their processing flows and upgrade their technology if the Guidelines become enforceable.
Specific Provisions on Transmission of Information
Under the Guidelines, without express consent from the subject of the personal information, or explicit authorization by laws or regulations, or approval of the competent authorities, the administrator of the personal information is not allowed to transmit any personal information to any overseas personal information recipient (including any overseas individual and any organization or institution registered overseas). This provision has already raised concerns among Chinese and multinational companies which, in the course of business, provide personal information to overseas persons or entities. This is a real issue and merits continued monitoring for any developments in administrative and judicial practice and future legislation.
In addition, we note that some multinational companies have raised concerns about the applicability of the Resolution and the Guidelines to the collection, storage and processing by employers of employees’ personal electronic information. If the Resolution and the Guidelines apply, employee management costs will increase significantly and employees may use any non-compliance in this connection as a bargaining chip if there are labor disputes. Based on the content and legislative purpose of the Resolution, the Resolution is unlikely to apply to the protection of employees’ personal information against their employers. However, it is not clear whether the same can be said of the Guidelines. Given that there has been no official judicial interpretation or precedent since the promulgation of the Resolution and the Guidelines, it is difficult to reach a conclusive interpretation at this stage.
III. Legal Liabilities
If an entity or individual breaches the Resolution, such entity or individual may face civil, administrative or even criminal liabilities.
Civil Liability
The Resolution generally provides that where an entity or individual violates the protection of personal electronic information under the Resolution and infringes another person’s civil rights and interests, such entity or individual should bear civil liability. This helps establish that personal electronic information is one of the civil rights and interests protected under the PRC Tort Liability Law (《侵权责任法》).
Administrative Liability
Pursuant to the Resolution, any entity or individual that violates the Resolution may face administrative penalties imposed by the competent government authorities, including but not limited to warnings, monetary penalties, confiscation of illegitimate gains obtained from such violation, revocation of permits or cancellation of registrations, suspension of websites, prohibiting the responsible person from engaging in internet service provision, and recording such violation on the social credit records of the entity in question and making such record public. Among these penalties, the final two had never been stipulated as administrative penalties in any law-equivalent legislative document before the Resolution. It is probable that these penalties, including the new ones, will be introduced into the draft PRC Personal Information Protection Law and other regulations and rules in this connection.
Criminal Liability
Under the PRC Criminal Law, government authorities and entities in the fields of finance, telecommunications, transportation, education or medical treatment, and the staff of such authorities or entities, are prohibited from selling or illegally providing to others personal information obtained during the performance of duties or the provision of services by such authority, entity or staff member. If the circumstances are serious, penalties may include imprisonment of not more than three years or criminal detention, and a fine. It is worth noting that, given that more and more internet service providers are providing services to numerous, non-specific persons, there has been much debate about whether an internet service provider can be charged with this crime.
In addition, any entity or individual that illegally obtains personal information by stealing or any other means may, if the circumstances are serious, also be charged under the PRC Criminal Law.
In short, the promulgation of the Resolution and the Guidelines marks a milestone in the development of legislation on personal information protection in China. We will continue to monitor how the Resolution and the Guidelines are implemented in practice. Risk assessment and solution formulation in this connection are also part of the value that we, as lawyers, can provide to our clients.
For further information, please contact:
Feng Rui, Partner, Jun He
fengr@junhe.com
Zhuo Hui, Jun He
zhuoh@junhe.com
Zou Xiaoqian, Jun He
zouxq@junhe.com
Min Nana, Jun He
minnn@junhe.com