26 January, 2013
On December 28, 2012, the Standing Committee of the National People’s Congress (“NPC”), China’s legislature, weighed in on the subject of data privacy with its promulgation of the Decision on Reinforcing the Protection of Network Information (《全国人民代表大会常务委员会关于加强网络信息保护的决定》, the “Decision”). For the most part, the Decision merely affirms legal obligations already put in place by prior legislation. The most significant aspect of the Decision in regard to data privacy is the fact that it was issued by the NPC, as China’s legislature, signaling the importance being placed on data privacy at the highest level of China’s law-making system. More notable, however, are provisions unrelated to data privacy, which seek to enhance governmental control on freedom of communications over the internet.
This article briefly introduces the main provisions of the Decision and then highlights some other recent developments in China in regard to data privacy.
DECISION
Scope of Parties Covered
The Decision includes a broad statement of principle that no organization or individual shall steal or otherwise unlawfully obtain a citizen’s electronic information or sell or illegally provide the same to third parties. More substantive provisions of the Decision govern “network service providers” and “other enterprises and organizations”.
The term “network service provider” is not defined in the Decision but would seem in the context to be broad enough to capture not only companies that would count as internet service providers as that term is used in other jurisdictions but also telephone companies and indeed companies operating websites. The Decision’s use of this broad term, and its reference also to “other enterprises and organizations”, means that the scope of application of the Decision is very broad.
Prior regulations issued by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Regulations on Standardizing Market Order for Internet Information Services (《规范互联网信息服务市场秩序若干规定》, the “Internet Regulations”), issued on December 29, 2011, govern so-called “Internet Information Service Providers”, which include only operators of websites. Our understanding is that the Decision casts a wider net than the Internet Regulations.
Obligations Under the Decision
The Decision provides for a number of obligations that governed entities must comply with in the course of their business, including:
- Adopting a similar approach to the Internet Regulations, the Decision provides that the collection and use of citizens’ electronic personal data must be on the basis of informed consent and individuals must be notified about the purpose of data collection, the method and the scope. Policies in relation to the collection and use of electronic personal information must be publicly available.
- Commercial information may not be sent to individuals via telephone, mobile phone or personal email without the concerned person’s consent or request or if the person has expressly refused such delivery. This provision expands upon rules already in place governing email spam.
- Like the Internet Regulations, the Decision imposes an obligation to keep electronic personal data in strict confidence and not to illegally disclose or sell such information to any third party.
- Governed entities must take technical and other measures to ensure the security of electronic personal data, and in the event of the leakage or destruction of such data, take remedial measures. This provision mirrors language of 2005 regulations governing operators of computer networks connected to the internet.
Take-Down and Other Compliance Requests
The Decision provides that if a citizen identifies information available online that infringes on his or her privacy, such citizen has the right to ask the network service provider to delete the relevant information or take any other necessary measures to stop such infringement.
Internet Censorship
The Decision affirms existing obligations on governed entities to police information posted on a website or transmitted over a network. It also affirms the obligation to require users to register for service using their true identities.
Penalties
The Decision provides broadly that competent authorities have the authority to take enforcement actions for breaches of the Decision, including warnings and/or fines, confiscation of illegal gains, revocation of licenses and shut down of websites. MIIT has these powers in relation to analogous provisions of the Internet Regulations and we anticipate that MIIT, Ministry of Public Security and other agencies will issue further administrative regulations implementing these regulatory powers in regard to the broader circumstances provided for by the Decision.
OTHER LEGAL DEVELOPMENTS ON PERSONAL INFORMATION PROTECTION
Recent months have also seen moves to legislate on matters of protection of personal information at a local level. Xiamen City, Hebei Province, Hunan Province and Guangdong Province have joined Jiangsu Province in enacting local measures to protect personal information.
- On November 19, 2012, the Xiamen Regulation on Personal Information Protection in Software and Information Service Industry (《厦门市软件和信息服务业个人信息保护管理办法》) was passed at the 14th meeting of the Xiamen government and will take effect on April 1, 2013.
- On September 26, 2012, the Hebei Province Informatization Measures (《河北省信息化条例》) was passed at the 32nd session of the 11th Standing Committee of Hebei People’s Congress and took effect on January 1, 2013.
- On May 31, 2012, the Amendment to Hunan Province Informatization Measures (《湖南省信息化条例(2012修订)》) was passed at the 29th session of the 11th standing committee of Hunan People’s Congress and took effect on September 1, 2012.
- On May 24, 2012, the Guangdong Province Informatization Promotion Measures (Draft) (《广东省信息化促进条例(送审稿)》) was published for public comment.
Each of these local regulations adopts a broadly similar approach to that taken by the Decision and the Internet Regulations in regard to protection of personal information: each requires informed consent for the collection and use of personal information and prohibits unauthorized disclosure of the same.
It was previously reported that a December 2011 statement by the Shenzhen municipal government indicated its intention to issue local regulations governing personal information protection. According to a news report, a year later, on December 12, 2012, the survey conducted by Shenzhen Lawyers Association for the purpose of drafting such regulations was discussed at a meeting of the Standing Committee of the Shenzhen People’s Congress. According to that news report, drafting of the regulations is still at a consultation stage and enactment of the regulation may still be two years away.