2 April, 2014
Overview
The Chinese Government published two instruments which set a standard for the protection of personal data. A first set of guidelines was published in November 2012 and entered into force on 1 February 2013. A second decision was issued at the end of 2012 and contains binding rules limiting the collection and use of personal information.
Highlights
The Chinese authorities have issued binding and non-binding rules which govern the processing of personal data by organisations operating in China. According to the new rules, any entity collecting personal information should:
- inform the data subjects about the purposes of the processing and obtain consent for the processing of personal data and sensitive information
- maintain strict confidentiality and security measures
- refrain from direct marketing activities unless they have the express consent of the data subject
- obtain the real names of data subjects and stop providing services to users who cannot be identified.
Certain rules can be enforced and may lead to a variety of penalties.
Combined, these instruments are an important step towards a general data protection legislation framework in China, and, even though certain rules are only soft law, they are expected to be followed by all relevant data collecting entities.
The Real Name Decision
On 28 December 2012, the Standing Committee of the National People’s Congress, China’s highest legislative body, passed the Decision on Strengthening Internet Information Protection (the “Decision”) which includes articles which are said to protect Internet information security, safeguard the legitimate rights and interests of citizens, legal persons and other organizations, and maintain national security and the public interest.
Under the Decision, internet service providers (“ISPs”), landline and mobile phone providers and any other enterprises and institutions that collect or use citizens’ personal electronic information in the course of their business, must:
- explicitly state the purpose, method and scope of collection and use of the information and make this publicly available
- not collect or use information without the approval of the data subjects
- strictly maintain the confidentiality of data subjects’ information collected during the course of their business and not disclose, falsify, damage, sell or illegally provide it to others
- adopt technical and other necessary measures, ensure information security, and prevent the disclosure, damage or loss of citizens’ personal electronic information collected during the course of their business
- upon discovery of a breach of the rules, immediately cease transmitting the information and adopt measures, retain relevant records, and report to the relevant competent authority
- require a user to provide his/her real identity when entering into an agreement with the user or confirming the services to be provided
- refrain from sending electronic messages by e-mail or telephone without consent.
Violations of the Decision can lead to warnings, fines, confiscation of unlawful gains, revocation of licenses, cancellation of registrations, termination of websites, as well as civil liability towards the data subject.
Concerns were raised about the consequences of this Decision, which critics say stifles freedom of speech and enhances the Government’s ability to shape public opinion and exercise control.
The Guideline For Personal Information Protection Within Information System For Public And Commercial Services
The Chinese Ministry of Industry and Information Technology (“MIIT”) issued a non-binding guideline (the “Guideline”) in November 2012 which became effective on 1 February 2013. The Guideline applies to all organisations that process personal data.
First, the Guideline applies only to the processing of personal data by means of information systems. As such, a number of processing activities fall outside its scope.
Also, the Guideline draws a distinction between sensitive and general personal data. Whereas general data may be collected and used by an information collector as long as the data subject does not object, sensitive data may only be used with the express consent of the data subject. In addition, only data necessary for specific and clearly stated purposes may be collected, and it must be deleted once the intended use has been fulfilled.
Furthermore, the Guideline provides that data subjects should be notified in the event their data have been affected by a security breach, and that the authorities should be informed in the case of major security breaches.
For further information, please contact:
Kening Li, Partner, Pinsent Masons
Peter Bullock, Partner, Pinsent Masons
Marc Dautlich, Partner, Pinsent Masons