I. What Is Personal Information and What Is Individual Privacy
Generally speaking, “personal information” refers to all the information relevant to an individual, which, once saved on computers or networks, shall be known as “personal data”. On the other hand, “individual privacy” refers to the information that an individual is not willing to disclose or the information that if disclosed, will cause adverse influence to the individual.
The right that protects an individual’s privacy is known as the right to privacy. It is a right of personality that protects the peace of one’s personal life and the private information irrelevant to public interest from illegal harassment, acknowledgement, collection, utilization or publication. The concept of right to privacy was raised by United States attorneys Samuel D. Warren and Louis D. Brandeis (future United States Supreme Court Justice) in their paper entitled The Right to Privacy published in the fourth issue of the Harvard Law Review on December 15th 1890. In his dissenting opinion in Olmstead v. United States (1928), Justice Brandeis wrote that a citizen enjoys the “right to be let alone”, which has later been recognized as the classical dissertation on the right to privacy. The case initiated wide discussion among the society in the United States at the time, and generated profound impact on the protection over individual’s privacy.
The Big Data era has witnessed the wide access to network by mobile phones, computers, TVs and wearable devices. The “Internet of Things” has become the inevitable developing trend. Along with the unceasing collections of personal information by various operators, the commercialization of Big Data has achieved the collection, mining and analysis of the seemingly discrete data. As a result, each one of us is becoming transparent. Facing the possible illegitimate utilization, disclosure or leakage of the personal data, the public is growing concerns towards the invasion of right to privacy.
As a matter of fact, precedents have already existed to prove that the public is not worried for nothing. As per the Legal Daily report on April 7th 2015 (http://epaper.legaldaily.com.cn/fzrb/content/20150407/Articel07001GN.htm), information of tens of thousands of newborns was leaked on December 22nd 2011. The official website of Guangdong Exit & Entry Administration Department leaked the names, passport numbers and other data on December 29th 2011, involving over 4 million web users. In October 2014, as exposed by media, some Chinese chain hotels leaked the personal information of around 20 million guests. Later that year, the authentic information including names, IDs, e-mails, mobiles and passwords of up to 130 thousand users was reported to be leaked by the China on-line train ticket booking system.
II. The State of Personal Information Abuse in China
1. The Excessive Collection of Personal Information
Citizens are almost requested to provide personal identity information on daily basis under various occasions. Usually, telecommunication companies, websites, banks, insurance companies, educational institutes and even government agencies and hospitals tend to request personal data such as ID number, mobile numbers, home address and e-mail addresses. Sometimes spousal information is also required by banks when one is applying for credit cards.
2. Unauthorized Disclosure and Offering of Personal Information
It is widely known that some institutes disclose the collected personal information illegitimately without the individual’s consent or beyond necessity. As an example, banks, insurance companies, airlines and other institutes would exchange the information of their own customers without or beyond authorization.
What’s even worse, huge amounts of personal information are transacted illegally. Information transactions of property owners, shareholders, business persons, car owners, telecommunication users and patients emerged so badly that an illegal industry has formed. For instance, after an individual went through necessary procedures for hospital admission, property or car purchasing, his or her information would be sold by the relevant entities or their employees to property agencies, insurance companies, mother and baby products suppliers, advertisers, and etc.
As mentioned by the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security in the Notification on Legally Punishing Criminal Activities that Infringe upon Citizens’ Personal Information that they jointly promulgated on April 23rd 2013, “Currently, criminals are found to be selling citizens’ personal information through internet in an excessive manner in pursuit of illegal benefits. An enormous ‘underground industry’ and black profit chain has been formed”.
3. How Personal Information Gets Leaked
One possible cause is the intentional or inadvertent disclosure by the entities or individuals having access to the personal information. For example, during the period from July to October 2008, someone named Tang, the chief of Monitoring Center of Network Operation Department at China Unicom, Beijing Branch, took advantage of his position to gain illegal benefits by selling large amounts of personal information.
Database vulnerability caused by administration and technology deficiency could also lead to information leakage. As per the report in Economic Information Daily of April 22nd 2015, the social security system has become one of the hard-hit areas of personal information leakage. The report believed that high-risk vulnerabilities widely existed in the health and social security systems in several provinces and cities, including Chongqing, Shanghai, Shanxi, Shenyang, Guizhou and Henan. As a result, the social security information belonging to tens of millions of users is possible to be leaked.
III. Relevant Laws and Regulations in China
The current protection over individual privacy rendered by the laws and regulations in China is far from sufficiency. In the absence of an independent law protecting personal information, the rules concerning personal information are discretely regulated with limited systematization. The legal concept of “personal information” was formally raised for the first time on April 23rd 2013 in the Notification on Legally Punishing Criminal Activities that Infringe upon Citizens’ Personal Information jointly promulgated by the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security. The Notification expressly defined that “a citizen’s personal information shall include the citizen’s name, age, valid ID number, marital status, place of work, education background, resume, home address, telephone number and other information and data that is able to identify the citizen’s personal identity or involves his/her individual privacy”.
The laws and regulations that directly protects personal information mainly include the Amendment Ⅶ to the Criminal Law, China Tort Law, Administrative Measures Governing Internet Information Services, Decision on Strengthening Network Information Protection, Law on Penalties for Administration of Public Security, Telecommunications Regulations, Law on the Protection of Minors, Law on the Protection of Rights and Interests of Women, Law on Licensed Doctors, Law on the Protection of Consumer Rights and Interests and etc. Also, the Constitution, General Principles of the Civil Law and other laws provide indirect protection over personal information. According to incomplete statistics, personal information is mentioned and stipulated by 40 laws, more than 30 regulations and nearly 200 departmental stipulations (including stipulations and administrative measures governing internet information, medical information and individual credit). In addition to these, there are also several regional rules and regulations, such as the Preliminary Measures on Individual Credit Investigation of Shanghai promulgated in 2003.
Among the relevant laws and national standards, the following should be paid extra attention to:
1. The Amendment Ⅶ to the Criminal Law
On February 28th 2009, the Standing Committee of the National People’s Congress passed rules on protecting individual’s personal information by adding 2 crimes, i.e., the crime of selling or illegally providing citizens’ personal information and the crime of illegally obtaining citizens’ personal information.
The crime of selling or illegally providing citizens’ personal information refers to the crime committed by any staff member of a state organ, or an organization of finance, telecommunication, transportation, education or health care, etc., who violates the state regulations by selling or illegally providing the citizens’ personal information obtained during the course of performing duties or providing services. Where the circumstances are serious, such staff member shall be sentenced to a fixed-term imprisonment of no more than three years or criminal detention with a fine imposed concurrently or shall be only subject to a fine.
The crime of illegally obtaining citizens’ personal information refers to obtaining the above-mentioned information illegally by theft or through other means. Where the circumstances are serious, the person committed the crime shall be sentenced to a fixed-term imprisonment of no more than three years or criminal detention with a fine imposed concurrently or shall be only subject to a fine.
Where an organization commits either of the above 2 crimes, a fine shall be imposed on the organization, and the persons who are directly in charge of the organization and other persons who are directly responsible for the crime shall be punished respectively in accordance with the provisions of the corresponding crime.
Prior to implementation of the Criminal Law Amendment, the activities of illegal obtaining citizens’ personal information and the activities of selling or illegally providing the same reaching a certain serious extent were usually convicted and punished per the crime of illegal business operation. For instance, during the period from April 2007 to October 2008, a person named Zhang obtained and sold large amounts of citizens’ personal information for illegal benefits, by taking advantage of his position as middle customer service maintenance at the Yizhuang Center of China Mobile Beijing branch. The Court held that Zhang knowingly facilitated the investigation company’s illegal business operation by purchasing or using his position to illegally obtain information, and providing or selling the same to the investigation company for the purpose of their illegal business operation. As such, Zhang should be convicted on the count of accomplice to illegal business operation.
Upon implementation of the Criminal Law Amendment, the Courts have unified to render judgments under the newly-added crimes. In one case, 7 out of the 23 defendants, being staff members from China Mobile Beijing branch, China Unicom Beijing Branch and China Telecom Beijing Branch, took advantage of their telecommunication working platforms during the period from March to December 2009, and sold or illegally provided citizens’ personal information that they obtained during the course of performing duties or providing services to others. Among these 7, Defendant Xie, being the operation and maintenance manager at Beijing Jing Chi Wu Xian Communication Technology Co., Ltd., one vendor of China Mobile Beijing branch, repeatedly provided mobile phone positioning information for more than 90 mobile numbers requested by others, by using the authorization rendered by China Mobile Beijing branch to his company. From March to December 2009, his illegal benefits reached as high as RMB 90,000. He was the first one in China being convicted of illegally providing mobile phone positioning information. Defendants Huang and Zhou, being staff members dispatched to customer service center at the China Mobile Beijing branch, repeatedly sold citizens’ personal information obtained during the course of providing services in their company for profits.
After the trial, 14 defendants were sentenced to imprisonment with the terms varying from half year to 2.5 years. 9 defendants were granted probation considering that the circumstances of their crimes were less serious. The defendants were respectively convicted of “selling or illegally providing citizens’ personal information” and “illegally obtaining citizens’ personal information”.
2. Decision on Strengthening Network Information Protection by the Standing Committee of the National People’s Congress
Considering the lack of protection by higher level law over network information, and the constantly emerging events of personal information infringements through internet, Microblog, BBS and other tools, the Standing Committee of the National People’s Congress passed through the Decision on Strengthening Network Information Protection on December 28th 2012, with the attempt to regulate the activities of network service providers and other legal entities to use, collect, protect and operate citizens’ electronic information. The Decision established the legal principle of “protection by the state over the electronic information that can be used to identify a citizen and involves a citizen’s privacy”. The Decision provides expressly that no organization or individual shall obtain a citizen’s personal electronic information by theft or other illegal means. Nor shall anyone sell or illegally provide a citizen’s personal electronic information to others.
The Decision sets forth several obligations for network service providers and other legal entities, including the obligation not to utilize users’ information, the obligation to take measures for information security, the obligation to properly administrate the information released by the users, the obligation to cooperate with the measures taken to enforce the legal rights, and the obligation to make their rules for collecting information public.
The infringer’s legal liabilities under the Decision include civil, administrative and criminal liabilities. The applicable administrative liabilities may include warnings, fines, confiscating illegal gains, revoking licenses or cancelling record-filings, shutting down the websites concerned, barring the liable persons from engaging in network services business, etc. In addition, such persons’ violations shall be recorded in the social credit files and be made public. The conducts that constitute violations of public security administration shall be given public security administration punishments in accordance with the law.
The Decision also stipulates that the network service providers and other legal entities shall follow the principles of legitimate, proper and necessary collection and use of citizens’ personal information, and make their collection purposes, methods and scope public. Without the information holders’ consents, they shall not collect or use such information against the laws or regulations, or against their mutual agreements.
Network service providers and other legal entities shall take technical measures and other necessary measures to ensure information security, and prevent the citizens’ personal electronic information as collected during business activities from being leaked, damaged or lost. Remedial measures shall be immediately taken in the event that such information may be or has been leaked, damaged or lost.
3. Guidelines on Personal Information Protection
In the absence of a unified regulation like the Personal Information Protection Law, the frequently-occurred events of personal information leakage and using personal information for illegal benefits are highly calling for a guideline document to regulate the business operation activities involving citizens’ personal information. In light of this, the Information Security Technology - Guidelines on Personal Information Protection of Public and Commercial Service Information Systems (GB/Z 28828-2012) were promulgated by the General Administration of Quality Supervision, Inspection and Quarantine jointly with the Standardization Administration of the People’s Republic of China on November 5th 2012.
- The Guidelines make clear the terminologies and definitions relating to personal information.
For instance, personal information is defined as the “computer data that can be handled by information systems, can be related to specific natural persons, and can be used, either alone or in combination with other information, to identify the specific natural persons.” Personal information is divided into sensitive personal information and general personal information, between which sensitive personal information refers to the personal information that, once leaked or modified, will adversely affect the subject of personal information labeled. In addition, the subject of the personal information, administrator of personal information, receiver of personal information and third party testing and evaluation agency are also defined in the Guidelines.
- The Guidelines raise 8 principles for handling personal information for the first time, including the principles of clear purposes, minimum and necessary, public notification, personal consent, quality assurance, security guarantee, good faith performance, and clear responsibilities.
The principle of clear purposes – personal information shall be handled for specific, clear and reasonable purposes without expansion, and without changing the purposes in the absence of the subject’s acknowledgement.
The principle of minimum and necessary – only the minimum information relating to the handling purposes will be handled and shall be deleted within the shortest period of time after the purposes are fulfilled.
The principle of public notification – the administrator of personal information shall perform the obligations of informing, explanation and alerts to the subjects and shall, in a clear, straightforward and appropriate manner, truthfully notify the subjects of the purposes, scope of collection and use, safety measures for personal information protection, etc.
The principle of personal consent – prior consent shall be obtained from the subject of the personal information before handling.
The principle of quality assurance – the personal information shall be assured of confidentiality, integrity, availability and being up-to-date during handling.
The principle of security guarantee – administration measures and technical means which are appropriate and match the likelihood and severity of damages that the personal information may incur shall be adopted, in order to protect the security of personal information, and prevent personal information from being searched or disclosed without its authorization, as well as from being lost, leaked, damaged or tampered.
The principle of good faith performance – the administrator of personal information shall, according to the commitments made when collecting or based on statutory grounds, cease to handle personal information upon fulfillment of purposes.
The principle of clear responsibilities – the administrator of personal information shall specify the responsibilities during personal information handling, take measures to enforce corresponding responsibilities, and record the handling of personal information for future reference.
- The Guidelines specify the rights of the subjects of the personal information, which include the rights to confidentiality, acknowledgement, choice making, modification and prohibition.
- The Guidelines protect personal information in the stages of collection, processing, transferring and deletion.
- Reference and Enlightenment to Legal Entities
The Guidelines set forth norms of conducts to legal entities when handling personal information. Where a legal entity has to utilize personal information, it shall collect directly from the subjects of personal information with the explicit authorizations by laws and regulations or by the subjects’ personal consents. It shall only process personal information within the purposes and scope acknowledged by the subjects. When it is necessary to transfer the personal information to other institutes, the legal entity shall inform the subject of the purposes and objectives of transfer, and obtain the subject’s explicit consents.
The Guidelines, being of recommended and leading use, may only play a limited role in protecting personal information security. It remains to be seen what the judicial stands towards the contents therein. Though not likely to be mandatory, the Guideline, through long term of adequate researching, will facilitate the future legislation positively. Meanwhile, given that the Guidelines are only of leading use, no penalty measure is contained therein.
4. The Amended Law on the Protection of Consumer Rights and Interests
The Law on the Protection of Consumer Rights and Interests as amended on October 25th 2013 has made it clear that the personal information shall be protected as one of the consumer’s rights. As Article 14 of the Law goes, “Consumers shall, in purchasing or using goods and receiving services, be entitled to respect for their human dignity, ethnic customs and habits, as well as protection of their personal information in accordance with the law.”.
The amended Law also provides obligations that the business operators shall perform in Article 29, “Business operators shall follow the principles of legitimate, proper and necessary collection and use of the consumers’ personal information. They shall expressly state the purposes, methods and scope of information collection and use, and obtain the consent of the consumers whose information is to be collected. Business operators shall make their rules for collecting and using consumers’ personal information public, and shall not collect or use personal information in violation of laws or regulations, or in breach of their mutual agreements. Business operators and their staff members shall strictly keep the consumers’ personal information as collected confidential, and shall not divulge, sell or illegally provide others with the same. Business operators shall take technical measures and other necessary measures to ensure information security and prevent the consumers’ personal information from being leaked or lost. They shall immediately take remedial measures where information has been or may be leaked or lost. Business operators shall not send commercial information to consumers without their consent or request, or after the consumers have expressly refused to receive such information”.
Where there is any infringement upon the consumers’ legally-protected rights over personal information, the infringer may, in addition to civil liabilities, incur administrative penalties by the authorities, such as imposition of a fine not less than one time but not more than ten times the illegal gains, or imposition of a fine up to RMB 500,000 yuan where there is no illegal gains. And if the circumstances are serious, they shall be ordered to suspend business for rectification, and their business licenses shall be revoked (Article 56 of the Law).
5. Provisions on Protecting the Personal Information of Telecommunication and Internet Users
In light of the fact that the personal information security was not properly valued by some telecommunication operators and internet information service providers for their users, as well as the insufficiency of safety protection measures, administration mechanisms and security liabilities, the Ministry of Industry and Information Technology promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users on July 16th 2013, with the attempt to further improve the legal protection over users’ personal information, and to regulate the conducts of collecting and using users’ personal information during telecommunication and internet information services.
The Provisions mainly provide the following:
- The scope of telecommunication and internet users’ personal information under protection. The Provisions specify that the “information collected by telecommunication business operators and internet information service providers during the provision of services that may be used for identifying the users either independently or in combination with other information, including the name, date of birth, identity document number, address, phone number, account number, password, etc. of a user, as well as the information showing when and where the users enjoy the services” shall be protected.
- The principle of collection and use of the users’ personal information. The Provisions specify that the telecommunication business operators and internet information service providers shall follow the principles of legitimate, proper and necessary when collecting and using users’ personal information, and take responsibilities for the security of users’ personal information.
- The rules for collecting and using personal information. The Provisions provide that telecommunication business operators and internet information service providers shall abide by the rules of information collection and use as follows: the rules of information collection and use shall be formulated and made public; no user’s personal information shall be collected or used without the user’s consent; users shall be informed of the purposes, methods, scope and other matters of information collection and use; no personal information shall be collected from the users out of necessity of the services as provided; the collection and use of a user’s personal information shall be ceased upon termination of the user’s services, and services for deregistering relevant phone numbers or account numbers shall be provided; no user’s personal information shall be leaked, tampered, damaged, sold or illegally provided to others.
- Administration on agents. The provisions, under the principles of “the party operates shall be the party having responsibility” and “the party who entrusts others shall be the party having responsibility”, pursuant to the agency rules in civil law, stipulate that the telecommunication business operators and internet information service providers shall take responsibilities for administrating their agencies on personal information protection. Article 11 sets out that, when other parties are entrusted by telecommunication business operators or internet information service providers to provide services such as market sales and technical services and other services that are directly user-facing, and when the collection or use of users’ personal information is involved therein, the telecommunication business operators or internet information service providers shall supervise and administrate the work carried out by the entrusted parties with respect to the protection over users’ personal information, and shall not entrust parties who are unable to meet the requirements herein on the protection of users’ personal information with relevant services.
- Security protection rules. The Provisions sets out measures that the telecommunication business operators and internet information service providers shall take in order to protect users’ personal information from being leaked, damaged, tampered or lost, from different aspects of work duty responsibilities, administration mechanism, authority control, storage medium, information system, operating records, safety protection and others. In addition, the Provisions also have stipulations on self-inspection, training and others relating to users’ personal information.
- Supervision and inspection rules. It is required by the Provisions that the telecommunication authorities shall supervise and inspect the protection of users’ personal information, and that the telecommunication business operators and internet information service providers shall cooperate. It is also specified by the Provisions that the telecommunication authorities shall review the condition of users’ personal information protection in granting license and conducting annual inspection relating to telecommunication business. The violations of the Provisions by telecommunication business operators and internet information service providers shall be recorded into their social credit files.
6. Measures on the Administration of Online Transactions
On January 26th 2014, the State Administration for Industry and Commerce promulgated the Measures on the Administration of Online Transactions. With regard to personal information protection, the Measures requires online product business operators, relevant service providers and their staff members to strictly keep the consumers’ personal information that they collect confidential, and refrain from leaking, selling or illegally providing such information to others. The afore-said parties shall also take technical measures and other necessary measures to ensure information security to prevent leakage or loss. Remedial measures shall be immediately taken when information leakage or loss occurs or is about to occur.
Moreover, Article 18 of the Measures expressly provides that, online product business operators or relevant service providers shall not send electronic commercial information to consumers without their consent or request, or after the consumers have expressly refused to receive such information.
7. Administrative Provisions on Short Message Services for Communication
The Decision on Strengthening Network Information Protection by the Standing Committee of the National People’s Congress expressly provides that “business operators shall not send commercial electronic information to consumers without their consent or request, or after the consumers have expressly refused to receive such information”, laying legal basis for administrating junk short messages. Despite of such regulation, there still lacks explicit rules on several issues, such as the methods for users to reject receipts of short messages, the obligations of short message service (“SMS”) providers, administration measures and the corresponding legal liabilities, resulting in lots of difficulties in dealing with junk short messages. In the efforts to effectively cope with junk short massages, protect legal rights of the wide range of users and regulate SMS, the Ministry of Industry and Information Technology promulgated the Administrative Provisions on Short Message Services for Communication on May 19th 2015. The Provisions specify the obligations of SMS providers in details, and set forth administration rules and punitive measures concerning commercial short messages.
With respect to the commercial short messages, the Provisions explicitly requires that the SMS providers and short message content providers shall not send commercial short messages to users without the latter’s consent or request, and shall explain the types, frequency, duration and other relevant information of the commercial short messages to a user when they request such user to agree with receiving the commercial short messages. In addition, the ports for sending messages with business management and service nature shall not be used for sending commercial short messages. The users shall be provided with convenient and effective methods to refuse the short messages. SMS providers shall establish management and monitoring mechanisms.
The Provisions set forth that “12321 Center Accepting Complaints against Internet Harmful and Junk Messages” can accept SMS complaints. Meanwhile, the Provisions also include procedures of how to handle complaints against commercial short messages harassments and illegal activities, and procedures of how to handle illegal messages by SMS providers.
8. Draft Network Security Law
The 15th Session of the 12th Standing Committee of the National People’s Congress discussed and reviewed the PRC Network Security Law (Draft) for the first time, and published to society for opinion solicitation in June 2015.
Personal information protection is also involved in the Draft. In the Annex, “citizen’s personal information” is defined as the citizen’s name, date of birth, ID number, personal biological identification information, occupation, address, telephone number and other personal identity information that is recorded electronically or in other methods, and various other information that can be used, either alone or in combination with other information, to identify the citizen”.
The protection over personal information is mainly embodied in Articles 34-39 of Chapter 4 on “Network Information Security”. In addition, Article 17 of the Draft provides network operators’ obligations to ensure security of personal information. Article 31 requires the “operators of Key Information Infrastructures” to store the important data including citizens’ personal information within PRC. In the circumstance that the information has to be stored overseas or provided to overseas, the operators shall be under security evaluation per relevant regulations.
Overall, from a positive perspective, the Draft Network Security Law, with reference to the personal information legislation and practice domestically and internationally, has managed to embody the following principles:
- The principle of network operators’ security guarantee principle (Article 17)
- The principle of personal consent (Articles 18 and 35)
- The principle of clear purposes (Article 35)
- The principle of minimum and necessary (Article 35)
- The principle of public notification (Article 35)
- The principle of quality assurance (Article 36)
- The requirement on noticing leakage (Article 36).
Nevertheless, the legislative purpose of the law is mainly to “ensure network security, maintain network space sovereignty, state security and social welfare” (Article 1). Considering that it is not a specific personal information security law, personal information protection is only briefly mentioned by a few articles in the Draft. Compared to the mature foreign laws, the Draft still reveals several deficiencies, such as:
- Limited scope of protection. The Draft only regulates the “network operators that build, operate, maintain and use network within China”, including infrastructure telecommunication operators, network information service providers, and important information system operators. The forgoing is obviously not sufficient to cover all the “operators that engaged in collection and handling of personal information and other matters”.
- Inadequate right to information. The Draft, with the effort to regulate network operators, has only limited reference to the protection over citizens’ personal information within public power. It only has a principal regulation in Article 39, i.e., “the authorities having network security supervision and administration duties shall strictly keep confidential of the citizens’ personal information, privacy and trade secrets that become known to them when they perform their legal duties, and shall not leak, sell or illegally provide the same to others”. Other than this, the handling of personal information by governmental authorities is not well regulated. There still lacks more detailed rules on the collection, use, publication, confidentiality and other issues. The balance between public interest and personal privacy is not reflected enough.
- Lack of solution for the contradiction between commercialization of Big Data and personal privacy protection. In South Korea, operators are required to delete or substitute all or part personal information by deleting, making anonymous of, aggregating, classifying, shielding or taking other measures when collecting data, so that the data as collected will not be associated with the specific information owner. This process is also known as “the anonymous handling of personal information”. As long as such handling method is duly taken, the operators may, even in the absence of users’ consents, proceed to collect and develop users’ personal information, providing the same to third parties, and use the same internally for the purpose of providing service, unless the users have expressly refused so. But if, after the handling method, the information is still found to contain data that can be associated with the specific information owner, the operators shall immediately destroy such information, or take additional measures so that the specific information owner will not be identified.
- Lack of rules on the processing and transfer of personal information. The Draft, by Article 31 only, requires that “the operators of Key Information Infrastructures shall store the citizens’ personal information and other important data as collected and generated in operation within the People’s Republic of China. Out of the operator’s business need, where it is indeed necessary to store the aforesaid data overseas or provide them to overseas entities and individuals, security evaluation shall be conducted in accordance with the measures formulated by the national ministry of internet information jointly with relevant ministries of the State Council”. The aforesaid regulation only concerns the storage of personal information by the operators of Key Information Infrastructures. Other than this, there is no rule on the processing or transfer of personal information by various operators (including the operators of Key Information Infrastructures).
- Issues of inadequate penalty method and low cost of violation. All activities in violation of the Draft will be ordered for correction and warned by relevant governing authorities, and will only be imposed of a fine ranging from RMB 50,000 yuan to RMB 500,000 yuan when the subject of violation refuses to correct, or when the illegal activities lead to endangerment of network security or other consequences. The severest penalty is imposed upon the operators of Key Information Infrastructures with the fine of RMB 1 million yuan only. Meanwhile, the fine imposed upon the direct principals in charge or other directly liable staff members ranges from RMB 5,000 yuan to RMB 100,000 yuan. In comparison, under the General Data Protection Regulation (GDPR) formulated by the European Union (EU) in November 2012, the illegal activity is possible to incur penalty with the highest amount up to 2% of the operator’s annual global turnover. In the Relevant Law on Cloud Computing Development and User Protection promulgated by South Korea on March 27th 2015, the activities of using the users’ information or providing to others, knowingly accepting such users’ information and leaking personal information illegally will all possibly incur criminal liabilities.
- Lack of unified enforcement administration. Article 6 of the Draft provides that “the national ministry of internet information shall be responsible for comprehensive arrangement and coordination of network security governance and relevant supervision and administration. The ministry of industry information technology and public security as well as other relevant ministries of the State Council shall be responsible for the work concerning the protection, supervision and administration of network security within their respective duties in accordance with the provisions of this Law, relevant laws and administrative regulations”. The said regulation is not explicit on the enforcement authorities protecting personal information. In contrast, EU has established the post of “European Data Protection Supervisor” since 2001 to ensure that the citizen’s right to privacy is duly respected when being handled by all EU institutions and organizations. In addition, Article 29 of the Data Protection Directive created the “Article 29 Data Protection Working Party”, commonly known as the “Article 29 Working Party” or Data Protection Working Party. The Office of the Privacy Commissioner of Canada, along with the provincial privacy enforcement authorities and similar institutions across the country, are responsible for personal information protection of the Canadian Confederation.
- Inadequate legal remedies for citizens. Article 63 of the Draft simply regulates in principle that “whoever violates the provisions of the Law, causing damage to others, shall undertake civil liabilities in accordance with the law”. In the South Korean Relevant Law on Cloud Computing Development and User Protection, it is explicitly provided that the user is entitled to remedies when they incur damages due to the cloud service provider’s violation. Under such circumstance, the burden of proof shall be upon the service provider.
9. Specific Law on Personal Information Protection
Compared to the fast-evolving technologies of cloud computing and big data, the legislation of personal information protection in China obviously falls far behind. We still have no unified legislation program or unified institution enforcing data protection, resulting in the inadequate protection over personal data under current laws and regulations. On the other hand, the rapidly developing era of cloud computing and Big Data is not given enough attention. Neither is the globalization of data protection. In view thereof, a specific law on personal information protection is in great need, even after the future promulgation of Network Security Law.
It is understood that the Informatization Office of the State Council initiated researching program on personal information legislation as early as 2003. By 2005, the Personal Information Protection Law (Experts’ Draft) took shape. By 2008, the Draft was submitted to the State Council. Nonetheless, the formal legislation procedure has not started by far.
The future Personal Information Protection Law is expected to fix the deficiencies in legal protection over personal information in China to a large extent, and is placed with high hopes.
IV. How to Cope with Issues of Personal Information Protection
Under the current legal frameworks, the business entities are suggested to take measures to cope with personal information protection from the following perspectives:
1. Staying updated for the legislation trends domestically and internationally. Foreign invested enterprises are advised to pay attention to the legislation trends in China and in the countries where the parent companies are located. Chinese domestic companies “going internationally” are advised to pay attention to the legal trends in the target countries. The “right to be forgotten” under EU law is a typical example. In May 2014, the European Court of Justice ruled against Google in a case brought by a Spanish citizen Mario Costeja González, and decided Google should remove a link with reference to the citizen. The ruling is deemed as recognition to the “right to be forgotten” by allowing users to delete their own names or relevant histories from the search engine results page (SERP). Subsequently, the EU Article 29 Working Party issued corresponding implementing regulation to ensure the realization of the “right to be forgotten”. Per the latest EU directive relating to cookies (Directive 2009/136/EC), the storing of information (cookies), or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. Considering that the proposed penalty imposed upon illegal activities could be very severe (up to 2% of the annual global turnover), the operator’s prudence is highly recommended.
2. Timely revising the policies on collecting information and protecting privacy. To ensure the legal compliance in the business entity’s own country and the extending countries, the entity shall review and timely revise its own policies and business procedures. To this end, it should be noted that the EU General Data Protection Regulation (GDPR) proposes to not only apply when the data controller or processor (organization) or the data subject (person) is based in the EU, but also apply to organizations based outside the European Union if they process personal data of EU residents.
3. Conducting due diligence on personal information protection. Due diligence shall be conducted against suppliers and business partners on their policies and practical operation of personal information protection, with the attempt to avoid legal risks. In other words, business entities shall not only focus on their own personal information protection policies and processes, but also pay close attention to the personal information protection of their suppliers and business partners. As an example, EU tends to be very cautious when regulating the collection and handling of personal data. The Data Protection Directive implemented in 1998 forbids transmission of personal data to the countries or regions beneath EU standard. The General Data Protection Regulation (GDPR) also forbids transmission of personal data to countries or organizations not able to ensure sufficient data protection. Russia has requirements on data operators (including internet companies) to use servers within the Russian Federation to store citizens’ personal data, otherwise the operators’ networks could be blocked. In addition, foreign companies that are not able to guarantee storage of personal information within Russia will face injunction when sending data outside of Russia.
4. Adopting high level security protection and administration measures to prevent personal information leakage. The business entities are recommended to, with reference to the Draft Network Security Law and the requirements in foreign laws and regulations, pay high attention to the personal information protection, by formulating internal administration rules and operation procedures, and taking technical measures to defend activities endangering network security, such as virus, network attack and network invasion. Further, it is also recommendable to take technical measures to record and track the state of network, monitor and record network security events, save web logs per relevant regulations, and ensure classification of data, backup and encryption of important data.
5. Fulfillment of Data Breach Notification Obligation. When there occurs or will possibly occur information leakage, damage or loss, the responsible business entity shall take immediate remedial measures and notify the same to the users that will be impacted, so that they can timely take measures. In addition, the entity shall report to the governing authorities per the relevant rules. In some countries, such as South Korea, the users’ information shall be returned and deserted thereafter upon termination of the service as provided. These should raise awareness of business entities.
6. Anonymous handling of personal information as collected. For the entities engaged in cloud computing and Big Data commercialization, it is advisable to take the approach of “anonymous handling of personal information”, to avoid disclosing of personal information and data. It is known as an effective security measure, and is also required by law in several countries.
7. Strengthening communications with enforcement authorities. Considering the deficiency of laws and regulations on personal information in China, it could be rather effective for business entities to positively communicate with enforcement authorities. Especially in cases of personal information leakage or possible leakage, or interruption of service, the efforts to fully cooperate with the investigations by authorities and take remedial measures could be very rewarding and gain some leverage for the business entity.