A new law in China taking effect in March of this year will provide businesses with a clearer understanding of what types of information are protected as consumer personal information in China. This new definition will clarify companies’ obligations with respect to the use and processing of that information under other Chinese laws and regulations. A failure by businesses to recognise these new requirements can lead to onerous penalties, including fines.
The Current Definition of Personal Information
Currently in China, personal information, as referred to in various PRC regulations covering data protection, is defined in broad terms as any identifying information. Or, to be more precise, the rules define it as “any information associated with a user, which, either independently or when combined with other information, is able to identify such user.”
The essence of this definition, albeit with some minor variations, is found in various PRC laws and regulations which include data privacy provisions:
- the Decision on Strengthening Network Information Protection (effective from 28 December 2012) issued by the Standing Committee of the National People’s Congress;
- the Several Provisions on Regulating the Internet Information Service Market Order (effective 15 March 2012) issued by the Ministry of Information and Internet Technology (MIIT), which is charged with regulating data privacy online; and
- the non-binding Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services on Information Security Technology (dated as effective from 1 February 2013, the Guidelines) issued by China’s Standardization Administration.
Additionally, the Law on the Protection of Consumer Rights and Interests (effective from 15 March 2014) (Consumer Rights Protection Law), issued by the State Administration of Industry and Commerce (SAIC), which is charged with consumer protection covering both online and offline transactions, uses the term personal information but fails to define it.
To date, the definitions of personal information in binding PRC law have never been further described through the use of lists of categories or examples. However, the Guidelines, which are not binding, provided a definition of “sensitive personal information” which is information that:
“will have an adverse impact on the subject of the information if disclosed or altered; [as] determined on the basis of the wishes of the subject of personal information who receives services and the characteristics of [a given] industry,”
and may include, for example – and here comes a partial list – “identity card numbers, mobile phone numbers, race, political views, religion, genetic information, and fingerprints.” The Guidelines do not, however, provide a list of “general” personal information, which is defined only in distinction from sensitive personal information.
The Changes Brought by the 2015 SAIC Measures
The lack of a list of data categories and the lack of any definition of personal information in the Consumer Rights Protection Law is about to change. On 15 March 2015 – Consumer Protection Day in China – the SAIC’s Measures for Punishments against Infringements on Consumer Rights and Interests (the SAIC Measures) will take effect. The SAIC Measures define personal information in the context of consumer transactions both online and offline and provide, for the first time ever in binding PRC law, a list of data categories.
The SAIC Measures reflect the approach under current law by defining personal information as identifying information. But the SAIC Measures then continue to list specific categories of personal information, such as: “a consumer’s name, gender, occupation, date of birth, identification card number, address, contact information, status of income and assets, health status, and consumption habits.”
This is the clearest statement to date in any binding PRC law concerning what categories of information are “personal information,” and while obviously applicable within the consumer protection sphere, this list is expected to act as an important point of reference in other spheres.
Requirements for the Collection and Use of Personal Information
The definition of personal information is a matter of particular significance because businesses must treat personal information they collect and use in accordance with their obligations under applicable law. Specifically, under the SAIC Measures and the Consumer Rights Protection Law, businesses must, when collecting and using personal information:
- Observe the principles of lawfulness, rationality and necessity;
- Expressly state the purposes, methods and scope of collection and use;
- Obtain the consumer’s consent;
- Adopt measures to keep personal information secure;
- Take immediate remedial action in the case of any disclosure or loss of personal information;
- Make public the rules of data collection and use adopted by the business; and
- Observe the provisions of applicable laws and regulations and any additional terms separately agreed between the consumer and business.
Businesses must not:
- Collect or use personal information without the consumer’s consent;
- Disclose, sell, or illegally transfer personal information to third parties; or
- Send commercial information to the consumer if the consumer has not agreed to receive it or asked for it, or has communicated clearly that it does not want to receive it.
These SAIC consumer protection data privacy requirements are generally consistent with, though do not completely reflect, the requirements found in other data privacy legislation in China.
Penalties for Getting It Wrong
A failure to comply with the above requirements, whether stemming from the Consumer Rights Protection Law or the SAIC Measures, is subject to the varied and potentially onerous penalties set out in Article 56 of the Consumer Rights Protection Law (except in those situations where the penalty for a failure to comply is set out in another relevant law or regulation).
Under Article 56, the SAIC can punish non-compliant businesses with an order for remediation and one or more of the following penalties:
- A warning;
- Confiscation of illegal gains;
- A fine of 1 to 10 times the amount of illegal gains, or if there are no illegal gains, up to a maximum of RMB 500,000 (approx. USD 80,000 or GBP 52,500); and
- In serious circumstances, closure of the business for remediation or revocation of the company’s business license.
Such penalties are separate from any civil liabilities that may also arise due to the compliance failure.
Due to the SAIC Measures, it has become clearer which categories of information are protected as consumer personal information in China. It is an expansive list that covers more categories, but not exactly the same categories, as the Guidelines. Businesses selling to consumers in China should therefore keep both lists in mind. In any event, the categories set out in the Guidelines and the SAIC Measures fall within the SAIC Measures’ general definition of personal information – and the definition used in other statutes – as information that by itself or in combination with other data can identify a consumer.
Businesses should keep up to date with developments in this area of law and be vigilant in adopting and implementing compliant data collection and use policies. This will help them meet the government’s call to protect consumers’ rights and interests and also avoid the potentially harsh penalties for non-compliance.