On August 5, 2016, China's State Administration for Industry and Commerce (SAIC) published the draft Implementation Regulation for the Consumer Rights Protection Law (CRPL), and asked for public comments by September 5, 2016. The draft Regulation includes 70 articles, detailing issues surrounding the implementation and enforcement of the CRPL, such as consumer rights and business obligations, government and social organizations' protection of consumer rights, dispute resolution, and legal liabilities. This alert focuses on provisions regarding consumer data privacy in the draft Implementation Regulation.
The CRPL was most recently amended in 2013, and that amendment made it clear for the first time that Chinese consumers' personal information is subject to legal protection. The Implementation Regulation defines the term "personal information" more specifically: "information that is collected by business operators when providing goods or services and can be used alone or with other information to identify consumers, including name, gender, occupation, date of birth, ID number, home address, contact method, income and asset information, health condition, transaction information, as well as biometric identifiers."
Article 22 of the Implementation Regulation requires business operators to establish a sound information confidentiality and management system to guarantee that consumers' personal information is protected. More specifically, business operators must not disclose, alter, or destroy consumers' personal information they collect, or provide such information to third parties without consent from the consumer. However, if the processed information cannot be recovered and would not reveal consumer identity, these rules would not apply.
Business operators are also banned from collecting information that is unrelated to the business and from collecting information through unjustified means. Moreover, business operators must keep the documentation that demonstrates informed consent from consumers for at least five years.
With regard to enforcement, Article 57 of the Implementation Regulation makes it clear that a violation of Article 22 will subject business operators to the administrative penalties specified under Article 56 of the CRPL, which include administrative warnings, confiscation of illegal income, and fines ranging from one to ten times the illegal income (up to 500,000 RMB if there is no illegal income). In serious situations, the authorities may order the business to close down and/or revoke its business license.
In short, the Implementation Regulation imposes further restrictions on the commercial use of consumers' personal information. It is also worth noting that Article 2 of the draft Regulation explicitly states that consumers who purchase goods or services (except financial products) to earn commercial gain (rather than for daily consumption) are not protected by the Regulation. This would affect the so-called "professional consumers" in China who knowingly purchase defective products in an effort to obtain compensation by suing (or threatening to sue) companies that allegedly do not comply with various consumer product laws and regulations. The immediate consequence of this carve-out is that professional consumers will no longer be entitled to rights that belong to consumers, e.g., the right to the protection of privacy data as well as the right to get punitive damages under Article 55 of the CRPL.
Establishing consent mechanisms will be an important component of managing consumer data in China going forward.