Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data. These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.
The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest. Also, the potential penalties for violation are manageable in most cases. In addition, these provincial regulations could be superseded by national-level data protection legislation, depending on its terms.
However, the provincial regulations have importance of their own, since they do have to be complied with by enterprises doing business in their localities. The provincial regulations also have potential importance as a harbinger of the directions in which data protection laws may develop in China.
These data protection-like regulations have typically been enacted as individual clauses within wider-ranging provincial-level enabling regulations to help put consumer protection laws into actual practice. All of them require that a commercial enterprise may not disclose a consumer’s personal information to a third person without the consumer’s consent, and that a commercial enterprise must not collect personal information that is unrelated to the consumer’s purchase of goods or services. One of the more far-reaching of the provincial regulations is the one enacted in Henan Province, which reads as follows.
Article 16 When providing goods or services, an enterprise must not request that a consumer provide personal information that has no relation to the consumption [of goods or services].
Without having obtained the consent of the consumer, [an enterprise] must not disclose personal information of the consumer, such as name, gender, profession, age, residential address, identification card number, educational history, contact information, marital status, workplace, income and property status, fingerprints, blood type, history of illness and so forth, or his/her related household information to a third party or use it for another purpose. If [applicable] law or regulation provides otherwise, their provisions shall [instead] be followed.
The most interesting aspects of these provincial rules include the following:
- A data user whose operations already comply with the APEC Privacy Principles or the EU Directive would appear to be in very little, if any, risk of violating one of these provincial regulations.
- They take the form of consumer protection regulations. These provincial authorities have therefore accepted data protection as a consumer protection issue. This is in contrast to the amendment to the PRC Criminal Law, passed this past March, in which the national-level legislature framed the issue of personal information protection as one of potential criminal violations, and therefore as a law and order issue. In the past, other regulations have framed the issue as a banking regulation.
- They provide definitions of personal information. While the definitions vary from province to province, when a national data protection law is finally passed, it could draw its definition of personal information from one or more of these provincial-level regulations.
- They impose collection limitations. As shown above, the regulations for Henan Province prohibit a commercial enterprise from collecting personal information that is not related to the consumption of goods or services. The regulations do not provide clarification of what constitutes information that is related to the consumption. (Some of the regulations impose limitations on the forcible or compelled collection of personal information that is not related to the consumption of goods or services.)
- A few of the provinces (Henan, Shandong and Guizhou) also impose a use limitation. Some of the provinces (Shandong, Fujian, Anhui, Inner Mongolia and Shanghai) actually expressly cite a “right to privacy” or “individual privacy” as interests that are protected by the regulations. However, these terms are not further defined.
- A data user avoids a violation of one of these provincial regulations by inactions rather than by affirmatively required actions. For example, the regulations require data users not to disclose personal information to third parties, or not to request personal information that is not related to the consumption of goods or services, and do not as yet impose any obligation to put security safeguards in place, to actively register with a data protection office, or to actively inform consumers or obtain their consent (unless disclosure to a third party is involved). In other words, the provincial regulations do not actually require data users to affirmatively do much of anything yet.
- The penalties for violations of the personal information protection aspects of these provincial consumer protection regulations range from warnings; to an order to rectify; to an order to issue an apology, restore the injured party’s reputation and remove any negative impacts; to confiscation of illegal income; to a fine of less than RMB 10,000. The magnitude of most of the penalties seems to be unlikely to threaten serious damage to most business organizations. There is however the prospect of large penalties if the misuse of personal information results in a substantial amount of illegal income, because the penalties allow the imposition of a fine of up to five times the illegal income. Also, in serious instances, the regulations sometimes allow temporary shutdown of a business while it overhauls its actions, and the terms of the national-level Consumer Protection Law also allow a theoretical prospect of a complete shutdown of the business. Criminal penalties may also apply if the misuse involves criminal actions.
- A private right of action is established for violations of the personal information protection aspects of these provincial consumer protection regulations. Injured private citizens are typically given a range of remedial actions, which can include settlement talks, mediation by the local consumer association, arbitration, administrative lawsuits before an administrative agency or lawsuits in a People’s Court.
- It is possible that no central-level data protection law will be enacted, at least for the near and foreseeable future, in which case data protection laws in China will continue to exist in a scattered, piece-by-piece form. If so, provincial regulations like these consumer protection regulations will be one part of an ever-growing, overall jigsaw puzzle of requirements that enterprises doing business in China will have to comply with.
Among China’s 31 provinces, 13 are known to have included consumer data protection obligations in their consumer protection regulations. They include Henan, Sichuan, Hunan, Fujian, Inner Mongolia, Tianjin, Shanghai, Yunnan, Anhui, Shandong, Guangxi, Guizhou and Liaoning.
While not every enterprise doing business in China will be materially affected by a provincial data protection regulation, enterprises would be well advised to find out whether the consumer protection regulations of provinces where they conduct business may affect their operations, and to take any action that may be necessary or prudent to comply with them.