On 1 February 2013, China's first set of Personal Data Protection guidelines, the Guidelines for Personal Information Protection in Information Security Technology Public and Commercial Service Systems (the “Guidelines”), came into effect. The Guidelines were issued by the Ministry of Industry and Information Technology (“MIIT”), and apply to all organizations and entities in China except government administrative authorities.
Although not binding, the Guidelines nevertheless clarify key procedures for relevant organisations collecting personal information, and provide an accepted regulatory standard outlining how personal information should be collected, processed, transferred, and deleted.
The Guidelines propose eight principles: (1) a clear purpose for collection, (2) the minimum possible amount of data, (3) public notification of the collection, (4) user consent, (5) quality assurance, (6) security assurance, (7) good faith, and (8) accountability. The Guidelines define personal information, differentiating between “personal sensitive information” and “personal general information,” similar to provisions in the EU Data Protection Directive 95/46/EC.
Although silent on how consent is to be obtained, the Guidelines require that it be obtained from the data subject before personal information can be collected and processed. For general personal information, implied consent is sufficient, whereas for sensitive personal information, express consent is required. Furthermore, data subjects must be informed of the purpose of collection, means of collection, security protection measures implemented, and scope of use of the personal information prior to the collection.
Under the Guidelines, organisations will be required to delete personal information once the purpose for its collection has been met. Additionally, the collection of sensitive personal information of minors under 16 years of age without their guardian’s consent is prohibited.
The Guidelines prohibit unauthorized transfers of personal information from China to an offshore individual or organization. Cross-border transmission of personal information is permitted only upon express consent by the subject, specific authorisation by national laws and regulations, or approval by relevant and competent authorities.