On August 5, 2016, the State Administration of Industry and Commerce (SAIC) in China released for public comments draft Implementing Regulations for the Consumer Rights Protection Law (“Draft Regulations”) which include specific provisions on data privacy. With respect to data privacy, the Draft Regulations largely reiterate and reinforce the existing rules under the 2013 Consumer Rights Protection Law (“2013 CRPL”) (see our November 12, 2013, blog post) but with certain additional details and clarifications, as well as certain new requirements.
The Draft Regulations reiterate that consumer business operators must: obtain the consent of consumers when collecting personal information and notify consumers of the purpose, means, and proposed use of such personal information; keep consumers’ personal information confidential and not transfer, sell, or illegally disclose the same without consent; and adopt appropriate technical and other measures to ensure security and take immediate remedial action in the event of any unauthorized disclosure, theft, or loss of information.
The Draft Regulations include new and complementary information and requirements. For example, business operators may only collect personal information that is relevant to their business operations; must retain for at least five years evidence that a consumer has been duly notified and given consent regarding the collection of personal information; and are prohibited from conducting commercial marketing through electronic messages or telemarketing calls unless the consumer has consented to this. The scope of what is treated as “personal information” of consumers is also expanded to expressly include biometric data.
There is one important and clear new exception in that business operators may transfer personal information without consent if such information has been irreversibly processed and desensitized so that it is impossible to identify the specific individual consumer.
TIP: The Draft Regulations have not yet been finally approved and issued. There could be further changes, although the current draft fits neatly with the 2013 CRPL and seems to emphasize the drive for more detailed and unified laws relating to data privacy in China, especially in the consumer space. Penalties for non-compliance are significant, especially by China standards. Foreign businesses operating in China should ensure that they are meeting the current requirements and are aware of any further changes in both law and practice.