China’s first national standard on personal information protection, namely the Guide of Personal Information Protection on Information Security Technology, Public and Commercial Information Service System (the “Guide”) became effect on February 1, 2013. Only about one month earlier, the Decision on Strengthening Online Information Protection (the “Decision”) was adopted by Standing Committee of the National People’s Congress on December 28, 2012 and became effective on the same day. Both of the moves show China has taken the significant first step on enhancing personal information protection.
The Decision, which has the force of law, provides fairly broad guiding principles and requirements for not only the internet service providers but also other entities in collecting and using personal electronic information, such as, explicitly indicating the purpose, manner and scope of collecting and using such information and obtaining the consent of the citizen whose information is collected, publishing their policies for collecting and using such information, not divulging, distorting or destroying such information, and not selling or illegally providing others with such information, and etc. In very general terms, violators may face penalties including, but not limited to, warnings, fines, confiscation of illegal gains, license revocations, filing cancellations and website closures. Responsible individuals can potentially be subject to a ban on engaging in web-related business activities, as well as administrative, civil and even criminal punishments.
The Guide, although it lacks the force of law, still represents a significant step forward in the fight for personal information protection in China and serves as an important guidepost for China’s future lawmaking. According to the Guide, handling (including collecting, processing, transferring and deleting) of personal information must be for specific, clear and reasonable purposes, and should be subject to the permission of the individual who has been well-informed. Such information should be deleted once its intended use has been fulfilled. In addition, express consent of the individual concerned is required when transferring his or her personal information outside of China.
Both the Decision and the Guide take a relatively restrictive position on the transfer of personal information between data processors and could create difficulties for multinational corporations relying on third party data processing companies or routinely sharing information between affiliates. Additionally, companies will need to pay more attention to their compliance of business activities under e-commerce environments.