Data protection is a hot topic globally, not least in the People's Republic of China (PRC), which has seen a flurry of related legislative activity in recent years. This was kicked off by the roll-out of the Decision on Strengthening Internet Information Protection (Decision) by the Standing Committee of the National People's Congress (NPC) in December 2012, which took immediate effect. Although the eleven general-principle articles set out in the Decision are not in the form of a law, they are binding and they lay down the cornerstone for further development of the Chinese data protection regime. As we discussed in an earlier article, the Decision forms the basis for the government to create more detailed administrative rules and, as predicted, since the Decision was instituted several new regulations have been made which add more substance to the legal framework on data protection in China.
On 1 September 2013, the Ministry of Industry and Information Technology (MIIT) rolled out the Telecom and Internet Users' Personal Data Protection Regulations (Regulations) which set out legal requirements for data protection in the telecoms sector. These Regulations govern the collection and use of personal information of customers for those providing telecoms or Internet information services within the PRC.
The Regulations reiterate the general data protection principles of being "legitimate, proper and necessary", in particular, the requirement for prior disclosure and consent. With regard to prior disclosure, the Regulations require a service provider to disclose not only the purpose, method and scope of collection and use of the data, but also the channels for inquiry, making corrections and the consequence of refusal to provide required information. Use of the information is limited to what is necessary to supply the requested services. No fraudulent, misleading or coercive means (in particular those violating any applicable laws or agreements) may be employed to collect and use personal information. In addition, the Regulations impose an obligation on service providers to stop collection and use of personal information after the requested service is terminated, and to provide their customers with a 'right to be forgotten'. The MIIT Regulations also set out detailed data security requirements.
It should be noted that the legal definition of "Internet information services" is very broad in China. According to the latest Telecommunication Business Classification Catalogue issued by MIIT in May 2013, this term covers activities via the Internet which conduct publication and dissemination of information (e.g. news websites, bulletin board systems, app stores), information search and inquiries (e.g. search engines), social media platforms, spontaneous information exchanges (e.g. VoIP or Video over IP), and information protection and processing (e.g. cloud based anti-virus solutions). This broad definition means that almost all major internet-based business models will be caught by the Regulations.
Another major data protection related development has taken place in the consumer protection area. The NPC revised the Consumer Protection Act (Act) in October 2013, and the revision took effect on 15 March 2014. The amended Act extends consumer protection to cover the protection of personal information (including name and image) and the right to privacy. The Act outlines the following principles of personal information protection:
- the collection and use of consumers' personal information shall be "legitimate, proper and necessary" and shall not violate laws and regulations or agreements between the parties;
- the purpose, method, scope and related rules of information collection and use shall be disclosed and consented to by the data subject prior to the data collection;
- a business operator and its staff shall keep the personal information collected strictly confidential and secure and shall take remedial measures immediately in case of data breach; and
- a business operator shall not spam consumers with electronic information of a commercial nature without the consumer's request or consent, or if expressly requested not to do so.
The wording of the above general principles looks quite close if not identical to that of the NPC Decision, except that it does not differentiate between whether the personal information is in electronic form or not. The same principles were further restated under the Internet Trading Administrative Measure, rolled out on 15 March 2014, by the State Administration for Industry and Commerce (SAIC), which provides more detailed guidelines regarding consumer protection in online transactions.
A striking development in the Act is the introduction of legal sanctions in relation to consumer data breaches. In addition to the normal civil remedies such as compensation or damages, the Act introduces administrative sanctions for consumer data breach cases for the first time in China. These include being ordered to rectify the breach, issuing warnings, confiscation of illegal gains, a fine up to ten times any illegal gain (or up to RMB 500,000 if none) and, in extreme cases, shutting down and de-registering the business.
With the exception of the introduction of specific sanctions for data breaches, the new data protection related legal developments do not go beyond the general principles outlined under the earlier NPC Decision. They do, however, continue to pave the way for further implementation of a substantive data protection framework in China. Although the areas of focus are similar to those dealt with under the EU data protection framework, the Chinese data protection regime as a whole still has a number of China-specific features.
First, there is no systematic approach to data protection regulation and no national data protection law yet. Attempts begun in 2008 to formulate a unified Personal Information Protection Law did not lead to anything. Although the NPC Decision functions as some sort of general framework, it does not provide an equivalent to the European Data Protection Directive. This leads to a complicated data protection regime. The same topic and principle may be addressed by different laws and regulations with different emphases, creating potential conflicts and grey areas. In addition, many areas which are typically of concern in the West, e.g. employee data protection, remain un-regulated in the general context of data protection in China.
The situation becomes even more convoluted when one looks at enforcement. In contrast to more developed jurisdictions, there is not yet a dedicated government agency or regulator dealing with data protection issues. Instead, areas of responsibility are spread across various authorities, e.g. MIIT deals more with technical issues while SAIC only comes into play when consumer protection issues arise. The result tends to be a lack of consistency and even competition between the regulators as to their areas of competence.
These issues are typical of the legal environment in China and they make legal compliance in China a complicated and challenging task. Although, in general, China has less developed data protection laws than many Western countries, the Chinese data protection regime is beginning to show its teeth now that there are specific sanctions for non-compliance. The very broad coverage of existing laws and regulations makes business operations in China vulnerable to potential legal challenges. This is particularly true of consumer-facing and online business models. Certainly all businesses operating in China which process significant amounts of personal data should take note of the current position and of any future developments in order to minimise the risks associated with non-compliance.