On January 11 2018, following a media report that certain mobile phone application software was infringing user privacy, the Ministry of Industry and Information Technology organised talks with three internet companies. The ministry pointed out that all three companies had collected and used users' personal information without fully disclosing to the users the purpose of its use in advance. The three companies must now conduct immediate rectifications to fully protect users' rights to be informed and have a choice regarding the collection and use of their personal information.
On November 1 2015 Amendment IX to the Criminal Law integrated the crimes of "selling and illegally providing personal information of citizens" and "illegal acquisition of personal information of citizens" into "crimes of infringement of citizens' personal information" and specifically broadened the scope of subjects who can commit the infringement. Under this new legislation, these crimes can be committed by both natural persons and units. A unit crime also applies to the person in charge who is directly responsible for the unit and to other directly responsible personnel. The Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Handling Several Issues Concerning the Application of Law in Criminal Cases of Infringement of Citizen's Personal Information (implemented on June 1 2017) further clarifies the scope of what is considered to be 'personal information' by summarising and enumerating methods and incorporating personal movement. Regarding protection of personal information, the standards for determining the crime of infringing citizens' personal information and the applicable sentencing standards are also defined.
According to the Cybersecurity Law (effective as of June 1 2017), internet companies that illegally deal with users' personal information will be ordered by the relevant competent authorities to make corrections. Internet companies may be punished by:
- a single or simultaneous warning;
- confiscation of illegal income; and
- fines of:
  - more than double but less than 10 times the illegal proceeds;
  - more than once but less than 10 times the illegal proceeds;
  - less than Rmb1 million if there is no illegal gain; and
  - between Rmb10,000 and Rmb100,000 for the person directly in charge and other directly liable persons.
If the circumstances are serious, the relevant competent authority may:
- suspend the relevant business;
- suspend the business for rectification; and
- close the website or revoke its relevant business permit or business licence.
In addition, relevant victims may:
- make a claim that the infringing subject cease the infringement;
- request compensation for damages; and
- request an apology and compensation for mental damage according to the Tort Liability Law.
The Information Security Technology Personal Information Security Specification (GB/T 35273-2017, due to be implemented on May 1 2018) is based on the personal information processing lifecycle and security management and sets out a path to solve typical problems. The specification is enacted by referring to international regulations, including:
- the Organisation for Economic Cooperation and Development Privacy Framework;
- the Asia-Pacific Economic Cooperation Privacy Framework;
- the EU General Data Protection Regulation (GDPR);
- the EU-US Privacy Shield Framework;
- the US Consumer Privacy Bill of Rights; and
- other personal information protection legislation, which sets out best practices for enterprises to meet personal information protection requirements.
By its nature, the Personal Information Security Specification is a national recommended standard rather than a mandatory standard. The state encourages enterprises to adopt it voluntarily. Although the specification is not mandatory, it is fundamentally grounded in laws such as Article 111 of the General Rules on the Civil Law of the People's Republic of China (effective as of October 1 2017), which stipulates that:
"The personal information of a natural person shall be protected by laws. Any organization or individual that needs to obtain the personal information of others shall obtain such information pursuant to the law and ensure information security, and may neither illegally collect, use, process or transmit the personal information of others, nor illegally trade, provide or disclose the personal information of others."
It is also based on Article 41 of the Cybersecurity Law, which stipulates that:
"When collecting or using the personal information, network operators shall comply with the principles of legality, justification and necessity, publicize the rules for collection and use, clearly indicate the purposes, methods and scope of the information collection and use, and obtain the consent of those from whom the information is collected."
The establishment of a strict and sound corporate compliance system for collecting and processing personal information is an important safeguard for companies engaging in international business and is highly recommended. Enterprises should pay attention to relevant domestic legislation and to developments in important international markets. Taking the European Union as an example, the GDPR will officially apply to EU countries on May 25 2018. The GDPR is one of the most stringent laws to date in the field of personal information protection, with broad jurisdictional reach and severe punishment. The maximum penalty under the GDPR is €20 million or 4% of a company's annual global revenue, whichever is higher.
From the perspective of the lifecycle and security management of personal information, enterprises should build their own compliance guidelines (eg, a 'red line' and 'green line' for typical problems, tailored to their own circumstances) and cut off the chain of commercial interests, thereby fundamentally eliminating the illegal trade in personal information on the "black industry chain" and bringing common information handling issues into compliance (eg, indefinite storage, over-collection, opt-in boxes checked by default, bundled consent in package agreements, difficulties with deletion and account cancellation, consent that cannot be withdrawn, complaint handling and issues on the fringes of the rules).
A sound management mechanism is necessary, as information compliance is not merely the IT department's business. It is also vital to ensure that the company's decision makers, direct supervisors and responsible personnel are aware of the new privacy laws and technologies.
Enterprises should make corresponding arrangements for, among others:
- personal information protection system construction;
- key department and position setup;
- personnel training;
- access control mechanisms;
- security assessment and auditing systems; and
- security incident handling mechanisms.
For further information on this topic please contact Ying Song, Ma Chenghao or Sharif Hendry at AnJie Law Firm by telephone (+86 10 8567 5988) or email (email@example.com, firstname.lastname@example.org or email@example.com). The AnJie Law Firm website can be accessed at www.anjielaw.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.