China’s first national standard for the protection of personal information, the Information Security Technology – Guidance for Personal Information Protection ("Guidance"), became effective on February 1, 2013. This alert explains how the Guidance clarifies Chinese information protection law and what that means for companies operating in China.
China has no comprehensive national data protection law. The country’s information protection regime consists of a patchwork of sector-specific laws and guidelines, stand-alone provisions in broader laws, and regional laws. The Guidance was prepared under China’s national standardization system, and is only a voluntary guideline that lacks the force of law.
The Standardization Administration has not released the official text of the Guidance yet. This alert is based on Chinese media articles and copies of the Guidance posted on local government websites.
WHAT IS PERSONAL INFORMATION?
According to the Guidance, personal information is information on an information system (i.e. computer information system) associated with a specific individual that can be used to identify that individual ("personal information subject"). The Guidance separates personal information into two categories:
- "General personal information" is broadly described as all personal information outside of sensitive personal information.
- "Sensitive personal information" refers to information that, if disclosed or modified, could have adverse effects on the personal information subject. Examples include ID card numbers, mobile phone numbers, race, political views, religious beliefs, genes, and fingerprints.
WHAT IS CONSENT?
The Guidance provides that either tacit or express consent should be obtained from the personal information subject before handling personal information.
- "Tacit consent" is given when the personal information subject does not explicitly oppose the collection of their personal information.
- "Express consent" is given when the personal information subject expressly grants their consent. Express consent must be obtained before the collection of sensitive personal information.
WHO HANDLES PERSONAL INFORMATION?
The Guidance defines the parties involved in the protection of personal information on information systems. These include the personal information subject, the personal information administrator, the personal information receiver, and independent evaluation agencies. Personal information administrators and receivers are defined as follows:
- "Personal information administrators" are organizations and institutions that decide the purpose and method of handling personal information, actually control the personal information, and use an information system to handle the personal information.
- "Personal information receivers" are individuals, organizations or institutions that obtain personal information from an information system, and handle the personal information in accordance with the consent of the personal information subject.
HOW SHOULD COMPANIES HANDLE PERSONAL INFORMATION?
The Guidance divides the handling of personal information into four stages (collection, processing, transfer, and deletion) and stipulates how companies should handle each stage. For example:
- Collection: Personal information subjects should be explicitly notified and warned of several issues prior to the collection of their personal information. These include but are not limited to the purpose of handling the personal information, the contact information of the personal information administrator, and potential risks for the personal information subject after they provide personal information.
- Processing: During processing, personal information should not be disclosed to other individuals, organizations, and institutions without express consent from the personal information subject.
- Transfer: Personal information administrators may not transfer personal information to personal information receivers outside China (including individuals outside China or organizations and institutions registered outside China) without the express consent of the personal information subject, authorization under explicit provisions in law or regulations, or consent from governing authorities.
- Deletion: Once the purpose of handling personal information is achieved, such information should be deleted immediately. If further handling is needed, the content that can identify the specific individual should be deleted first (i.e. the information should be anonymized). If further handling of sensitive personal information is needed, express consent from the personal information subject is required.
In addition to handling procedures, the Guidance includes eight basic principles that personal information administrators should follow. The principles include having a specific and reasonable purpose for handling personal information, and only handling the minimum amount of information which is sufficient for such purpose.
HOW DOES THE GUIDANCE IMPACT COMPANIES IN CHINA?
Companies operating in China are not legally required to implement the Guidance. Nonetheless, companies should re-examine their privacy policies and agreements in accordance with the Guidance and consider their information protection measures from two perspectives:
- Consider the risk: China lacks a comprehensive data privacy law, but companies may still be liable for privacy violations. China’s Tort Law includes the right to privacy in its definition of civil rights and interests. Infringing such right makes any violator liable for damages in accordance with the Law. The 2009 Amendment to the Criminal Law includes criminal punishment for private organizations, their employees and "responsible persons in charge" that sell or illegally provide personal information to others. Companies should weigh these potential risks against the burden of harmonizing information protection policies with the Guidance.
- Plan proactively: Previous attempts at passing national information protection laws have failed in China, but recent developments suggest a government push for information protection. On December 28, 2012, the Standing Committee of the National People's Congress passed the Decision on Strengthening the Protection of Online Information ("Decision"). The Decision mainly focuses on network service providers, but also provides broader protection for online personal information.
It is impossible to know whether the Guidance is an experimental shift forward or a temporary stop-gap measure. Regardless, companies should take action to proactively guard against the risks and strategically position themselves for future legislation. Implementing all or part of the Guidance could be a positive step in this regard.