On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.
Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users
The Draft Provisions were formulated in accordance with the Postal Law of the People’s Republic of China, the Measures for the Supervision and Administration of Security of the Postal Industry, and other relevant laws and regulations. The purposes of the Draft Provisions are to (1) strengthen the management of the security of users’ personal information in postal and delivery services, (2) protect the legitimate rights and interests of postal and delivery service users, (3) maintain the safety of postal correspondence and information, and (4) promote the sound development of the postal industry. The Draft Provisions apply to the supervision, administration, operation and use of postal and delivery services in China which involve the security of users’ personal information.
The Draft Provisions first define “personal information of postal and delivery service users” (the “Users’ Information”) as information used in the course of postal and delivery services. This information includes the name, address, ID number, telephone number and company name of the sender (and of the recipient), and the order number, delivery time and item details.
Second, the Draft Provisions set forth a number of general requirements for the protection of Users’ Information. These include:
- Franchised express delivery enterprises must agree to clauses in the franchise agreement which establish safeguards for Users’ Information and specify security responsibilities of the franchisee and franchisor. When a franchisor incurs an information security incident, the franchisee must be required to undertake responsibilities of its own for the incident response;
- A postal or express delivery enterprise must sign a confidentiality agreement with its operational staff to clarify confidentiality obligations in relation to Users’ Information, and must provide continuing training and education to develop the knowledge and skills of its operational staff with respect to the security of Users’ Information;
- A postal or express delivery enterprise must establish a mechanism for handling complaints relating to the security of Users’ Information;
- Whenever a postal or express delivery enterprise is engaged by operators (such as e-commerce operators and TV shopping operators) to provide delivery services, the agreement between the parties must include security clauses for the protection of Users’ Information, which specify the scope of information use, security protection measures for information exchanges and allocation of responsibilities in the event of information security incidents;
- When entrusting a third party to input Users’ Information, a postal or express delivery enterprise must ensure that the third party is qualified to undertake information security safeguards, and must bear responsibility for information security incidents caused by the third party; and
- No postal or express delivery enterprise, or operational staff thereof, may transfer any Users’ Information to any third party without express authorization under law, or without the users’ written consent.
Third, in addition to the foregoing requirements, postal or express delivery enterprises are required to strengthen the management of the security of physical and electronic information appearing on the waybill, for example:
- A postal or express delivery enterprise must strengthen the management of its business and processing locations and physically isolate the user service area from the mail (or express mail) processing and storage sites. To prevent the physical information from being stolen or leaked, non-staff must be strictly forbidden from entering such sites or reading over mail items (or express mails).
- To prevent malicious code from destroying information systems and networks, and to avoid disclosure or alteration of information, postal and express delivery enterprises must install necessary antivirus software and hardware, set up measures to encrypt the delivery of Users’ Information through public networks, and strengthen their management of system passwords and of the security of electronic Users’ Information storage.
Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and (under certain circumstances) even criminal liability.
Provisions on the Reporting and Handling of Security Information in the Postal Sector
The Reporting and Handling Provisions define “security information which should be reported and handled” as emergency and operational information relating to the security of the daily processes of postal or express delivery enterprises. The Reporting and Handling Provisions apply to the reporting and handling of this security information by postal or express delivery enterprises, or by postal administration authorities.
Under the Reporting and Handling Provisions, when Users’ Information has been illegally disclosed, postal or express delivery enterprises are required to report security information without delay to their local postal administration authorities and public security departments. If more than 500 items of Users’ Information have been illegally disclosed, local authorities must report the incident to the provincial postal administration authorities within two hours after they receive the report.
Provisions on the Management of Undeliverable Express Mail Items
The Management Provisions are intended to promote the freedom and privacy of correspondence and to protect the legitimate rights and interests of express delivery clients and their correspondents. The Management Provisions emphasize that, at times when undeliverable express items are held in custody and are being processed, no express delivery information may be misappropriated or illegally provided to others.
The three draft rules contain specific provisions on the protection of personal information in the postal industry. Once promulgated, the rules will have nationwide effect. The promulgation of these rules will likely alleviate problems arising from the misappropriation of personal information that is used in postal and express delivery services. In light of the emergence of markets that trade in personal information in a variety of fields, however, imposing regulations on the handling of personal information solely in the postal sector is insufficient, and regulation is needed in other sectors where opportunities to sell personal information exist. Until an integrated, national Personal Data Protection Act that governs the handling of data protection in all industry sectors is adopted, markets for trading in personal information in China are likely to persist.