The PRC State Administration of Industry and Commerce (“SAIC”) recently issued Measures for Penalties for Infringing Upon the Rights and Interest of the Consumers (“Measures”). The Measures are a further indication that China is taking data privacy seriously; they interpret and enhance China’s relatively new Consumer Rights Law (2014) and provide further clarity on definitions and scope, as well as the penalties that may be imposed for failure to comply.
As it relates to privacy rights, the Consumer Rights Law requires business operators in China to:
- State the purpose, method, scope, and rules of collection of personal information of consumers;
- Keep personal information of consumers confidential and not disclose, sell, or illegally provide this to others;
- Have mechanisms in place to ensure the security of information collected; and
- Not send unsolicited communications to consumers.
However, there is no definition of “personal information” under the Consumer Rights Law. Now, under Article 11 of the Measures, “personal information” is defined as a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, information on income and assets, health status, consumption habits, and other information collected by business operators during their provision of goods or services that may independently, or in combination with other information, identify the consumer. Both the Measures and Consumer Rights Law are silent on the definition of “business operator,” although in the PRC AntiUnfair Competition Law, this is defined as “a legal person or any other economic organization or individual engaged in commodities marketing or profitmaking services,” which is very broad.
Failure to comply with the Consumer Protection Law can result in: confiscation of illegal gains; fines of between one and 10 times the amount of any illegal gain; if there has been no illegal gain, a fine of up to RMB 500,000 (approximately US $80,000); suspension of business operations; or, in serious circumstances, revocation of business license and the right to do business.
Tip: While the overall regime on data privacy in China remains fragmented and is enshrined in various different regulations issued by different regulatory authorities, the Measures are helpful regarding consumerfacing issues and indicate how some data privacy items may be defined and interpreted in other contexts.