Data privacy in China is governed by a series of laws and regulations, which can be called the "Data Privacy Regime", although there is no dedicated personal information protection law.
The most notable laws and regulations under the Data Privacy Regime include the Decision on Strengthening the Protection of Online Information issued by China's top legislature in 2012; the Provisions on the Protection of Personal Information of Telecommunications and Internet Users issued by the Ministry of Industry and Information Technology (MIIT) in 2013; and the 2014 Revised Law on the Protection of Consumer Rights and Interests.
According to the Data Privacy Regime, "personal information" is rather broadly defined as any information that relates to a person and that, separately or in combination with any other information, may be used to identify the person. The definition expressly includes specific data such as the time at which and the location from which services are used or received, an important point given the explosion of location-based services. The collection and use of personal information is allowed subject to certain requirements, including without limitation:
- Collection and use of any personal information should be in a lawful and proper manner by following the principle of necessity;
- Full disclosure is given of the purpose, method and scope of the collection and use;
- Prior consent should be obtained where the personal information is collected or used;
- Personal information must be kept secure and confidential; and
- Remedial measures must be taken where personal information may be leaked or lost.
Liabilities that businesses can accrue for infringing consumers’ rights generally include ceasing the infringement, eliminating any ill effects, issuing an apology and compensating the consumer for their losses. Where the reputation of the consumer has been damaged, the business can be ordered to restore that reputation. Businesses can also be administratively liable for infringement of consumers’ rights. Cases will be handled by the Administration for Industry & Commerce (AIC), and penalties include fines of up to ten times the illegal gains or up to CNY500,000 (about US$78,000).
Although the Chinese data privacy regime is increasingly comprehensive, there are notable areas absent from the regulations. These include an individual’s right to access and correct the personal data held by another; explicit provisions regarding the deletion of data (beyond the requirement that collection and use of data must be ‘necessary’); provisions regarding the transfer or processing of data overseas; and the validity and effect of user agreements.
The absence of regulations should not stop international businesses from considering these issues, though. International businesses should seriously consider adopting international best practice in China as elsewhere, as we can only expect more regulation to come given the continued development of these issues, driven by the progress of technology and the accompanying keen interest from the PRC Government.