1. Background of Personal Data Protection in China
Although the draft Personal Data Protection Law, which has been circulating since 2006, appears to have been sidelined and has little prospect of becoming law in the foreseeable future, China has nonetheless been very busy in recent years stepping up the battle against the abuse of personal data from a legislative perspective.
As is well known, China does not have a single comprehensive data protection law, and hence historically many actions that actually relate to personal data protection have been brought under different guises, such as actions for infringement of rights to reputation or rights to image under the General Principles of Civil Law first effective 1 January 1987 (as amended) ("GPCC"). In fact, rights to privacy can be traced back to the People's Republic of China Constitution (the "PRC Constitution"), which treats a citizen's communications (e.g. telephone conversations, letters, emails) as private information. Article 40 of the PRC Constitution stipulates that no organization or individual is permitted to infringe upon, among other things, the confidentiality of a citizen's communications for any reason, except in the case of national security, investigation of a criminal offence, or monitoring by the public security or prosecutorial authorities in accordance with legally-prescribed procedures.
Article 66 of the PRC Telecommunications Regulations ("Telecoms Regulations") effective 25 September 2000 re-iterated over a decade ago the principles of Article 40 of the PRC Constitution with reference to the telecommunications industry,1 using similar language. Article 66 of the Telecoms Regulations provides that the freedom and privacy of communications of lawful users of telecommunications is protected by law. Furthermore, apart from the needs of State security or the investigation of crimes (whereby public security organs or the people's procuratorate can examine the contents of telecommunications in accordance with legally defined procedures), no entity or individual is permitted under any pretext to examine the contents of telecommunications. Operators of telecoms services and their staff must not, without authorisation, disclose to others the contents of information transmitted by users of telecoms services using telecoms networks.2
Until recently, those whose rights to privacy had been infringed were limited to relying on Article 140 of the Opinions of the Supreme People's Court on Several Issues Concerning the Implementation of the General Principles of PRC Civil Code (Trial) ("Supreme Court Opinions"), which provides that "disseminating the privacy of another person" is regarded as damage to that person's right to reputation (rather than as a direct infringement or invasion of privacy), together with various disparate provisions scattered across laws, administrative regulations and other rules relating to areas as diverse as banking, medical services, the protection of minors and HIV-infected persons. Many of the provisions that come closest to general data protection provisions are set out in rules relating to consumer protection, such as the Shanghai Municipality Protection of the Interests of Consumers Regulations effective 1 January 2003.
2. Key Recent Legislative Developments
In terms of employers' data protection obligations towards their employees, the main set of rules is the People's Republic of China Regulations on Employment Service and Employment Management (the "Employment Information Regulations")3 which govern the protection of personal information of employees. Employers in China now have an obligation to maintain the confidentiality of their employees' personal information. According to the Employment Information Regulations, an employer must keep its employees' personal information confidential and must obtain an employee's written consent before making that employee's personal information public.4
The Employment Information Regulations do not clearly define what constitutes the personal information of an employee, and the term itself appears to vary by industry. When we contacted the local Ministry of Human Resources and Social Security in Shanghai for clarification on the issue, according to the official with whom we spoke, there is no generally-applicable statutory definition of the term "personal data", and determining the scope of that term will be left to the discretion of the labour authorities on a case-by-case basis. We note, however, that in late 2011 the Ministry of Industry and Information Technology (the "MIIT") promulgated rules defining "personal information" within the telecoms space (see three paragraphs below), and a set of non-mandatory guidelines (not statutory in nature) were issued in early 2013 to define personal information on computer information systems (see several paragraphs below).
A legislative landmark was achieved when China amended the People's Republic of China Criminal Law (the "Criminal Law") in 2009, such that it is now a criminal offence for "government or private sector employees in the financial, telecommunications, transportation, medical or other such like sectors to sell or otherwise unlawfully provide the personal data that has been obtained by them in the course of performing their work duties to third parties, or for any person to obtain such information by means of this or other unlawful means". This section of the Criminal Law does not provide guidance on how to construe "personal data" or what would constitute the "unlawful provision" of personal data.5 China subsequently went a step further when the People's Republic of China Tortious Liability Law effective 1 July 2010 (the "Tort Law") specifically cited rights to privacy as one of the group of protected personal and property rights on which a tortious claim can be based.
In December 2011, the MIIT, the Chinese internet and telecommunications industry regulator, promulgated the Regulating the Internet Information Service Market Order Several Provisions (the "Internet Information Service Provisions") which became effective on 15 March 2012. The Internet Information Service Provisions apply to entities in China providing information services through the internet (also known as Internet Content Providers or "ICPs") or engaging in related activities, and have a special focus on protecting internet users’ legitimate expectation of privacy from perceived abuses.
The relevant provisions of the Internet Information Service Provisions concern the treatment of "users' personal information", which is defined as "any information associated with a user, which, either independently or when combined with other information, is able to identify such user". Providers caught by the rules are, among other things:
- Prohibited from collecting personal information without the prior consent of the user;
- Required to clearly inform users of the method, content and purpose of collecting personal information;
- Prohibited from collecting personal information other than as is necessary in connection with the product or service provided by them;
- Prohibited from disclosing user personal information to a third party absent the consent of the user, except where laws or administrative regulations provide otherwise; and
- Prohibited from deceiving, misleading or coercing a user into transferring any information that the user has uploaded.
More recently China passed the Guidelines of Personal Information Protection within Information System for Public and Commercial Services on Information Security Technology (the "Guidelines")6, governing the protection of personal information in general.
The Guidelines are intended to regulate all organizations and entities on the protection of personal information (except for government bodies that exercise any public administration function). The Guidelines contain a set of rules and principles for the collection, processing, transfer and deletion of personal information on "computer information systems" (as opposed to other data storage media in hard copy form).7 The Guidelines constitute recommended standards rather than mandatory standards, and a company may choose to adopt the Guidelines in whole or in part. However, they are as close as China currently gets to data protection best practices and hence are worthy of consideration by companies with operations in China, as they give a foretaste of things to come.
Under the Guidelines, personal information is defined very broadly to be "any computer data relating to a specific natural person which can be processed by an information system and which is capable of identifying such natural person, either individually or in conjunction with other information".8 The Guidelines set out two categories of personal information: Sensitive Personal Information (information that, if divulged, may have negative implications for the owner of the information)9 and General Personal Information (everything other than Sensitive Personal Information)10. The collection and use of Sensitive Personal Information requires the owner's express consent, and evidence of such consent must be kept. The collection and use of General Personal Information requires only implied consent (that is, the owner raises no objection to its collection). In either case, express consent is required under these non-mandatory guidelines to transfer any personal information outside of the PRC.11
In parallel to these developments, there has been a notable trend for local legislation such as the Jiangsu Province Information Regulations12 which seems to be designed to fill in the perceived gap in the law left by the failure of the draft Personal Data Protection Law to gain traction.
It is against this background that two additional major pieces of legislation on the collection and use of personal data by network service providers, enterprises, other institutions and even individuals have emerged. It is notable how the emphasis remains very much on regulating the conduct of service providers despite the raft of prior legislation in this regard, suggesting that the problem persists.
3. What Do the Personal Information Provisions and the Network Information Protection Decision Say and Do?
The Provisions on Protection of Personal Information of Telecommunications and Internet Users (the "Personal Information Provisions") were released by the Ministry of Industry and Information Technology, the Internet and telecommunications industry regulator, on 16 July 2013. The Personal Information Provisions will come into force on 1 September 2013. The Personal Information Provisions follow on from a National People's Congress Standing Committee decision, the Decision by the Standing Committee of the National People's Congress on the Strengthening of the Protection of Network Information (the "Network Information Protection Decision"), which came into force on 28 December 2012. In terms of their relationship, the Network Information Protection Decision is a top-down 'helicopter' view that sets out the framework and provides overarching principles with regard to personal data protection. The Personal Information Provisions follow the same principles, but are much more detailed.
The Personal Information Provisions address the collection and use of personal information of individual users (such as passwords, names, dates of birth, addresses, account numbers and so forth) by providers of telecommunications services and internet information services within the People's Republic of China ("Service Providers"). The Personal Information Provisions include standards, security measures and penalties concerning the collection and use of information, and violations in respect thereof, by Service Providers and by third parties engaged to handle the collection and use of such information (i.e. outsourcing).
4. What Obligations Are Imposed with Respect to Personal Data Collection and Use?
The Personal Information Provisions set out a number of security measures regarding collection and use of personal information which Service Providers must adopt to prevent disclosure, damage and loss of personal information. These measures include:
- Limiting the right to access to users' personal information to certain employees only
- Ensuring safe storage
- Maintaining records of staff who handle user information
- Establishing internal policies on data collection and use
- Providing staff training on personal information protection
Service Providers are also required to formulate rules on the collection and use of users' personal information, which must be displayed at their business premises, on their websites, etc. These rules, and the obligations that accompany them, must include the following:
- Not collecting or using personal information without the consent of the user
- Clearly informing the user of the purpose for which the information is being collected or used
- Only collecting/using information that is necessary in order to provide the services
- When collecting/using personal information, not violating any laws or agreements with the user nor using it in a fraudulent, misleading or coercive manner
- Keeping strictly confidential (on the part of Service Providers and their employees) all personal information collected and used during the course of providing services, and not divulging, altering, destroying or selling such information, or unlawfully providing it to third parties
- Monitoring and regulating the performance of third parties engaged to offer marketing, technical and other agency services to users, where those services involve the collection and use of personal information
5. What Are the Penalties for Non-compliance?
It is interesting to compare the punitive provisions for non-compliance as between the Personal Information Provisions and the Network Information Protection Decision. The latter are, in line with the general top-down approach of the Network Information Protection Decision, rather more vague, although they do allude to a right for those parties who suffer a loss as a result of a violation to seek damages:
"For those acts in violation of this decision, punishments such as giving a warning, a fine, confiscation of unlawful income, cancellation of permits or record filings, closing down of websites, prohibitions on the relevant persons in charge from engaging in network service business and so forth will be imposed in accordance with law, as well as records being made in their social creditworthiness files and published; where an act violates public order administration, it shall be dealt with and sanctioned by the public order administration in accordance with law; where a crime is committed, criminal liability shall be pursued in accordance with law. Where other persons' civil law rights and interests are infringed, civil liability shall be assumed [by the infringing party] in accordance with law."
It is not clear whether the Network Information Protection Decision is enough by itself to allow imposition of all these punishments, such as cancellation of permits, or whether further legislation will be needed in this regard. The most common view seems to be that a decision by the Standing Committee of the National People's Congress has the status of a normative document which comes quite low in the legislative hierarchy. The Personal Information Provisions do not mention cancellation of permits at all as a punishment. The Personal Information Provisions are, however, more specific and concrete overall in terms of punishments. The penalties are tied to the Service Providers' level of implementation of rules and security measures. Breach of the Personal Information Provisions may result in a fine of up to RMB 10,000 for failure to formulate or display rules or to set up a mechanism for dealing with user complaints, and fines of between RMB 10,000 and RMB 30,000 for all other breaches. The Personal Information Provisions also refer to potential criminal liability if the activities are found to constitute a crime. Criminal liability for data protection violations is already set out in the Criminal Law, so presumably the reference to criminal liability simply refers back to that.
6. Conclusion: What Are the Practical Implications of the New Rules?
It has been suggested that one of the reasons why the Personal Data Protection Law appears to have been sidelined and has dropped off the legislative calendar is that there was no consensus among key stakeholders as to whether China was ready for, or even needed, a 'full-on' law on data protection. Those who live daily with the very high levels of spam sent to mobile telephones and email accounts (even when filtered) may beg to differ. China's legislative machine appears to have gone into overdrive in recent years in response to the issue, although there seems to be substantial overlap between parts of the legislation. China's decision to enforce the Criminal Law provisions on data protection in certain recent high-profile cases is the clearest indication that China increasingly views data protection as a serious issue.
Why China is issuing so much legislation in this area needs to be seen against the background of a much wider, but closely linked, issue of public discontent with the way in which some Service Providers have handled personal data in the past. The requirement under both the Personal Information Provisions and the Network Information Protection Decision that Service Providers comply with their own contracts with data subjects speaks volumes in this regard: it should be self-evident that, as a matter of basic business ethics, a Service Provider should not violate its own contract with a data subject, but the fact that this now needs to be mandated by law suggests the reality is otherwise. The issue that some data protection specialists would identify with the Personal Information Provisions is the 'lack of teeth': a RMB 30,000 fine is no deterrent at all to a major operator with revenues in the billions of Renminbi. Perhaps one of the purposes of passing the Network Information Protection Decision and the Personal Information Provisions was more to head off public disquiet and discontent than to provide a deterrent that would give Service Providers serious pause for thought, although damage to reputation (as alluded to in the 'name and shame' provisions of the Network Information Protection Decision) may act as a more potent deterrent.
From a compliance perspective, the Personal Information Provisions clearly have important business implications for those who fall within the definition of 'Service Provider'. However, the Network Information Protection Decision in particular has implications for all enterprises that collect data in China, which will henceforth be required to comply with the core principles of "lawfulness, appropriateness and necessity" when collecting personal electronic data of individuals in the course of their business activities. They will also, henceforth, need to specify the method and scope of collection and use, and must now obtain the consent of the data subject from whom the data is collected. That, in itself, is perhaps the single most important and radical change brought about by the recent legislation, and may mean that an adjustment is needed to the data collection model and practices of many foreign-invested businesses in China.