Prospects for a Personal Information Protection Law

Given the borderless nature of the way in which information flows, issues arising from personal information protection law are often multi-jurisdictional. Typically, the way in which laws from several states, or several nations, affect personal information must be considered all at once and in relation to one another. Personal information protection laws are already in place in Europe, Australia, Japan, Canada and other jurisdictions, including Hong Kong.

Flows of information, particularly over the Internet and other electronic means, have become essential features of today's global economy. The main challenge in implementing a personal information protection law is to create a framework that safeguards individuals from harm through the misuse of personal information, but also does not overly stifle economic activity dependent on such information flows. This is also the case in China, with additional challenges within the context of China's historic and on-going re-opening to the world. Whether and to what extent to allow personal information to enter China, to be processed in China, and to be transferred to places outside of China, is an important element in China's national policy.

The content and direction of an eventual Chinese personal information protection law could have significant implications for China's potential as a destination for the international flow of information. It could also significantly affect the Chinese economy, such as whether Chinese enterprises will be able to present information-intensive outsourcing proposals that are competitive in the rest of the world, or whether Chinese banks and credit card issuers will be able to offer financial products and services that are competitive with those of foreign banks.

Multinational companies with operations in China are by no means immune to the effects of the enactment of such a law. Its passage will directly affect corporations with data processing functions in China by imposing regulatory requirements on how that data processing may proceed, and whether the same information may be transferred to other destinations outside of China and be processed there. Moreover, data processing functions in China are already affected by the question, determined under the European personal information protection law [EU Directive] and the personal information protection legislation of other countries, of whether personal information from other countries may be transferred to China for processing there.

The EU Directive is particularly important. A key aspect of this law is that it imposes special restrictions on data transfers to a non-EU country determined by whether an “adequate level” of data protection exists in the recipient country. Given that data transfers nowadays routinely take place across borders in many different ways [including for purposes of operation of a worldwide human resources database, for purposes of outsourcing, or for purposes of research, marketing and other functions], overly onerous restrictions on international data transfers can threaten a business organisation's informational life blood.¹

ISSUES PRESENTED BY THE 2005 DRAFT

The following issues would be of great concern to data users and processors in China if the 2005 draft personal information protection law were to be passed in exactly the form in which it was published in October 2006:

Registration. The 2005 draft required that all users of personal information, whether governmental authorities or private sector users, register with agencies in charge of information resources [Articles 12 and 36]. The registration requirement presents a significant issue. As an illustration, private sector data users would be required to disclose by way of registration the purpose of their use of the personal information, the main content of the personal information, the method by which the personal information was collected, and most importantly, the security protection measures for the personal information [Article 36]. If each and every private sector data user duly complied with this registration requirement, it would impose significant burdens on private companies that would have to register their data processing with a data protection authority.

Restrictions on outbound data transfers. The 2005 draft permits Chinese government agencies in charge of information resources to impose restrictions on the conduct of cross-border transfers of personal information by private sector users in instances [among others] where the country or area which receives the personal information “cannot give sufficient legal protection towards the personal information” [Article 48]. The standard of what constitutes “sufficient legal protection” is not defined. The standard would be determined later, perhaps by implementing regulations or by regulations promulgated by the regulatory authority that is given the mandate to interpret and enforce the law. In any case, no standard is provided now, and the eventual standard could well impede transfers of data to destinations outside of China.

Regulatory authority. The draft law refers to “government agencies in charge of information resources” without defining which ministry, commission or agency this will be. As has been the case with other laws in China in the past, which agency receives the mandate for implementing and enforcing the law could have a significant impact on how it is administered in practice. Also as with other laws in the past, a lack of clarity on this point could foster rivalries and tensions among different Chinese ministries, commissions and agencies over which should be the proper one to interpret and enforce the law.

ISSUES FACED BY DRAFTERS OF THE LEGISLATION

The following are some of the issues that have been identified or discussed during a consultative dialogue involving the drafters of the new law. The decisions of China's lawmakers on these issues will determine a lot of the final shape and content of the eventual Chinese personal information protection law.

Registration. It was made very clear to the Chinese lawmakers during the consultative dialogue that a registration requirement not only imposes risks on data users and data subjects [the individuals to whom the personal information pertains]; it in fact also burdens business while bringing no benefit to attaining the goal of protecting personal information.

Purpose. Personal information protection laws in the West are sometimes based on a philosophical or cultural concept of privacy derived from historical and cultural circumstances. Individualistic concepts of privacy rooted in Western traditions may not transfer well into China's more community-oriented culture. In order to transplant genuine Western legal principles of personal information protection, Western cultural concepts of privacy would first have to be adopted by the Chinese – but this of course is not likely to happen any time soon. On the other hand, China does not necessarily have to adopt the entirety of Western legal and cultural concepts of privacy – it could instead separate the concept of personal information protection law from privacy law, and enact a personal information protection law that solely performs a consumer protection function, without having to emulate Western concepts of privacy.

What degree of regulation to pursue. One objective for lawmakers will be to enact a personal information protection law that protects consumers without stifling economic growth or innovation. The existing draft law is perhaps too heavy on regulation and could stifle growth, and drafters of the new law may decide to invest the time and effort in learning and understanding other models that are less heavy on regulation, before actually enacting a law.

Adequacy finding under the EU Directive. Another objective may be to achieve a finding by the EU that an “adequate level” of data protection exists in China. If this were to be achieved, transfers of personal information to China from the EU would be subject to much fewer restrictions. In practice, it may be hard to achieve this. Only a few countries [such as Canada, Argentina, and the US safe harbor system] have achieved “adequacy” findings by the EU.² An alternative, and more sensible, objective may be to achieve interoperability with the legal regimes of other nations, in such a fashion that as a practical matter personal information can be transferred into China for processing there, and out of China for processing elsewhere.

Possible central-level regulatory authority. The question of which ministry, commission or agency receives the mandate for implementing and enforcing the law may be answered by establishing an entirely new, central-level agency to hold this mandate. If so, additional concerns may arise, such as whether the new, central-level agency will have sufficient resources to be able to attend to all matters arising from databases everywhere in China, and whether the law will actually be implemented and enforced by this central agency itself or by branch offices at provincial levels. While provincial enforcement is currently the norm in China [for example, in the context of environmental laws], the borderless nature of information flows may recommend a departure from this norm.

TIMELINE FOR THE NEW LAW

It is not entirely impossible that a new personal information protection law will be passed next year. It is also a strong possibility that it may actually take a few years before one is enacted, and it is understandable that drafters would want to take more time to enact a law.

There is a possibility, though, that the draft law is to be “enlisted” next year, placing it onto the legislative agenda of the Standing Committee of the National People's Congress, which would take place before it can be “enacted.” After being enlisted, the law must go through several readings before a final version is prepared and presented to the Standing Committee – or, if deemed appropriate, the full National People's Congress. For a law as complex and abstract as a personal information protection law, there is a prospect of the law requiring a few years to wind its way through this process.

Still, there is a possibility that the law could be enacted swiftly, particularly if there is a strong consensus about the law. Laws and regulations can be enacted in China through any one of several channels. In this instance, besides the National People's Congress, the State Council could enact an “administrative regulation” governing personal information protection at any time before the National People's Congress or its Standing Committee does so. And the Standing Committee could, despite its internal process of conducting several readings, move more quickly if it sensed urgency in the need for a new personal information protection law in China.

There could be pressures both ways. There could be a desire to “get it right,” to take the time necessary to pass a law that serves the role of providing information security while also permitting innovation and growth. However, time-consuming study and analysis would be required before such a law could be arrived at. At the same time, there could be pressure to do something soon, because the rapid changes and advances in the Chinese economy have created a need for an earlier enactment of a personal information protection law. While some might want to move slowly and take five years to enact a law that “gets it right,” there is an open question as to whether the demands of rapid economic growth leave China with an extra five years to spare on the matter.

About the author

Manuel E. Maisog is a partner at the U.S. – based law firm of Hunton & Williams, and Chief Representative of its Beijing office. Hunton & Williams is a full-service international law firm that is known for (among other things) its leading data protection and privacy practice. The firm and its Center for Information Policy Leadership have, over the past two years, participated in a dialogue with experts in China on issues surrounding the preparation of a personal information protection law. The dialogue continues today.

Endnotes

1 Christopher Kuner, European Data Protection Law ¡ì 4.01 et seq. [Oxford University Press 2d ed. 2007].

2 Christopher Kuner, European Data Protection Law ¡ì 4.48 et seq. [Oxford University Press 2d ed. 2007].