Building a new data protection framework

February 26, 2013 | By clpstaff

Legislation from China's top legislator means that a nationwide legal framework for data protection could soon be a reality. Michael Tan and Sherry Duan consider the effects this will have on international companies

The standing committee of China's top legislator, the National People's Congress (NPC), approved the Decision on Strengthening the Protection of Online Information (关于加强网络信息保护的决定) on December 28 2012. The Decision became effective on the same day and contains only eleven articles. At first glance it does not look like a typical law, but it carries the same legal force because the NPC is the highest state body and legislative house. The Decision stresses the protection of private information online, and the media has reported it as a step forward in data protection. But what impact will this new legislation have on international companies with operations in or connected with China?


Resuming the process

According to statistics from the China Internet Network Information Center (CNNIC), there were about 546 million people using the internet as of January 2013. This accounts for approximately 42.1% of China's population. Such a large customer base contributes to the country's booming internet sector, but legislation has lagged behind industrial development, in particular privacy and data protection. Although provisions exist under the PRC General Principles of the Civil Law (中华人民共和国民法通则) concerning privacy protection and the PRC Criminal Law (中华人民共和国刑法) over offences by staff in special agencies (like government, banks and telecom operators) for illegal disclosures of private information, no systematic legal framework for data protection has been established. There have been various administrative rules from different governmental agencies imposing commitments on data controllers and processors to ensure security, but these rules focus more on protecting state or public interests and less on the protection of private rights attached to information.

This legislative vacuum has allowed data abuse to become rampant in recent years. Widespread spam mail, text messages, harassing calls and personal information mining have raised social concerns and have been a controversial topic in media headlines. Statistics from the CNNIC in 2012 (see figure 1) reflect the difficult situation a Chinese internet user faces when it comes to data protection and the few legal remedies available.

Although the Law on the Protection of Personal Information (Draft) (个人信息保护法 (草案)) was submitted to the State Council in 2008, efforts to establish a nationwide legal framework for data protection subsequently came to a halt. The issuance of the Decision is a sign that the process is resuming.


Data collection and use

Personal information addressed under the Decision refers to “electronic information which can be used to specify the personal identity of a citizen or concerns privacy of a citizen”. This definition is similar to the one found in the German Federal Data Protection Act (BDSG). The principles for collection and use of personal electronic information are also similar to those in the “transparency, legitimate purpose and proportionality” principles of the European Union Data Protection Directive (see figure 2).

The principles and obligations in figure 2 apply to internet service providers, enterprises and institutions. This application scope is broad and has the potential to cover all entities involved in the data collection and processing business. Entities are required to use technical and other necessary means to ensure information security and to take remedial measures immediately when the related information is leaked, damaged or lost. A similar obligation is imposed on government agencies and their staff, who are required to keep confidential, and to refrain from disclosing, altering, damaging, selling or illegally providing to others, any personal electronic information that comes to their knowledge while performing their duties.


Cracking down on data theft

The Decision states that the State protects personal electronic information. It stresses that no organisation or individual shall steal or use other illegal means to acquire the personal electronic information of citizens, nor sell or illegally provide such information to others. Any organisation or individual has the right to report these activities to the competent authorities, who must then handle the matter in a timely manner according to law. The victim may go on to file an action. This merely reiterates what already exists under present laws such as the PRC Tort Liability Law (中华人民共和国侵权责任法) and the Criminal Law.

The Decision also outlines a crackdown on spam messages. It stipulates that no organisation or individual may send electronic information of a commercial nature to fixed-line phones, mobiles or personal e-mail accounts without the consent or request of the recipients, or where the recipients have explicitly declined to receive it. Whenever citizens discover internet information that divulges their personal identity or privacy, or when they are harassed by electronic information of a commercial nature, they have the right to request that the respective internet service provider delete the related information or take other preventative measures. This principle has never before been addressed in national-level legislation, and it corresponds to the driving factor behind the Decision: the desire to curb spam messages and the related abuse of private data.


Tightened user and information control

It is worth noting that the Decision strengthens the system of user identification management. If an internet service operator offers network services such as website access, fixed-line telephone services or mobile services, or provides information dissemination services, the operator must ask its customers to provide real identity information when concluding a service agreement or confirming the provision of services. Such a real-name registration system is not new for mobile and fixed-line services, where it was introduced years ago, but this is the first time it has been extended to the internet sector.

This may be a controversial development for the industry and is a quite unique feature of the Chinese data protection regime. While the Decision stresses the importance of private rights protection and judicial remedies, it also reflects a tendency to rely on administrative power and control to regulate protection. The system becomes even trickier where the Decision pushes responsibility down (see figure 3) to data service operators to strengthen management of the information published by their users.

This tone is in line with the Chinese government's desire to strengthen regulation of the internet sector. It also echoes a United Nations telecommunications conference at the end of 2012, at which China, together with Russia and some other countries, backed the UAE's proposal for a stronger government say in internet affairs. The proposal was strongly opposed by the US. The Decision potentially provides a legal basis for the Chinese authorities to fortify the existing content censorship system in the internet sector, a system that already creates a practical hurdle for international players like Google or Facebook seeking to expand their business in the China market.


Outlook

The few principles laid out by the Decision cannot on their own be used to try data protection cases. They mainly touch upon administrative legal consequences, referring to administrative punishments such as warnings, fines, confiscation of illegal gains, revocation of licences, shutting down of websites and prohibiting relevant personnel from engaging in the internet service business. No details are specified as to how these punishments shall be imposed. From a company compliance perspective, the Decision does not provide detailed guidance for industry players to follow. More importantly, it does not create any new civil remedies for data subjects, nor does it address issues prominent in the West such as cross-border data transfer and employee data protection.

The Decision itself, however, is a pragmatic step forward for data protection legislation in China. According to Article 9 of the PRC Legislation Law (中华人民共和国立法法) promulgated on March 15 2000, the standing committee of the NPC has the power to make decisions regarding matters not yet addressed by formal legislation of the NPC. The Decision will therefore function as a legal basis for the national-level government to create administrative rules regulating these matters according to practical demands. It also provides an upper-level legal basis for the existing administrative rules that already regulate data protection topics. It is foreseeable that various stakeholders will issue detailed administrative regulations to implement the principles in the Decision. Whether these new regulations will create order for the Chinese internet industry or bring further hurdles for businesses remains to be seen. International players with a stake in China should keep a close eye on this legislative trend and be prepared for a potentially more challenging business environment, with more stringent data protection requirements.

Michael Tan and Sherry Duan, Taylor Wessing, Shanghai
