Progress on privacy

September 10, 2013 | By clpstaff

New rules on data privacy come into effect on September 1. Even businesses with global privacy policies will need to check that their guidelines comply with China's unique take on data privacy.

September 1 2013 will mark an important milestone for China in the development of its data privacy laws. Conventional wisdom has been that there is very little regulation of data privacy in China to be concerned about. The past two years have forced a re-examination of this understanding, and the Provisions on the Protection of Personal Information of Telecommunications and Internet Users (电信和互联网用户个人信息保护规定) (Personal Information Provisions) coming into force on September 1 represent a culmination of gradual reforms which will, in relation to the collection and processing of data through telecommunications and internet services, see China's data privacy standards become comparable to international ones.

China's progress towards international standards in data privacy regulation has been slow but deliberate. The Ministry of Industry and Information Technology (MIIT), China's regulator in relation to telecommunications and technology matters, had previously issued rules in this area, but never with comprehensive scope. The promulgation on December 28 2012 by the Standing Committee of the National People's Congress of the Decision on Strengthening the Protection of Online Information (全国人民代表大会常务委员会关于加强网络信息保护的决定) (Online Information Decision) was an important signal of intent which has now been given more detailed expression in the Personal Information Provisions.


Application of the Provisions

The Personal Information Provisions define personal information as “information relating to individuals collected by service providers … including names, dates of birth, identity card numbers, addresses, telephone numbers, account numbers, passwords and other information that could be used, either independently or when combined with other information, to identify the individual to which the information relates.” Log details, such as the time and location of service use, are also characterised as personal information, meaning that the MIIT is very likely seeking to regulate more subtle uses of personal data, such as online behavioural advertising.

In principle, the Personal Information Provisions only apply to the collection and use of personal information by telecommunications services operators and internet information service providers. However, the latter category is very broad and could be interpreted to include any entity that “provides information through the internet to web users,” catching a wide range of informational websites, e-commerce, social media and communications platforms. This potential breadth of application makes it very difficult to characterise the Personal Information Provisions as simply being telecommunications industry regulation. It is a new, binding data privacy law which will have an important impact across a wide range of businesses in China.


Requirements

The Personal Information Provisions broadly track the privacy principles set out in the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD Principles), the guidelines forming the framework for European Directive 95/46 and for many of the data privacy laws emerging in the Asia region. These key principles are:

Principle of voluntariness

The Personal Information Provisions require that service providers seek individuals' consent to the collection and use of personal information. Coupled with a notification requirement, it is clear that consent to personal information collection must be fair, fully informed and voluntary in order to be compliant. The Personal Information Provisions do not specify whether consent must be express by way of opt-in or whether an opt-out mechanism is acceptable. It is noteworthy that the voluntary Personal Information Guideline draws a distinction on this issue, prescribing that an opt-in is required for collection of sensitive information (of which identity card numbers, telephone numbers, biometric information and religious affiliations are given as examples), whereas an opt-out would suffice in relation to the collection of general personal information.

Principle of transparency

The Online Information Decision has a general requirement that service providers disclose their rules for collecting and using personal information, a move which would bring Chinese websites in line with their counterparts in Europe and other jurisdictions where the OECD Principles have been enshrined. The Personal Information Provisions require that service providers make adequate disclosure of: the protocols for the collection and use of personal information; the purpose, method and scope of collection; the channels available for viewing and updating personal information; the consequences users face should they decline to provide the personal information being requested; and the protocols for dealing with users' reports of misuse of personal information. The Personal Information Guideline suggests that these protocols be written in a clear and reader-friendly manner to facilitate users' reading and understanding.

Principle of necessity

The Online Information Decision brought forward a principle of necessity for the collection of personal information. Service providers must not collect personal information that is excessive given the purposes of collection. The Personal Information Provisions also provide that, once a user ceases to receive the relevant service, service providers are required to stop collecting and using that user's personal information and to assist the user in deleting their account, should the user choose to do so.

Principle of security

The Online Information Decision requires that service providers maintain a secure system for collecting and processing personal information. The Personal Information Provisions go into greater detail as to the types of security measures that must be applied to data processing. These measures include: clear internal allocation of administrative responsibility for security; management systems and security protocols for the collection and processing of personal information; supervision and management of third-party processors; and the installation of proper security programs such as firewall and anti-virus software.

It is noteworthy that the Personal Information Provisions give the MIIT (or its local counterparts) rights of inspection at service providers' operations to assess the adequacy of their security arrangements.

In some respects, the Personal Information Provisions are even more specific in setting down internal policy requirements for handling personal data than other data privacy regimes based on the OECD Principles, making the preparation of written policies for handling personal information critical to compliance.


Practical points for compliance

The Personal Information Provisions will affect various business sectors in China. Obviously, online businesses such as e-commerce and social media service providers are governed by this regulation. Other businesses with an online presence in China, such as online insurance, financial services and medical services, will also be affected by this regulation in a number of significant ways. For businesses with both an online and an offline presence, compliance by the online component of the business with the Personal Information Provisions may, in practical terms, raise the offline business to the same standard. The principles reflected in the Personal Information Provisions may, therefore, become reference standards in cases where personal information is collected and used offline, broadening the impact of the Personal Information Provisions beyond telecommunications and internet businesses.

Many of the requirements noted above will be familiar to businesses with web pages and online services operating in Europe and America. For multinational businesses, much of the compliance exercise may prove to be a task of bringing the China business's practices in line with practices applied by the business elsewhere in the world. There are certain areas, however, where the Personal Information Provisions, whether on their own or in conjunction with other relevant Chinese laws and regulations, impose requirements which are above and beyond those typically seen elsewhere.


Opt-in requirements

Direct marketing emails in China are already subject to strict opt-in consent requirements under the Standing Committee of the National People's Congress, Measures for the Administration of Internet Electronic Mail Services (信息产业部互联网电子邮件服务管理办法), implemented in 2006.

Processing more generally is now subject to consent requirements under the Personal Information Provisions, although it is not clear whether an opt-in or opt-out standard will apply.


Regulation of the processing of log details

The reference to log details in the definition of personal information signals an intention to regulate the use of mobile location data, page views and other information which is proving to be increasingly important and valuable to e-commerce businesses, advertisers and others commercialising personal data collected from online and mobile sources.

As is the case in other jurisdictions, there will be some debate as to whether or not this information is necessarily personally identifiable information (i.e., information from which it is possible to identify an individual). For example, the information collected by cookies may or may not be linkable to a specific individual. In some jurisdictions, cookies are separately regulated. In China, this is not the case, and so it may be that the Personal Information Provisions are being positioned to regulate beyond the four corners of personally identifiable information.

The inclusion of log details in the scope of personal information may reflect recent complaints that mobile apps collect personal location and other behavioural information without notifying users. This is not yet the case in China, but it remains to be seen whether or not the Personal Information Provisions are implicitly seeking to do so.

The key point for e-commerce businesses, social media and other online businesses which rely heavily on personal data for their business models is to make sure that they have published policies which adequately explain the types of personal data being processed and the manner and purpose for which it is processed.


Response procedure

While data privacy laws following the OECD Principles typically provide an explicit right for data subjects to access their personal information, the Personal Information Provisions oblige service providers to respond to reports of misuse of personal information within 15 days. This requirement will necessitate that service providers have adequate procedures in place to track and respond to requests in the required timeframe.


Data security breach notification

Few jurisdictions have as yet adopted mandatory data breach notification procedures, although many countries adopting OECD Principles based laws have voluntary or recommended codes of practice in the area. In this respect, China has leapt ahead with a requirement that where serious consequences may result from a data security breach, the service provider must notify the MIIT or its local counterpart and cooperate with other regulators as needed.


Secure processing requirements

As noted above, the Personal Information Provisions go farther than most data privacy regimes in specifying the internal processes service providers must implement to ensure compliance with the requirements of the Personal Information Provisions. In this respect, the Personal Information Provisions require businesses to make sure that their published privacy policies are backed up by concrete measures. Formal written compliance policies are highly recommended for businesses caught by the new regulation. Given that the MIIT has broad powers to inspect service providers for compliance, it is all the more essential to have effective written policies in place and make sure that these are being adhered to.


Consequences of non-compliance

The Personal Information Provisions provide for penalties for non-compliance, although these can only be described as being comparatively light:

(1) Service providers failing to publish protocols for collection and use of personal information or failing to report misuse of personal information may be subject to a fine of up to Rmb10,000 ($1,650).

(2) Service providers failing to obtain consent to the collection of personal information, misusing personal information, or failing to implement proper measures for protecting personal information face fines ranging from Rmb10,000 to Rmb30,000.

The Personal Information Provisions refer to the fact that prosecution is possible where a breach of the regulation constitutes a crime.

Equally important, Chinese authorities can be expected to rely on the threat of adverse publicity to make their point. Article 20 of the Personal Information Provisions calls for the MIIT to log and publish details of incidents of non-compliance with the regulation. The Privacy Commissioner for Personal Data in Hong Kong has become very effective in using adverse publicity as a tool to push businesses to comply with the law. It seems likely that the MIIT will do the same.

The Personal Information Provisions mark an important step forward for data privacy regulation in China. Superficially, the change in the law will be most evident in the data privacy policies which online businesses will be obliged to publish on their web sites from September 1. However, the regulation goes much further than this, calling for a change in the culture of compliance in relation to data privacy that will force businesses with an online presence to develop and enforce internal policies and procedures that ensure that the published rules are adhered to.

Mark Parsons and Yang Xun, Freshfields Bruckhaus Deringer, Hong Kong

This premium content is reserved for China Law & Practice subscribers.