How to design a data privacy strategy in China

January 16, 2014 | By clpstaff

A new Decision has boosted the protection of consumer data in China and brought the system closer to international standards. Businesses should revise their data privacy policies to avoid being caught out.

To finish off a busy 12 months in the world of data privacy, the Standing Committee of the National People's Congress (NPC) has issued another Decision that enhances the protection of consumers' personal data and, most importantly, clearly establishes their right to sue businesses that infringe their rights. Passed on October 25 2013 and coming into force on March 15 2014, the provisions have been introduced as part of wider amendments to the PRC Law on the Protection of the Rights and Interests of Consumers (2nd Revision) (中华人民共和国消费者权益保护法 (第二次修正)) (Consumer Protection Law).

Following the NPC's Online Information Decision in late 2012 and the Ministry of Industry and Information Technology's (MIIT's) Provisions on the Protection of Personal Information of Telecommunications and Internet Users (电信和互联网用户个人信息保护规定) (MIIT's Personal Information Provisions), which took effect on September 1 2013, the new Consumer Protection Law rounds out the civil and administrative data privacy landscape in China.

What we have in China now is a data privacy regime that looks and feels much like those of developed jurisdictions such as the EU. There are one or two places where it falls short of international best practice, but the regime is something that simply cannot be ignored. For any international business operating online in China, if you have not yet digested and responded to these changes, now is the time for a complete review of how the personal data of your customers is collected, protected and used.

 

The foundations of data privacy

To understand exactly where the NPC's Decision on Amending the “PRC Law on the Protection of the Rights and Interests of Consumers” (全国人民代表大会常务委员会关于修改《中华人民共和国消费者权益保护法》的决定) (the Amendments to the Consumer Protection Law) fits within the flurry of regulatory and legislative activity in 2013, it is worth looking back briefly at the foundations of the whole data privacy regime in China and how the modern system has been built.

Rights of personal dignity and privacy in personal correspondence for citizens have been part of the PRC Constitution (中华人民共和国宪法) since 1982. These rights were further developed in the PRC General Principles of the Civil Law (中华人民共和国民法通则) in 1986, and, until the introduction of the PRC Tort Liability Law (中华人民共和国侵权责任法) in 2009, it was on the basis of these principles that judges decided civil cases concerning private complaints of abuse of their rights. The rights established in the Civil Law are directed more at protecting the reputation of individual citizens and giving remedy against defamation and libel, but it is in these core civil and constitutional rights that the roots of the modern data privacy regime can be found.

In the mid-2000s, substantial efforts were made by the PRC government to put in place a comprehensive Personal Information Protection Law. A group of experts, led by CASS (the Chinese Academy of Social Sciences) produced a draft PRC Law on the Protection of Personal Information (个人信息保护法 (草案)) that was submitted to the State Council but went no further.

What has happened since then is the development of a regime in a somewhat piecemeal fashion. Nevertheless, the level of activity in recent years demonstrates a clear intention from the PRC government to meet international standards.

 

Building the modern system

The first express recognition of a general civil right of privacy came in the PRC Tort Liability Law in 2009. The Law recognised private rights to (among others) “name, reputation, honour, portrait, privacy…and other rights related to the person or property”. Importantly, it also created the express right for citizens to sue ISPs that infringed those rights.

Also in 2009, the PRC Criminal Law (中华人民共和国刑法) established certain offences relating to illegal disclosures of private information, but this only applies to staff in government or key state-owned or state-controlled entities like banks and telecommunications operators.

On the administrative front, a smattering of rules from different government agencies that had created discrete obligations for some data controllers and processors was generally upgraded and consolidated through regulations – a process that began in 2011. Issued by MIIT, China's regulator in relation to telecoms and technology matters, these regulations established clear administrative liability for what were called “Internet Information Service Providers”, including e-commerce operators and mobile service providers.
