How to design a data privacy strategy in China
January 16, 2014 | BY clpstaff
A new Decision has boosted the protection of consumer data in China and brought the system closer to international standards. Businesses should revise their data privacy policies to avoid being caught out
To finish off a busy 12 months in the world of data privacy, the Standing Committee of National People's Congress (NPC) has issued another Decision that enhances the protection of consumers' personal data and, most importantly, clearly establishes their right to sue businesses that infringe their rights. Passed on October 25 2013 and coming into force on March 15 2014, the provisions have been introduced as part of wider amendments to the PRC Law on the Protection of the Rights and Interests of Consumers (2nd Revision) (中华人民共和国消费者权益保护法 (第二次修正)) (Consumer Protection Law).
Following the NPC's Online Information Decision in late 2012 and the Ministry of Industry and Information Technology's (MIIT's) Provisions on the Protection of Personal Information of Telecommunications and Internet Users (电信和互联网用户个人信息保护规定) (MIIT's Personal Information Provisions), which took effect on September 1 2013, the new Consumer Protection Law rounds out the civil and administrative data privacy landscape in China.
What we have in China now is a data privacy regime that looks and feels much like those of developed jurisdictions such as the EU. There are one or two places where it falls short of international best practice, but the regime is something that simply cannot be ignored. For any international business operating online in China, if you have not yet digested and responded to these changes, now is the time for a complete review of how the personal data of your customers is collected, protected and used.
The foundations of data privacy
To understand exactly where the NPC's Decision on Amending the “PRC Law on the Protection of the Rights and Interests of Consumers” (全国人民代表大会常务委员会关于修改《中华人民共和国消费者权益保护法》的决定) (the Amendments to the Consumer Protection Law) fits within the flurry of regulatory and legislative activity in 2013, it is worth looking back briefly at the foundations of the whole data privacy regime in China and how the modern system has been built.
Rights of personal dignity and privacy in personal correspondence for citizens have been part of the PRC Constitution (中华人民共和国宪法) since 1982. These rights were further developed in the PRC General Principles of the Civil Law (中华人民共和国民法通则) in 1986, and, until the introduction of the PRC Tort Liability Law (中华人民共和国侵权责任法) in 2009, it was on the basis of these principles that judges decided civil cases concerning private complaints of abuse of their rights. The rights established in the Civil Law are directed more at protecting the reputation of individual citizens and giving remedy against defamation and libel, but it is in these core civil and constitutional rights that the roots of the modern data privacy regime can be found.
In the mid-2000s, substantial efforts were made by the PRC government to put in place a comprehensive Personal Information Protection Law. A group of experts, led by CASS (the Chinese Academy of Social Sciences) produced a draft PRC Law on the Protection of Personal Information (个人信息保护法 (草案)) that was submitted to the State Council but went no further.
What has happened since then is the development of a regime in a somewhat piecemeal fashion. Nevertheless, the level of activity in recent years demonstrates a clear intention from the PRC government to meet international standards.
Building the modern system
The first express recognition of a general civil right of privacy came in the PRC Tort Liability Law in 2009. The Law recognised private rights to (among others) “name, reputation, honour, portrait, privacy…and other rights related to the person or property”. Importantly, it also created the express right for citizens to sue ISPs that infringed those rights.
Also in 2009, the PRC Criminal Law (中华人民共和国刑法) established certain offences relating to illegal disclosures of private information, but this only applies to staff in government or key state-owned or state-controlled entities like banks and telecommunications operators.
On the administrative front, a smattering of rules from different government agencies that had created discrete obligations for some data controllers and processors was generally upgraded and consolidated through regulations – a process that began in 2011. Issued by MIIT, China's regulator in relation to telecoms and technology matters, these regulations established clear administrative liability for what were called “Internet Information Service Providers”, including e-commerce operators and mobile service providers.
A statement of intent
With those civil, criminal and administrative building blocks in place, the PRC Government signalled its intention to bring the regime up to scratch when the NPC issued the Decision on Strengthening the Protection of Online Information (全国人大常委会关于加强网络信息保护的决定) (NPC's Online Information Decision) on December 28 2012.
While not law in itself, the Online Information Decision has the force of law and has formed the basis for the subsequent developments in 2013 on the administrative and civil fronts. It also perhaps shows the intention of the Government to revive development of a comprehensive Personal Information Protection Law.
Coming into force on September 1 2013, the Personal Information Provisions build on the NPC's Online Information Decision and represent the culmination of the administrative reforms.
Applying to the collection and processing of data through telecoms and internet services, the Personal Information Provisions encapsulate the core principles of data privacy as set out in the 1980 OECD Guidelines and as expressed in the NPC's Online Information Decision. They are:
• the fundamental requirement of the individual's consent;
• the principle of transparency through the publishing by data controllers of their rules for collecting and using personal data;
• the requirements of necessity such that data controllers are only permitted to collect personal data that is necessary given their activity and is not otherwise excessive; and
• the obligation of security requiring data controllers to have a secure system for collecting and processing information.
Detailed private rights
Against that backdrop, the need for the establishment of corresponding detailed private rights can be seen. The Amendments to the Consumer Protection Law represent a major step forward, at least as far as consumers' relationships with businesses are concerned.
The application of the Amended Consumer Protection Law is broad, covering all businesses that supply goods or services to consumers. Notably, this is broader than just telecoms providers or internet service providers, as regulated by the Personal Information Provisions. While most data collection today is digital and online, the Amended Consumer Protection Law will also apply to traditional customer lists and related data, as may be collected in physical retail outlets, such as supermarkets offering sign-up for loyalty schemes, or points of personal service provision, such as private healthcare providers.
Significantly, the private rights of citizens in terms of their interactions with government itself and other government agencies in China remain unaddressed.
How the rights are framed
In establishing the rights, the Amended Consumer Protection Law provides that consumers shall enjoy respect for “protection of their rights to their names, images, privacy and other personal information”. Beyond that, however, it is also worth noting that the law is framed as creating specific obligations on business operators with civil liability to consumers to follow if those obligations are not met.
As such, the rights of consumers themselves are still not fully developed. For instance, and importantly, the Amended Consumer Protection Law does not establish any rights for consumers to access personal data or to correct personal data held by businesses. There are also no express rights to have personal data deleted.
The obligations on businesses follow the principles applied in the MIIT's Personal Information Provisions, and include requirements that:
• collection and use of any personal data is genuinely necessary;
• full disclosure is given of the purpose, method and scope of collection and use;
• consumer consent is obtained;
• the businesses and their staff keep the personal data strictly confidential;
• the businesses and their staff do not divulge, sell or provide the data illegally to others;
• technical and other measures are taken to ensure the data remains secure and to prevent leakage or loss;
• remedial measures be taken if personal data is leaked or lost; and
• no commercial information is sent to consumers without their consent, or after consumers have expressly refused to receive commercial information.
China's data protection regulations
Liabilities that businesses can accrue for infringing consumers' rights include ceasing infringement, eliminating any ill effects, issuing an apology and compensating the consumer for their losses. Where the reputation of the consumer has been damaged, the business can be ordered to restore that reputation.
Businesses can also be administratively liable for infringement of consumers' rights. Cases will be handled by the Administration for Industry & Commerce (AIC), and penalties include fines of up to 10 times the illegal gains or up to Rmb500,000.
Key definitions
The Amended Consumer Protection Law includes no definition of personal information, and so it will need to be interpreted with reference to other laws, regulations and provisions. This will allow for flexible interpretation by the courts, though guidance is available from a number of other sources. Businesses reviewing or creating their data privacy policies and processes need to be aware of the range of possible definitions, some of which are quite far-reaching.
The NPC's Online Information Decision defines personal data as: “electronic data from which a person's identity can be determined and which relates to their privacy rights”. This is a definition of familiar scope. The MIIT's Personal Information Provisions, however, define personal data more broadly, covering: “any information that relates to a user and that separately or in combination with any other information may be used to identify the user”, and expressly includes specific data such as the time at which and the location from which services are used or received, an important point given the explosion of location-based services.
Yet another definition comes from the Information Security Technical Guidelines for the Protection of Personal Information in Public and Commercial Service Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (Data Protection Guidelines), jointly released in February 2013 by the PRC Standardisation Administration Committee and the PRC General Administration of Quality Supervision, Inspection and Quarantine. The Data Protection Guidelines are only guidelines – they have no binding force and create no rights or liabilities – but they are a further useful guide for businesses creating their own data policies. The Data Protection Guidelines might also indicate the direction of future legislation, particularly a comprehensive Personal Information Protection Law.
In defining personal data, the Data Protection Guidelines distinguish sensitive personal information from personal information, echoing the European Directive. Sensitive personal information is that which could have a negative impact on the person if revealed. Examples include a person's ID number, phone number, race, political views, religion, genetic information or fingerprints. Personal information, meanwhile, is any electronic data that could, on its own or combined with other information, distinguish a natural person.
These distinctions are not reflected in any of the principal regulations, but can assist a business in establishing best practices. For instance, a more conservative position may be taken with sensitive personal data, with the business actively requiring a consumer to be fully informed about the intended collection and use of the data and then having to opt in to consent to that collection and use.
International standards
The first step for any international business is to ensure that it has in place complete data privacy policies, practices and procedures to handle all personal data that it collects and uses in China. There are ambiguities about the interpretation of the Chinese law, but given its increasing scope today a recommended starting point for a business's approach in China should be its approach to personal data collection, use and retention in Europe, where the regime shares many common principles.
Although the Chinese data privacy regime is increasingly comprehensive, there are notable areas of absence from regulation. These include an individual's right to access and correction of the personal data held by another; express provisions regarding the deletion of data (beyond the requirement that collection and use of data must be necessary); and provisions regarding the transfer or processing of data overseas.
The absence of regulations should not stop international businesses from considering these issues, however. Adopting international best practice in China, as elsewhere, is something international businesses should seriously consider: more regulation can only be expected as technology continues to develop and the PRC government maintains its keen interest in these issues.
Tim Smith and Sunshine Jin, Rouse, Beijing