China question: How do I create and implement a data privacy framework?

March 10, 2015 | By clpstaff

How can I keep my company's information secure and comply with PRC regulations? How do I manage the information of my business partners, third parties and customers to ensure they are protected?

The law firm perspective

Over the past two and a half years, China has published a raft of laws and regulations concerning data protection, loosely based on the European model. When planning system architectures and business models, companies need to have three main themes in mind: security, collection of personal data and offshoring of data. There is also the need to preserve confidentiality of data which is not personal data, but which consists of commercial secrets. So, underpinning the framework requires imposing contractual obligations on all employees, contractors and business partners to keep information confidential as well as to adhere to all data privacy laws.

Security

Although data breaches may occur, whether through hacking or human error, it is imperative that the company's information systems are protected, through physical and technical means, backed by appropriate training of personnel. Security requirements are set out in the Provisions on the Protection of Personal Information of Telecommunications and Internet Users (工业和信息化部电信和互联网用户个人信息保护规定) (Provisions), which were issued by the Ministry of Industry and Information Technology (MIIT) and went into effect on September 1 2013. This law applies to the collection and use of users' personal information during the provision of telecommunications services and internet information services. In the event of a data breach that is “likely to cause serious consequences”, there is a requirement to report the breach to the Telecommunications Administrators (which may lead to intervention and sanction).

Collection of personal information


The regulation of personal data is defined at the point of collection, generally by the obtaining of consent from the data subject. Article 4 of the Provisions defines users' personal information as “information that can, individually or in combination with other information, identify a user. This includes the user's name, date of birth, identity document number, address, telephone number, account number, password, the time and place of use of service by the user and other information”. Those covered by the Provisions must formulate rules concerning the collection and use of users' personal information and publish them, not least on their websites.

Collection of personal data should not take place without the users' informed consent. Users should be notified as to the purpose, method and scope of the collection and use of their data, how they may enquire about and correct the data and the consequences of not providing the requested data. Data users subject to the Provisions cannot collect users' personal information which is not required for provision of their services or use the information for a purpose other than the provision of services. This is very restrictive and seems to disallow personal information collection statements which seek consent for additional uses such as marketing or market research.

From February 1 2013, the MIIT issued guidelines of general application to organisations operating in China, which also deal with the collection and use of personal data.
