Why information security must be prioritised


October 14, 2015

This article is from the Data Protection chapter of the 2015 Annual Review and is available for download here.

Ken Dai and Jet Deng of Dacheng Law Offices explain the various regulations governing personal information and how companies can comply with data collection and protection laws

1. What have been the key legislative developments affecting data protection over the past 12 months?

In 2014, various departments issued new provisions on data protection in the form of administrative measures, drafts and judicial interpretations. Among them were the Measures for the Administration of Online Trading (Measures), adopted at an administrative affairs meeting of the State Administration for Industry and Commerce (SAIC) and implemented from March 15 2014. The Measures regulate the collection, storage and use of consumers' personal information, and of business operators' trade secret information, by online product dealers, relevant service providers and their working personnel in the course of business activities.

The Provisions on Several Issues Concerning the Application of the Law in the Trial of Civil Dispute Cases Involving the Use of Information Networks to Infringe Personal Rights and Interests, implemented from October 10 2014, specify the scope of personal information and provide that an online user or service provider who uses a network to disclose personal information of a natural person falling within that scope is required to bear liability for infringement. This judicial interpretation improves upon the Provisions on the Protection of Personal Information of Telecommunications and Internet Users, promulgated by the Ministry of Industry and Information Technology in 2013, which failed to define the term “personal information”.

It should be noted that the solicitation of comments on the PRC Network Security Law (Draft) began on July 6 2015. Once adopted, the law will increase the regulation of online information security and clarify which entities bear legal liability and what the consequences are. Furthermore, the Provisions for the Administration of the Security of the Personal Information of Mail and Courier Service Users, issued by the State Post Bureau on March 26 2014, set forth in detail the obligation of postal enterprises and courier service enterprises to protect the personal information of users.

2. How has the e-commerce industry adapted to these changes?

The e-commerce industry will inevitably be directly affected by the Measures for the Administration of Online Trading. With new forms of online trading constantly springing up, the Tentative Measures for the Administration of Online Commodity Transactions and Related Services promulgated by the SAIC in May 2015 are already incapable of meeting market requirements. The Measures expressly specify that online product dealers, relevant service providers and their working personnel are required to observe the principles of lawfulness, legitimacy and necessity when collecting information, and that the objectives, methods and scope of collection and use must be disclosed to, and consented to by, those whose information is being collected. They have an obligation to maintain the confidentiality of personal information and trade secrets, and may not disclose them without authorisation. Furthermore, with a view to better avoiding and resolving issues that arise during online trading, the Measures specify that natural persons who engage in the online trading of goods are required to carry out their business activities through a third-party trading platform and to provide their genuine identity information to the platform, such as their names, addresses, valid proof of identity and contact information. The third-party trading platform has the obligation to store such personal identity information in an intact and secure manner.

3. What are the specific national laws that regulate personal data collection and use? What types of data are regulated?

In addition to the Measures, the Provisions on the Protection of Personal Information of Telecommunications and Internet Users and the Supreme People's Court's Provisions on Several Issues Concerning the Application of the Law in the Trial of Civil Dispute Cases Involving the Use of Information Networks to Infringe Personal Rights and Interests regulate the collection of personal information in telecommunications, on the internet and in online transactions, and specify the scope of personal information. China has yet to issue a Personal Information Protection Law. However, legal provisions on the collection of personal information can be found in various other laws, e.g. the Criminal Law, the Tort Liability Law and the Law on Commercial Banks. Once the Network Security Law is adopted and promulgated, it will comprehensively regulate the collection and use of personal information on the internet and specify the liable entities and the penalties.

According to the judicial interpretation promulgated by the Supreme People's Court, personal information subject to protection refers to private information of natural persons such as their genetic information, medical history, physical examination results, criminal record, home address, private activities or other personal information. Furthermore, the judicial interpretation also sets forth five exceptions under which the disclosure of private information is permissible, such as where it promotes the public good and is done within the specified scope, or where the information has been obtained through a lawful channel.

4. What dispute mechanisms are available to victims of private information misappropriation? How should companies prepare?

If personal information has been infringed, relief can be obtained through civil proceedings, an administrative report or a criminal report. A typical example of dispute resolution through a civil action after infringement of personal information is the much-discussed “20 million check-in record case” tried by the People's Court of Pudong New Area, Shanghai, in which the plaintiff took a hotel to court on the grounds that the hotel's check-in information had been leaked and that the hotel had thereby infringed his right to privacy. Alternatively, an injured party may request, through an administrative or criminal report, that the law enforcement authority or the industry regulator conduct an investigation. The authority then ascertains whether the reported party has violated the relevant administrative regulations of the industry or the criminal law.

In a legal action, the person whose personal information or privacy was infringed bears the burden of proof. However, the enterprise, as the defendant, can also actively adduce evidence that it has not committed infringement. This requires the enterprise to routinely keep complete records, train its personnel, keep system security logs, etc., so that it can show that it did not improperly use the natural person's personal information.

5. What are the biggest cases from the past year that reflect the importance of data privacy?

The “20 million check-in record case” was one of the important data leakage cases of 2014. A huge amount of sensitive data was leaked in the case, and the trial process and the judgment rendered were closely watched. The case began in October 2013 with the online release of 20 million hotel check-in records containing personal information. After discovering that his check-in information had been leaked, one of the victims, a certain Mr Wang, took the hotel to court on the grounds that it had violated the Decision on Strengthening the Protection of Online Information of the Standing Committee of the National People's Congress and the Tort Liability Law. Ultimately the People's Court of Pudong New Area, Shanghai dismissed the plaintiff's claims on the grounds that the leaked information was inconsistent with the information retained by the hotel and that it was impossible to establish that the information had been leaked by the hotel. Although the plaintiff lost, the case nonetheless demonstrates people's increased awareness of their rights when information is leaked, even though the difficulty of adducing evidence in such cases remains unresolved. Furthermore, the leakage of railway ticket purchase information for the 2014 Spring Festival travel season and the leakage of the information of 1.3 million post-graduate examination takers, among others, were also the focus of media and public attention, although these cases did not reach the courts.

6. Which regulators are responsible for handling data security violations?

At present, there is no authority with overall responsibility for nationwide enforcement of the relevant information protection laws and regulations; administration and compliance are usually the domain of each respective industry. As specified in the Measures, the administrations for industry and commerce (AICs) at each level are responsible for overseeing the security of personal information in online transactions and perform their duties in accordance with the law. Furthermore, when a violation is serious enough to constitute a criminal offence, the public security authority enforces the law and investigates.

7. What rules and requirements apply when a third party processes the personal data on behalf of the data collector/holder?

The Guidelines for the Protection of Personal Data in Public and Commercial Service Information Systems contain relevant provisions in this respect. The client, i.e. the data collector/holder, should assess whether the third party has the capacity to properly protect the information, ensure that the information is kept secure, and ensure that the data temporarily stored with the third party can be thoroughly deleted once the information processing objectives have been achieved. Furthermore, principles such as the minimum and sufficient principle, the good faith performance principle and the clarity of responsibilities principle act as constraints. With respect to the information itself, the client should inform the data subject of the objective of the information processing and the scope of the information. The scope of personal information has been defined in the Supreme People's Court's Provisions on Several Issues Concerning the Application of the Law in the Trial of Civil Dispute Cases Involving the Use of Information Networks to Infringe Personal Rights and Interests. The third party and the information collector/holder should verify whether the information that they hold exceeds what the law permits, and ensure that they do not misuse others' information.

8. How is the transfer of data outside the Chinese jurisdiction regulated?

The Guidelines for the Protection of Personal Data in Public and Commercial Service Information Systems provide guiding opinions on the transmission of data abroad. In addition to the general provisions on the transmission of information, the Guidelines expressly require that a transmission abroad have the express permission of the subject of the information being transmitted, unless laws or regulations provide otherwise or the consent of the competent department has been secured. Furthermore, if false information is transmitted to foreign media and damages the national image, criminal liability will be pursued in accordance with the law.

9. What are the sanctions and penalties for non-compliance with data protection laws?

A violation of laws on personal information can give rise to civil, administrative and criminal liability. Civilly, although provisions such as the General Provisions of the Civil Law and the Tort Liability Law do not directly provide for protection of the transfer of user data, if user data is leaked or misused in the course of transfer and the individual's interests are prejudiced, they provide a legal basis for the indirect protection of user data and a reference for apportioning liability and for the method of compensating for infringement of personal information. Specifically, remedies could include ceasing the infringement, compensating for losses, apologising, eliminating the effects and restoring reputation. With respect to administrative liability, oversight and the imposition of penalties are carried out by the regulator of the relevant industry, and each set of regulations, such as the Provisions on the Protection of Personal Information of Telecommunications and Internet Users, the Measures for the Administration of Online Trading and the Decision on Strengthening the Protection of Online Information, contains different provisions. Taking online trading as an example, the maximum fine can reach Rmb30,000. At the extreme, misuse of personal information can constitute a criminal offence: if the perpetrator is suspected of selling or illegally providing the personal information of citizens, illegally obtaining the personal information of citizens or illegally accessing a computer information system, and the circumstances are serious, the responsible person will bear criminal liability in the form of a prison sentence of up to three years.

10. Where do you see the data protection laws heading? What is your advice to companies on ensuring compliance?

It is my opinion that laws and regulations on the protection of personal information are becoming more and more comprehensive and specific. The state will protect personal information from being misused or leaked by way of codes of conduct for the industries that have access to personal information. The Measures for the Administration of Online Trading and the Provisions for the Administration of the Security of the Personal Information of Mail and Courier Service Users promulgated this year are excellent examples of this. With the increasing variety of internet consumption, the exchange of information in online trading and offline logistics services will also increase. Data protection has improved in these industries because of these two sets of regulations. Together with the previous year's coordinated regulation of the telecommunications and internet industries, they counteract online information threats. Once the Network Security Law is adopted, the public will look forward to the early issuance of the Personal Information Protection Law. China will then have a separate law to protect the security of personal information.

When user information and data are collected and used, enterprises must take measures to secure the user data they collect, train their employees, and refrain from disclosing, selling or providing user information to others without permission. Internally, enterprises can oversee their information protection systems and issue data security reports, and if an information leak occurs, promptly notify users and take remedial measures so as to minimise user losses. Externally, enterprises need to set rules for each stage from collection, transfer and processing through to deletion of personal information, so as to reduce the risk of data loss or leakage during external transfers.

Author biographies

Ken Dai

Ken Dai is a partner of Dacheng Law Offices. He earned his LLB and LLM respectively from the China University of Political Science and Law and the University of Bristol in the UK. Currently, Ken is a member of the Antitrust Committee of IBA, the Competition Committee of IPBA, the Outbound Investment and Antitrust Committee at the Shanghai Bar Association and Asian Competition Forum. He is also a columnist at Forbes China.
Ken is one of the first lawyers in China to practise in the data protection field. He has advised numerous companies on the application of data protection related laws and enforcement policies. He has assisted a multinational company in tailoring a data-collecting project to Chinese privacy compliance regulations and has also advised on the data protection of various software, including mobile applications. He has much experience in handling employees' privacy on behalf of companies.
In addition, Ken also specialises in antitrust, including competition law compliance, merger control filing and private antitrust litigation. He stands at the cutting edge of Chinese antitrust, with significant experience and insight.
Ken's working languages include Chinese, English and Cantonese.

Jet Deng

Jet Deng is a partner of Dacheng Law Offices. Jet has 14 years' professional experience, including ten years practising as a lawyer and four years serving in the commercial sector. His major practice areas cover anti-monopoly law/anti-unfair competition law, international trade, litigation and arbitration. He specialises in handling complex projects and cases. He received his JM degree in 2005 and his PhD degree in International Economic Law in 2012 from the University of International Business and Economics. Jet has been a part-time researcher at the Competition Law Centre of the University of International Business and Economics since 2005. He enjoys interacting with the media, and has frequently been interviewed by mainstream Chinese media such as CCTV, China National Radio and various newspapers.
As an experienced antitrust lawyer, Jet's practice also covers the emerging field of data protection in China. He has been following and monitoring the data protection legislative process for years. He has provided legal advice on privacy compliance for many business transactions and has helped enterprises develop data protection policies under Chinese law. He has also assisted clients with the collection and processing of customer and employee data. Jet is familiar with enforcement practices and specialises in designing response strategies.
Jet's working languages include Mandarin and English.
