Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches, International/EU Privacy

China: The Strengthening of Online Private Information Protection

circuitboardWith a population reaching billions, it is not a surprise that the number of internet users in China is drastically increasing.  Such influx of Chinese “netizens” brings with it the importance for protection of online private information.  As a result, in the last days of the 2012 calendar year, the Standing Committee of the National People’s Congress of China issued the Decision on Strengthening Protection of Online Information (the “Decision“) with the purpose of protecting online personal information, online privacy, as well as the public interest.

The Scope, the Prohibitions, and the Obligations

The Decision is designed to protect electronic information that may potentially identify an individual or involves personal privacy.  To do so, the Decision includes prohibitions and obligations regarding such electronic information.  It prohibits the stealing and selling (including any other methods of illegally obtaining or providing) of such electronic information, while also specifying obligations for collection and use and also for safeguarding personal information.  In the collection and use of personal electronic information, an entity must:

  • Follow the principle of legality, appropriateness, and necessity;
  • Disclose the purpose, method, and scope of the collection and use;
  • Obtain consent by relevant individuals; and
  • Abide by relevant laws and regulations and also contractual agreements (the collection and use of the information should not violate relevant laws and regulations and also any agreements or contracts).

In terms of safeguarding personal information, the information collected must be kept confidential with the use of technology or other similar necessary methods.  The Decision provides that the information may not be leaked, modified, destroyed, sold, or illegally provided to others, and in the event where it may have been, the responsible entity must take immediate remedial measures to fix the situation.  In addition, where an Internet Service Provider (“ISP”) discovers any prohibited information being released or transmitted, the ISP must immediately stop such transmission, remove the information, maintain relevant records, and report it to the authorities.

Note that an ISP that provides internet, landline or cell phone, or content publishing platform services must now require users to provide information about their true identities.  However, without explicit consent or a request from the receiver, an information provider may not send commercial electronic information to the receiver’s telephone, mobile phone, or personal e-mail account.

Remedies

In the event of a leak or dissemination of personal or private information or where a party is being bombarded with commercial electronic information, he or she may request the ISP to take necessary measures to stop it and may also file a complaint with the authorities.  Violations of the Decision could result in one or more penalties including warnings, fines, confiscation of illegal income, revocation of permits, cancellation of records, removal of the website, and civil, administrative and possibly even criminal punishments.  Any individuals who violate the Decision will be prohibited from future employment in the internet service industry.  In addition, all violations will be recorded in the social credibility files which are available to the public.

Government Obligations

In addition to the responsibilities required of the entities, the Decision also requires action from the government.  The Decision provides that government authorities must take technical or other necessary measures to prevent and deal with illegal and criminal activities relating to online information. Also, the authorities or its agencies must uphold the confidentiality of personal digital information obtained during performance of their duties.

China’s Privacy Efforts Don’t Stop Here

This Decision lays another milestone for the legislation in privacy protection in China.  Yet, it is quite broad and lacks accurate and detailed interpretation for compliance.  Foreign investors should continue to monitor for the implementation rules to the Decision or any other detailed official interpretations.