Gastón Fernández (Associate), Hogan Lovells, Beijing, PRC, contributed this entry
While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People’s Republic of China has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology — Guide of Personal Information Protection (the "Guidelines", issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.
Currently applicable laws and regulations
In the absence of comprehensive PRC laws or regulations on personal information protection, businesses have had little guidance on the types of activities which are permissible. Generally, the Constitution of the People’s Republic of China ("PRC Constitution") sets forth rights which have been interpreted by academics as establishing an individual right to privacy. Article 40 of the PRC Constitution provides that a citizen’s freedom of communications and privacy of communications are protected by law. Article 38 of the PRC Constitution sets forth a general right of citizens to be free from infringements on their dignity, and protects citizens from defamation, false accusations and insults. These articles have been interpreted as the foundation for a general right to privacy which is briefly mentioned in various PRC laws and regulations. For example, the seventh amendment to the PRC Criminal Law (effective 28 February 2009) added the criminal offenses of illegally providing and illegally using personal information of PRC citizens. Both individuals and legal entities may be found guilty of the offenses: legal entities may liable for fines, and responsible individual management personnel may be subject to fines and imprisonment and/or probation for up to 3 years. Despite potentially harsh penalties, little regulatory guidance has been given on the types of behavior which are illegal when collecting and processing personal information. Although a draft Personal Information Protection Law ("Draft Privacy Law") was published in late 2006, it remains under review and has not been enacted. The draft Guidelines would partially fill this void, but in many ways could present compliance challenges for businesses.
Key features of the draft Guidelines
The draft Guidelines could have widespread effects on the way multinational corporations operate in China. By broadly defining "personal information", granting data subjects broad rights relating to personal information and tightly limiting the ability of data processors to transfer information, compliance with the draft Guidelines could prove costly and time-consuming.
The draft Guidelines would apply to all use of computer systems in processing personal information, including the collection, processing, transfer, use, prevention of access and deletion of personal information. Personal information is also broadly defined as any information which independently or together with other information enables identification of the data subject. The definition of personal information is broad enough to conceivably cover any type of information relating to a person.
The draft Guidelines provide general principles for processing personal information. The purpose and use of collecting personal information should be clear and reasonable. Data processors should notify data subjects in plain language of: (1) the purpose of collecting the personal information and the scope of use, (2) the period of storing the information, (3) information protection policies in place to safeguard the information, (4) the rights of the data subject, (5) the individual responsible for data processing, and (6) other relevant information. Personal information should not be collected or processed without the informed consent of the data subject.
Rights of data subjects
Under the draft Guidelines, data subjects would have broad rights in relation to their personal information held by data processors, including:
(a) Right to confidentiality
The data processor should not disclose personal information to any natural person or legal entity for purposes other than those notified to the data subject.
(b) Right to knowledge
The data subject would have the right to receive accurate information on the content of his or her personal information, the source of that information, the purpose and scope of use, and the scope of disclosure to third parties.
(c) Right to opt out, change data or prohibit use
Data subjects would have the right to accept or refuse to provide personal information, the right to request data processors amend or correct personal information which is incomplete or inaccurate, and the right to request data processors stop processing and delete personal information.
Prohibition on collecting personal information of children without their guardian’s consent
Data processors would be generally prohibited from collecting personal information from / or about people under 16 years of age. In the event that the collection of such information is necessary to provide services, consent from the child’s guardian would have to be obtained.
Irrelevant personal information should not be collected
The Guidelines prohibit data processors from collecting information which is not directly connected to the stated purpose, especially information relating to ethnicity, religious belief, genetic information, fingerprints, health condition or sex life.
Transferring personal information
The draft Guidelines take a restrictive position on the transfer of personal information between data processors and could create difficulties for multinational corporations relying on third party data processing companies or routinely passing information between affiliates.
(d) Presumption against transfer to third parties
The draft Guidelines generally prohibit transfer of personal information to third parties. In situations where personal information would be transferred to third parties, the data processor would have to disclose the identity of the transferees and obtain consent from the data subject.
(e) Presumption against allowing cross-border transfer of personal information
Under the draft Guidelines, transferring personal information to foreign data processors is prohibited except where there are clear laws or regulations permitting the transfer or the industry regulator has agreed. Given the lack of current PRC laws and regulations on this subject, the proposed rule could have a major impact on companies using offshore data centers or transferring information to foreign affiliates, especially in the financial services and insurance industries, where collection and transfer of personal data is necessary for business operations.
In this respect, the position in the draft Guidelines is far more restrictive than the proposed Draft Privacy Law, which would generally allow international transfer of information subject to informed consent, national security considerations and the adequacy of data privacy laws in the recipient’s jurisdiction.
(f) Use of personal information following mergers or acquisitions
The draft Guidelines require that in the event a data processor is involved in a merger or acquisition, the transaction documents would have to specify that the use and level of protection of personal information would not change.
The preface to the draft Guidelines notes that a number of domestic internet and software companies and industry associations were consulted in the course of preparing the draft, and the text appears to have been primarily prepared considering online collection of data from internet users. However, the draft Guidelines would potentially apply to virtually any company: for example, employers with digital records on employees, or financial institutions and insurers with records on their customers. While the general principles relating to informed consent and consumer protection are reasonable, the extent of proposed restrictions on transfer of personal information between entities and internationally could unnecessarily raise compliance costs. As further steps are taken toward enacting regulations on personal data privacy, regulators should consider the practical costs of implementation and the wider impact that rules in this area will have on companies doing business in the PRC.