On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (in Chinese) (the “Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests (the “Consumer Protection Law”), which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
The passage of the Amendment comes on the heels of a flurry of legislation aimed at strengthening the protection of personal information in China, including the Decision on Strengthening Protection of Online Information, the Provisions on the Protection of the Personal Information of Telecommunications, and the Internet Users and the Provisions on Registration of the True Identity Information of Phone Users. Collectively, the new legislation related to the protection of personal information has significantly advanced and clarified China’s data protection regime.
The Amendment applies to any company that provides goods or services to consumers within China, and its privacy-related provisions include the following:
Prior to collection, a company must obtain consumers’ consent and provide notice of the purpose, method, and scope of the use and collection of personal information.
- A company must make its data practices regarding the collection and use of personal information publicly available.
- A company may only collect and use consumers’ personal information in accordance with applicable laws and regulations, as well as any agreement with the consumer regarding such collection or use.
- A company must keep consumers’ personal information strictly confidential and shall not disclose, sell, or illegally provide such information to others.
- A company must take appropriate measures (technical and otherwise) to protect consumers’ personal information from unauthorized disclosure or loss, and must take steps to immediately remediate any unauthorized disclosure or loss.
- A company may not send commercial communications to consumers without their consent or request, or must honor an individual’s request to opt out of the receipt of any future commercial communications. From a literal reading of this rule, it looks like the law may assume implied consent when the company sends commercial communications to a consumer unless the consumer expressly requests to opt out of receiving such communications, but it remains to be seen how this provision will be applied in practice.
In addition to assuming civil liabilities such as compensation for proved losses, a violation of the privacy-related provisions set forth in the Amendment is punishable by a warning, the confiscation of illegal gains, and/or the issuance of fines of up to ten times the amount of any illegal gains. In the event that a violation did not result in illegal gains, the regulator may issue a fine of up to RMB 500,000 (approximately USD $82,000). Finally, “serious” violations may result in an order requiring the company to suspend its business operations for ratification or the revocation of the company’s business license.
Unlike some of the recent privacy-related regulations and guidelines issued by the Chinese government, the Consumer Protection Law, as amended by the Amendment, sets forth more specific requirements related to the processing of personal information and applies broadly to all companies providing goods or services to consumers in China. Thus, it is important for companies operating in China to review their practices related to the collection, use, and disclosure of personal information in China and take the necessary steps to achieve compliance with the Amendment’s privacy-related provisions by March 15, 2014.