Skip Page Banner  
Skip Navigation

China Enacts Online Privacy Framework To Protect Data, but Not User Anonymity

Monday, January 7, 2013

BEIJING--China's National People's Congress (NPC), the country's top legislative body, Dec. 28 enacted new rules that seek to increase protection of online personal data but at the same time require internet users to reveal their real names, according to a same day statement by the central government.

The “Decision of the Standing Committee of the National People's Congress to Strengthen the Protection of Internet Data,” which took effect immediately upon its passage, bans the sale or distribution of an individual's personal digital information without consent, requires internet service providers to ensure the security of personal data and prevent its misuse, and gives individuals the right to seek deletion of personal data posted without consent and the right to sue for violations of the law.

The legislation is “a positive move for the public benefit” that “helps bring China closer to having its own data privacy laws” and achieves “the basic framework for internet data privacy protection,” Alan Chiu, a partner at Mayer Brown JSM in Hong Kong, told BNA Jan. 4.

The new rules establish the broad principle that personally identifiable electronic data are protected by the government, Chiu said. It clarifies the duties and obligations of website operators and internet service providers to protect internet users' data and outlines possible consequences for data privacy breaches. It also expressly prohibits email and text message spam, he said.

But questions remain about how the rules will be implemented, Chiu said. For example, the legislation does not specify which governmental department or agency will supervise or enforce the rules, he noted.

The law says that violators may be given a warning, fined, have illegal income confiscated, face cancellation of permits or other business privileges, or have their websites shut down. It does not, however, provide specific fines or jail terms for criminal violations, or contain civil fine details.

Builds on Previous ISP Regulation.

China began to address the issue of online personal data protection in 2012, with the release of a new Ministry of Industry and Information regulation requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data (11 PVLR 304, 2/13/12).

Those rules, which took effect in March 2012, require ISPs to inform users how their data would be used. They introduced internationally recognized concepts such as data consent requirements, a provision on safeguarding information and use limitation. Practitioners told BNA at the time that the rules fell short because they only applied to ISPs.

The new rules include all organizations and individuals that handle personal data, within their scope, saying that “no organization or individual” may steal, sell, or illegally distribute an individual's personal data without consent.


 

The legislation is “a positive move for the public benefit” that “helps bring China closer to having its own data privacy laws” and achieves “the basic framework for internet data privacy protection.”  

 

Alan Chiu, Partner,
Mayer Brown JSM, Hong Kong

According to a Jan. 2 Hunton & Williams LLP blog post, personal data covered by the law includes “electronic information that can identify individuals and implicate their private affairs.”

Online User Registration.

The new law requires online users to register their real names with their internet or telecommunications service provider, raising free speech concerns among China's over 500 million web users, including bloggers.

Li Fei, deputy director of the Commission for Legislative Affairs of the NPC, was quoted by China's official government-controlled Xinhua news agency as calling such worries “unnecessary” and said individuals would still be able to expose cases of corruption online.

“Identity management work can be conducted backstage, allowing users to use different names when posting material publicly,” Li was quoted as saying.

By Leslie A. Pappas  


The “Decision of the Standing Committee of the National People's Congress to Strengthen the Protection of Internet Data” is available, in Chinese, at http://www.gov.cn/jrzg/2012-12/28/content_2301231.htm.

The Jan. 2 Hunton & Williams LLP blog post is available at http://www.huntonprivacyblog.com/2013/01/articles/chinese-legislature-passes-data-privacy-resolution/.

To view additional stories from Privacy & Data Security Law Resource Center™ register for a free trial now