The People’s Republic of China ("PRC" or "China"), like many other jurisdictions, has been grappling with the issue of how to protect personal information at a time when information tools are becoming increasingly pervasive and sophisticated. PRC law has not traditionally included robust rights of privacy that can be built upon to take account of modern information technology, although certain notions of an individual right to privacy can be derived from the PRC Constitution[1] and other legislation.
Growing Interest in Information Privacy in China
China still lacks a comprehensive legal framework to regulate the use and disclosure of personal information. While the introduction of a national, generally applicable information privacy law remains elusive, recent years have seen a resurgent, if piecemeal, legislative interest in the topic. Notable recent developments at the national level include:
Seventh Amendment to the Criminal Law[2]
On February 28, 2009, the Standing Committee of the National People's Congress (“NPC”) promulgated the seventh amendment to the Criminal Law of the PRC (“Criminal Law Amendment”). The Criminal Law Amendment makes it a criminal offense:
If the violation is "severe", individuals found guilty of either offense will be subject to imprisonment for up to three years and/or a monetary fine. The Criminal Law Amendment also specifically provides that organizations (such as corporate entities) that commit either offense shall be liable for a monetary fine and that the responsible officers may be personally liable to criminal charges. The Criminal Law Amendment does not define "personal data," and it leaves unclear what types of disclosure constitute “unlawful provision,” whether and to what extent any authorization by the employer and/or consent by the data subject are relevant, and what factors are relevant in determining whether a violation is "severe." Subsequent implementing regulations or interpretations of the Supreme People’s Court may provide guidance on these questions. In the meantime, companies operating in the PRC financial, telecommunications, transportation, education, or medical sectors would be well advised to review their internal systems for preventing unauthorized disclosure of customer data, and all companies looking to acquire customer databases in China should conduct thorough due diligence on the sources of such information.
Tort Liability Law[3]
On December 26, 2009, the Standing Committee of the NPC promulgated the Tort Liability Law. The Tort Liability Law includes the following material provisions relating to the right of privacy:
The Tort Liability Law also addresses protection of the information privacy of medical patients. It requires medical institutions to establish and keep various types of medical records and hold such records private and confidential. A patient has the right to bring a tort claim against a medical institution or its personnel for damages resulting from the unauthorized disclosure of the patient’s medical records by the medical institution or such personnel. On balance, the most notable aspect of the privacy provisions of the Tort Liability Law is the creation of a new private right of action allowing an individual to claim damages for breach of his or her privacy right. Whereas past attempts to address misappropriation of personal data had to invoke attenuated references to the General Principles of the PRC Civil Law (the "General Principles")[4], these General Principles, along with the PRC Constitution and other PRC Civil Code measures, never recognized a private right of action for a breach of one’s relatively amorphous "right of privacy." Future judicial and legislative interpretation of the Tort Liability Law and new legislation will further clarify the nature of this private right of action, presumably in line with the General Principles which are applied to other private rights of action. In particular, the Tort Liability Law explicitly reaffirms one of the general precepts of Chinese law – that an employer is responsible for the actions of its employees taken in the course of their employment, such that if those actions result in the infringement of an individual’s privacy right, the employer may be held liable.
Regulations on the Administration of Credit Reporting
There is currently no national legislation governing the collection and dissemination of personal credit information, although local governments in some localities have enacted local regulations on collection of such information.[5] Typically under local regulations, prior authorization or consent must be obtained from the person whose credit information is sought before the relevant CRA may release such information to a third party. A draft of Regulations on the Administration of Credit Reporting (“CR Regulations”) was issued for public comment on October 13, 2009 by the Legislative Affairs Office of the State Council ("SCLAO"), China’s cabinet-level body.[6] The draft CR Regulations include provisions that:
Compliance with the CR Regulations will be primarily policed and supervised by the People’s Bank of China ("PBOC"), China’s central bank. It is worth noting that the draft regulations expressly exempt the Credit Reference Center of the PBOC from certain of the data privacy requirements. The SCLAO issued a second draft of the CR Regulations for public comment on July 21, 2011.[7] The second draft expressly limits the regulations' scope of applicability to credit reporting activities within the information services industry, i.e., the collection, processing, sorting and publication of individuals’ and enterprises’ credit information by government agencies or by organizations with a public affairs function are not regulated. In addition, taking into consideration the significant differences between credit rating services and regular credit reporting activities, the second draft excludes provisions found in the first draft regulating credit rating activities. Furthermore, the second draft makes a greater distinction between personal credit reporting services and enterprise credit reporting services, imposing stricter capitalization and regulatory reporting obligations on entities engaged in provision of personal credit reporting services. This further highlights the Chinese government’s recognition of the need to strengthen the protection of personal information and to prevent the infringement of privacy.[8]
Efforts to Implement Omnibus Data Privacy Standards
China has as yet not issued a national, generally applicable information privacy law, but there have been some efforts to implement general standards. Following an initial study carried out in 2003, the PRC State Council commissioned a group of PRC legal scholars to prepare a draft national law that would focus exclusively on the regulation of data privacy. The draft Personal Information Protection Law ("Protection Law") was finished in 2005 and published in 2006.[9] The draft Protection Law provides as follows:
The draft Protection Law was merely a consultative document and has not been formally adopted by any part of the PRC government. Indeed, since the publication of the draft Protection Law, attempts to introduce a national privacy law appear to have remained in limbo. Proposals for such a law have been submitted to the NPC several times. None of these proposals have yet come to fruition, however. On February 10, 2011, the Ministry of Industry and Information Technology of the PRC ("MIIT") circulated a draft Information Security Technology – Guide of Personal Information Protection ("Guide") for public comment.[10] The Guide, to be promulgated by the General Administration of Quality Supervision, Inspection & Quarantine of the PRC and the Standardization Administration of the PRC, if issued, provides a general principle requiring that the holders of third-party personal information keep such information confidential. The individual should be notified as to the manner of collection, processing and disclosure of his or her personal information, and should have a right and opportunity to object to such collection, processing and disclosure. The individual should also have the right to request that his or her personal information be corrected or removed from the holder of such information. The Guide also sets forth more specific principles on how personal information may be collected, processed, used, transferred and maintained. Notable highlights from the Guide include:
According to the Guide, personal information should only be used for the purpose stated to the individual when the information was collected, unless otherwise stipulated in law or clearly agreed to by the individual. This may present certain administrative difficulties for a company. Presumably it could be quite difficult to go back to customers after they have provided personal information in connection with a completed product purchase to obtain further consents to the use of their information. Companies would have to find the right balance in stating such purposes broadly at the outset to capture all potential uses, but not so broadly as to discourage customers from purchasing the underlying products or services. The Guide also imposes an obligation to obtain express consent from an individual in order to disclose his or her personal information to another organization (within or outside of China). This exceeds the disclosure requirements in other jurisdictions such as the European Union ("EU"). The corresponding EU directive provides specific exceptions to its consent requirement where sharing the information is necessary to complete the contract or satisfy pre-contractual obligations. The Guide in its current recommended form does not state any such exceptions. The Guide also does not define the term "other organizations", and therefore, interpreted literally, could even preclude transfers to affiliates of the company holding the individual’s personal information. Of course, many companies outsource data processing (including the handling of personal information) to third-party service providers located in China. These companies would be reluctant to outsource such data processing to China-based providers if export restrictions created potential difficulties in having such data returned to them.
In this regard, it is important to note that the prohibition on exporting personal data applies to any "administrator" of personal information, defined as “the natural person or legal person with the right to manage the personal information”. There is some room for interpretation, but presumably the prohibition may be understood to apply only to an entity which outsources the data processing since it has the actual right to manage the data under the primary contract with the individual. The drafters of the Guide have attempted to pick up the proverbial regulatory "baton" by preparing the Guide as a "national standard" under China’s GB (“guobiao”) standardization system, but only as a voluntary guideline (GB/Z) lacking the force of law. By proposing that the Guide be issued as only a recommended (not mandatory) “guideline” standard, the authorities may want to "test the waters" to see how tighter privacy standards are put into practice before imposing mandatory standards. Even before the Guide is finalized and issued, we anticipate that adopting the standards contemplated in the Guide may be a useful defence for companies operating in China that may be the subject of lawsuits under the Criminal Law Amendment or Tort Liability Law. For example, where a company is sued for a criminal or tortious act of its employee in making use of personal data housed at the company, it should be helpful (in order to distance itself from the rogue actions of the employee) to demonstrate that the company has adopted Guide standards in its internal control procedures.
Protections for Personal Information on the Internet
China has tightly regulated "Internet information services" for over 15 years, but the focus of its regulatory efforts has not historically included personal data privacy. The Provisional Regulations of the PRC on the Management of International Networking of Computer Information Networks ("Internet Regulations")[11], promulgated by the State Council on February 1, 1996 and effective on the same day, require companies and individuals to comply with Chinese laws and regulations; implement secure online systems; not engage in illegal activities; and not produce, retrieve, reproduce, or disseminate information that would hinder public security or that is obscene or pornographic. On September 25, 2000, the State Council promulgated the Measures for the Administration of Internet Information Services ("Internet Measures")[12], which took effect on the same day. Neither the Internet Regulations nor the Internet Measures include any explicit provisions addressing the protection of personal information. On July 27, 2011, the MIIT published draft Provisions for Administration of Internet Information Services (for Public Comment) ("Internet Provisions")[13], which include provisions regulating the processing of personal information by “Internet Information Service Providers” (“IISPs”), a term which, applying the definitions in the Internet Measures, refers simply to parties providing information to Internet users over the Internet. The Internet Provisions include the following data privacy provisions:
As one would expect, the restrictions on collection of personal information as well as the obligation of confidentiality summarized above are limited "as provided by law or administrative regulation". The data privacy obligations of an IISP must be understood in the context of an IISP's robust monitoring, record keeping and reporting obligations under the Internet Measures and other regulations relevant to users' online activities. By covering all parties operating over the Internet, not just those in particular industries, the Internet Provisions nonetheless represent a broadening of regulatory efforts beyond the more limited industry-specific efforts that the CR Regulations and other current regulations represent. At the same time, it seems unlikely that China will promulgate data privacy legislation with mandatory provisions of general application to all parties collecting personal data in China in the near future.
Paul D. McKenzie is Managing Partner of Morrison & Foerster’s Beijing office. His practice focuses on a broad range of corporate transactions and regulatory compliance matters in China. Mr. McKenzie received his B.A. and LL.B. from the University of Toronto. He is admitted to practice in the Hong Kong Special Administrative Region of the PRC and British Columbia, Canada.
Can Cui is a J.D. candidate at New York University. He has over four years of U.S. patent prosecution experience. Dr. Cui’s scholarship focuses on intellectual property law. He has a B.Sc. from Peking University and a Ph.D. from Harvard University.
© 2011 Morrison & Foerster LLP