Dun & Bradstreet Subsidiary in China Fined, Employees Sentenced for Data Purchases

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

SHENZHEN, China--Shanghai Roadway D&B Market Services Co. Ltd., a subsidiary of New Jersey-based commercial information company Dun & Bradstreet (D&B), has been fined ¥1 million ($160,700) and several employees have been fined and sentenced to prison over illegal purchases of the private information of citizens, the Shanghai Zhabei District Court announced in a Jan. 9 blog post .  

At least four of the company's employees, including its general manager, have been fined between ¥5,000 and ¥20,000 ($800 to $3,200) and sentenced to between one and two years in prison, the court explained.

D&B suspended operations at Roadway early last year over allegations that its data collection practices had violated Chinese consumer data privacy laws (11 PVLR 557, 3/26/12).

The Zhabei court officially charged the company Sept. 28, 2012, for “illegally obtaining private information from Chinese citizens,” which included purchases of personal data related to employment and income and the addresses of up to 150 million citizens, according to state-media reports.

In a Jan. 9 statement sent to BNA, D&B said it “accepts the judgment of the court and the fine assessed upon its former subsidiary Shanghai Roadway Marketing Services Company Ltd. for Roadway's violation of China's consumer data privacy laws.” It noted that it closed Roadway after learning of the allegations. “D&B cooperated with all requests from Chinese investigators and did not contest the charges in court, in recognition of the fact that such consumer data collection practices contradict D&B's core values regarding data integrity,” the company added.

Though he could not comment directly on the case since the full decision was not available, Scott Livingston, an associate with Covington & Burling LLP, in Beijing, told BNA Jan. 15 that “the decision highlights the importance Chinese authorities are placing on protecting personal data and should send a clear signal to companies operating in China about the importance of complying with China’s emerging data protection framework.”

New Regulations on Horizon

Livingston said he expects that “several new regulations and standards should emerge this year to help clarify relevant responsibilities” of companies regarding the new data protection framework, something that was signaled in mid-2012 when the State Council issued an opinion on “Promoting Informatization Development and Practically Safeguarding Information Security.”

On Dec. 28, 2012, the Standing Committee of the National People’s Congress released a new law on data protection called the “Decision of the Standing Committee of the National People's Congress to Strengthen the Protection of Internet Data” (12 PVLR 6, 1/7/13).

The new law is meant to strengthen data protection by ensuring that “network service providers” and “enterprises or public institutions,” according to a client brief sent to BNA by Covington & Burling offices in China Jan. 14, “ … clearly indicate the 'use, method, and scope’ of their collection of an individual’s 'personal electronic information,’ and not to collect or use this information without the individual’s consent.” The brief added that “it is not clear at this time how a user may evidence consent.”

The brief said that “no formal definition or further interpretive guidance” had been given for the term “personal electronic information” beyond saying that it is something “by which the individual identity of citizens can be distinguished as well as that which involves a citizen’s privacy,” and that applying the notification requirement to all “enterprises or public institutions” would “presumably require all institutions to notify users of the collection and use” of their electronic information, “even for information that is not collected online, so long as that information is transmitted or stored electronically.”

By Michael Standaert  

The Shanghai Zhabei District Court announcement is available, in Chinese, at http://t.qq.com/p/t/201723032216835.

Full text of Covington & Burling's Jan. 11 client brief is available at http://op.bna.com/pl.nsf/r?Open=kjon-93ysq7.

Request Bloomberg Law: Privacy & Data Security