2013.04.12 FENG Rui, Zhuo Hui, Zou Xiaoqian, Min Nana
The Resolution in Relation to Strengthening the Protection of Information on the Internet (《关于加强网络信息保护的决定》) (the “Resolution”) was promulgated by the Standing Committee of the National People’s Congress (the “NPC”) on December 28, 2012, and took effect on the same day. In addition, the Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (《信息安全技术 公共及商用服务信息系统个人信息保护指南》(GB/Z 28828-2012)) (the “Guidelines”) were officially promulgated on November 5, 2012 and came into effect on February 1, 2013.
I. Background to Legislation
The internet has greatly facilitated the transmission of information. However, the internet has also amplified the adverse effects of the indiscriminate disclosure and use of personal information. In practice, many entities and individuals illegally or improperly collect, use, disclose or sell personal electronic information. At the end of 2011, a serious hacking incident occurred in China, leading to the unauthorized disclosure of user data on many large websites. User IDs and passwords of approximately 50 million internet users were released to the public. Separately, China Central Television, widely known as CCTV, reported at the beginning of this year that certain internet service providers had been analyzing the interests, habits and preferences of internet users by illegally accessing internet accounts and tracking internet usage. These internet service providers would then direct targeted commercial advertisements to such users. The hacking incident and the CCTV report have aroused significant public concern in China.
Before the Resolution, there was no established, integrated legal system regarding the protection of personal information in China. There was only a disparate assortment of provisions, stipulated under various laws and regulations, that sought to protect specific types of personal information. The PRC Personal Information Protection Law (《个人信息保护法》), which has attracted much attention, is still working its way through the legislative process. A bill, prepared by academics in 2005 and submitted to the State Council for discussion in 2008, remains in draft form.
The Resolution was promulgated by the Standing Committee of the NPC and, pursuant to the PRC Legislative Law (《中华人民共和国立法法》), has equal standing with national laws. In this sense, the Resolution is the first law-equivalent legislative document in China that focuses on the protection of personal information.
Unlike the Resolution, which seeks to bring together the various laws, regulations and rules preceding it, the Guidelines are classed as a “guiding technical document” rather than a legislative document or a mandatory national standard. This means that the Guidelines are neither mandatory nor enforceable. In accordance with PRC law, a guiding technical document must be revisited within three years of its promulgation in order to (i) maintain its effectiveness; (ii) convert it into a national standard; or (iii) revoke it.
As the first guiding technical document regarding the protection of personal information, the Guidelines set out the general principles and specific technical requirements for the collection, processing, transmission and deletion of personal information through various information systems. The draft of the Guidelines, named the Information Security Technology – Guide to Personal Information Protection (《信息安全技术 个人信息保护指南》(草案)), was released for public consideration two years ago, on February 10, 2011. However, due to the wide scope of the Guidelines and disagreements over the basic definitions, the Guidelines have only recently been finalized. In their current form, the Guidelines apply only to personal information held on information systems used for public and commercial services, and do not apply to government authorities. It is highly likely that, before a legally binding national standard is issued, the Guidelines will be used as a reference in administrative and judicial practice to judge whether personal information is properly protected.
II. Primary Provisions & Influence on Practice
i. Scope of Protection
The Resolution specifies in Article 1 that “electronic information that enables the identification of an individual and electronic information that involves individual privacy” should be protected. “Personal information” is defined in the Guidelines as “any computer data associated with an individual, which can be processed by information systems and, either independently or when combined with other information, can enable the identification of such individual”. Therefore, both the Resolution and the Guidelines focus on the protection of “personal electronic information”.
Under the Guidelines, personal information consists of “personal sensitive information” and “personal general information” (i.e., non-sensitive personal information). If the subject of personal information may be adversely affected once certain personal information is disclosed or changed, then such personal information should be recognized as personal sensitive information. Personal sensitive information includes ID numbers, mobile phone numbers, race, political opinions, religion, genetic information, fingerprints, etc. In accordance with the Guidelines, different rules should apply to different types of personal information. For instance, the collection of personal sensitive information requires the “express consent” of the subject of the personal information, while “implied consent” is sufficient for the collection of personal general information.
ii. Application of the Resolution and the Guidelines
Application of the Resolution
The Resolution contains general prohibitive provisions that apply to any entity and individual. Such provisions include prohibitions against the illegal collection, stealing, sale or provision of personal electronic information (as stipulated in Article 1) and against sending spam email, mobile phone spam, etc. (as stipulated in Article 7). These are all general provisions that seek to protect personal life and privacy.
With respect to internet service providers, other enterprises and public institutions, Articles 2 to 5 provide specific requirements for the collection, utilization, provision and storage of personal information by such entities and their staff in the course of business operations. In addition, where an internet service provider provides a user with network access or information publication services, such provider should require the user to disclose and verify his or her identity.
As for government authorities and their staff, the Resolution requires that they keep secret the personal electronic information received by them during the performance of their duties, and that they not disclose, change or destroy such information, or sell or illegally provide it to any third party.
Application of the Guidelines
The Guidelines provide guidance on the protection by various organizations and institutions of personal information within information systems. These organizations and institutions include service providers in telecommunications, finance, medical services, etc. However, entities performing public administration duties, such as government authorities, are expressly excluded from the scope of the Guidelines.
Under the Guidelines, the protection of personal information involves four roles: (i) the subject of the personal information, i.e., the individual to whom such personal information relates; (ii) the administrator of the personal information, e.g., a service provider; (iii) the recipient of the personal information, e.g., a specialized data processing/management service provider; and (iv) the independent evaluation institution, which specializes in the attestation/evaluation of information protection and is independent from the administrator of the personal information.
Each role carries different responsibilities and duties. For example, the requirements for the administrator of the personal information are particularly strict. Under the Guidelines, the administrator of the personal information should: (i) design and establish the process under which personal information is processed; (ii) formulate a management system for managing personal information; (iii) implement the management system mentioned in (ii); (iv) designate certain personnel to take charge of personal information protection and to accept complaints and enquiries; (v) formulate an education and training plan in relation to personal information protection and carry out such training; and (vi) establish internal controls for personal information protection and inspect, or evaluate by engaging an independent evaluation institution, the security and protection mechanisms of the information system. In addition, the administrator of the personal information is required to manage and control the risks that arise in the course of processing personal information. The administrator should make plans for incidents that may occur, such as the disclosure, loss, damage, change or improper use of personal information. Once any such incident actually occurs, the administrator should promptly take measures to mitigate its adverse effects, promptly give notice to the affected subject of the personal information and, if the incident is serious, promptly report to the government administration responsible for personal information protection.
While the Guidelines are currently not mandatory, they establish the basic requirements and standard for the protection and management of personal information. With greater public awareness of the importance of personal information protection, the Guidelines may be elevated to legal obligations in the future. In this sense, it is advisable for service providers that need to process large amounts of information to gradually introduce and improve personal information protection mechanisms in a cost-efficient way, so that they can minimize the time and cost of adapting to future legislation and thereby gain a competitive advantage.
iii. Requirements for Information Processing
Both the Resolution and the Guidelines emphasize the importance of protecting personal information in the course of information processing.
General Principles
In accordance with the Resolution, internet service providers, other enterprises and public institutions should strictly comply with the general principles of “legitimacy, reasonableness and necessity” when they collect or use personal information in the course of business. Under the Guidelines, the processing of information consists of four steps, i.e., collection, processing, transmission and deletion. The Guidelines set forth the following eight principles to be observed in the processing of personal information: (i) have a reasonable and clear purpose for information processing; (ii) collect, process and use no more information than is necessary to fulfill the purpose; (iii) notify the subject of the purpose, the scope of collection and use, the protection measures, etc.; (iv) obtain consent from the subject; (v) keep the personal information complete, accurate, usable and up to date; (vi) guarantee the security of the personal information; (vii) stop processing or using the personal information upon fulfillment of the purpose; and (viii) clearly allocate and implement internal responsibilities in relation to the information.
Specific Provisions on Collection of Information
Pursuant to the Resolution, internet service providers, other enterprises and public institutions should publish their rules concerning the collection and use of personal information, and should give notice to and obtain consent from the subject of the personal information about the purpose, method and scope of the collection and use of his or her information. The relevant provisions under the Guidelines are more specific. No entity is allowed to collect personal information either secretively or indirectly. No entity may directly collect personal sensitive information from any person with limited or no legal capacity (e.g., minors under 16 years old) without the express consent of his or her guardian. It is foreseeable that providers of instant messaging, e-commerce and social networking services will face great pressure to reengineer their processing workflows and upgrade their technology if the Guidelines become enforceable.
Specific Provisions on Transmission of Information
Under the Guidelines, without express consent from the subject of the personal information, explicit authorization by laws or regulations, or approval of the competent authorities, the administrator of the personal information is not allowed to transmit any personal information to any overseas recipient (including any overseas individual and any organization or institution registered overseas). This provision has already raised concerns among Chinese and multinational companies which, in the course of business, provide personal information to overseas persons or entities. This is a real issue and merits continued monitoring for developments in administrative and judicial practice and in future legislation.
In addition, we note that some multinational companies have raised concerns about the applicability of the Resolution and the Guidelines to the collection, storage and processing by employers of employees’ personal electronic information. If the Resolution and the Guidelines apply, employee management costs will increase significantly, and employees may use any non-compliance in this connection as a bargaining chip in labor disputes. Based on the content and legislative purpose of the Resolution, the Resolution is unlikely to apply to the protection of employees’ personal information against their employers. However, it is not clear whether the same can be said of the Guidelines. Given that there has been no official judicial interpretation or precedent since the promulgation of the Resolution and the Guidelines, it is difficult to reach a conclusive interpretation at this stage.
iv. Legal Liabilities
If an entity or individual breaches the Resolution, such entity or individual may face civil, administrative or even criminal liability.
Civil Liability
The Resolution generally provides that where an entity or individual violates the protection of personal electronic information under the Resolution and infringes another person’s civil rights and interests, such entity or individual should bear civil liability. This helps to establish that personal electronic information is one of the civil rights and interests protected under the PRC Tort Liability Law (《侵权责任法》).
Administrative Liability
Pursuant to the Resolution, any entity or individual that violates the Resolution may face administrative penalties imposed by the competent government authorities, including but not limited to warnings, monetary penalties, confiscation of illegitimate gains obtained from such violation, revocation of permits or cancellation of registrations, suspension of websites, prohibiting the responsible person from engaging in internet service provision, and recording such violation in the social credit records of the entity in question and making such record public. Among these penalties, the final two had never before been stipulated as administrative penalties in any law-equivalent legislative document. It is probable that these penalties, including the new ones, will be introduced into the draft PRC Personal Information Protection Law and other regulations and rules in this connection.
Criminal Liability
Under the PRC Criminal Law, government authorities and entities in the fields of finance, telecommunications, transportation, education or medical treatment, and the staff of such authorities or entities, are prohibited from selling or illegally providing to others personal information obtained during the performance of duties or the provision of services by such authority, entity or staff member. If the circumstances are serious, penalties may include imprisonment of no more than three years or criminal detention, and fines. It is worth noting that, given that more and more internet service providers are providing services to numerous, non-specific persons, there has been much debate about whether an internet service provider can be charged with such a crime.
In addition, any entity or individual that illegally obtains personal information by stealing or any other means may, if the circumstances are serious, also be charged under the PRC Criminal Law.
In short, the promulgation of the Resolution and the Guidelines marks a milestone in the development of legislation on personal information protection in China. We will continue to monitor how the Resolution and the Guidelines are implemented in practice. Risk assessment and the formulation of solutions in this connection are also areas in which we, as lawyers, can add value for our clients.