China’s Data Privacy Protection Comes of Age
Here we look at some major recent developments in relation to data privacy protection in China. It is vital that all foreign and Chinese businesses develop strong and compliant data privacy policies, given the potential penalties involved for breach of China’s relatively new data privacy rules.
China has come a long way in relation to the protection of private information of consumers. Originally, one had to point to provisions in China’s Constitution that seemed to provide some protection to a person’s right to privacy. Then, along came a number of considerable amendments to the PRC Consumer Rights Protection Law (“CRPL”) in 2014, which has certainly raised the bar in a number of areas, including in relation to data privacy.
Article 14 of the CRPL states that consumers are to have the “right to have personal information protected in accordance with the law” when purchasing and using goods or services. Article 29 of the CRPL sets out rules for collection and use of a consumer’s personal information:
(a) The purpose, method, scope and rules of collection and use of personal information shall be explicitly stated and consented to, by consumers
(b) Business operators are to maintain personal information in confidence and are not to disclose, sell or illegally provide the personal information, to third parties, without consent
(c) Business operators are to ensure that technical and necessary relevant appropriate measures are in place, to ensure information security and to prevent information disclosure or loss, and
(d) The distribution of commercial information to consumers is prohibited where a consumer has not consented to its receipt.
Then in January of this year, the State Administration of Industry and Commerce (“SAIC”) issued a regulation based on Articles 14 and 29 of the CRPL, that is to take effect from 15 March 2015. The regulation is known as the “Measures for Penalties Regarding the Infringement of Consumers’ Rights and Interests”. One key aspect of this regulation, is that the SAIC has defined “consumers’ personal information” for the purposes of the regulation, as “information collected by an business operator during the sale of products or provision of services, that can, on its own or in combination with other information, identify a consumer.” Such a definition obviously excludes application of the CRPL and this regulation to the corporate information, which is generally in line with the data privacy regulations found in most developed countries.
The SAIC has gone on to provide some examples of personal information to clarify its definition – these are listed in the regulation as “a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, consumption habits, and other information collected by business operators during their provision of goods and services that may independently or in combination with other information identify consumers.”
Clearly, foreign and local entities, conducting business in China, will need to keep this relatively new area of Chinese law in mind, when carrying out daily activities. Further, it is vital that businesses review data privacy practices when engaged in mergers or acquisitions, or any kind of corporate restructuring involving Chinese based entities, to ensure that this area of the law is complied with, or breaches are identified at an early stage, so that they may be remedied as quickly as possible. Violating China’s data privacy rules can expose an entity to large fines (RMB500,000 or ten times illegal income) as well as civil and criminal liabilities.
ABOUT THE AUTHOR: Matthew A. Murphy
Matthew has over 20 years of China and Asia Pacific legal and business experience, focusing on Intellectual Property, Mergers & Acquisitions (including anti-trust) and International Trade. Matthew has been listed as a leading corporate/IP lawyer by various publishers such as Euromoney, Chambers and the Legal 500 and is an arbitrator with the Hong Kong International Arbitration Centre, an arbitrator and mediator with the Kuala Lumpur Regional Centre for Arbitration, and a domain name dispute arbitrator with the Asian Domain Name Dispute Resolution Centre in Beijing. Matthew is a regular contributor of articles on Chinese and IP law to major journals, and regularly teaches international IP and technology law at the post-graduate level at a number of leading universities.
Copyright MMLC Group
More information from MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.