Privacy and Data Protection in China - Latest Developments
[With] the new Chinese Cyberlaw, as well as recent proclamations by the Supreme People's Court and other Chinese government agencies working in this area, China clearly is developing a system that is comparable to many developed nations in this important area.
Currently, China does not have a national and systematic law on personal information protection, however, the legislative framework for personal information protection has been formed and is located in several instruments. Provisions relating to personal data protection are provided by various laws and regulations, such as Criminal Law, General Provision of Civil Law, Judicial Interpretations issued by Supreme People’s Court and Supreme People’s Procuratorate, and the new launched Cybersecurity Law, and so on. The legislation tries to protect personal data via criminal strikes, civil relieves and administrative supervision. The current main laws and regulation on personal information protection in China as follows:
● The Decision on Strengthening Information Protection on Networks (Effective Date: 28 December, 2012)
● The Guidelines for Personal Information Protection within Public and Commercial Services Information Systems (Effective Date: 1 February, 2013)
● The Provisions on Protecting the Personal Information of Telecommunications and Internet Users (Effective Date: 1 September, 2013)
● Administrative Regulations on the Credit Reporting Industry (Effective Date: 15 March 2013)
● Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (Effective Date: 10 October, 2014)
● The Consumer Rights Protection Law of PRC (Effective Date: 15 March, 2014)
● 9th Amendment Criminal Law of PRC (Effective Date: 1 November, 2015)
● Cybersecurity Law of PRC (Effective Date: 1 June, 2017)
● Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate of the Issues concerning the Specific Application of Law in Handling Criminal Cases of Infringement Citizens’ Personal Information (Effective Date: 1 June, 2017)
The Criminal Law Protection for Personal Information
In August 2015, Article 253 of the 9th Amendment Criminal Law of PRC was updated by the National People’s Congress Standing Committee, the provision prohibits sale or illegal provision of citizens’ personal information. (Article 253 of 9th Amendment Criminal Law: Whoever, in violation of relevant provisions of the State, sells or provides the personal information of the citizens to others with serious circumstances shall be sentenced to an imprisonment not more than three years or criminal detention and concurrently or separately sentenced to a fine; under specially serious circumstances, he shall be sentenced to an imprisonment not less than three years but not more than seven years and concurrently sentenced to a fine.)
The General Provision of Civil Law Protection for Personal Information
General Provision of Civil Law, which was passed on 12 March 2017, firstly separates “personal information rights” from privacy rights, and in Article 111 provides that “The personal information of natural persons is protected by law, and no organization or individual may illegally collect, use, process or transmit personal information, or illegally provide, disclose or sell personal information.” The innovation for the personal data protection is deemed as one of the highlights of the General Provisions. In the past, civil law only protects privacy right, however, personal data and information is different from privacy, it owns both personality and property features. The new General Provision of Civil Law brings personal information into the civil rights, and definitively states that personal information will be protected by Civil Law.
New Development on Protection for Personal Information
Besides, the Cybersecurity Law, which was passed on 7 November 2016 and took effect on 1 June 2017, stipulates requirements in detail for personal information protection to both Chinese companies and international organizations which are doing business in China. The law focus on protecting personal information and individual privacy, such as:
● Network product and service providers that collect users’ information are required to inform and obtain consent from the users;
● Network operators are required to collect and use personal information in a legal and proper manner;
● Individuals and organizations must not steal or use other illegal means to obtain personal information;
● Network operators must gather and store personal information in accordance with the Law, administrative regulations and their agreements with users;
● Network operators must not disclose, tamper with or destroy collected personal information;
● In an instance where a network operator has violated the Law’s provisions, individuals have the right to request the operator to delete their personal information;
● Departments with legal responsibilities for cybersecurity supervision must ensure that all personal information obtained is kept confidential.
In addition, Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate of the Issues concerning the Specific Application of Law in Handling Criminal Cases of Infringement Citizens’ Personal Information also took effect on 1 June 2017. The Interpretation defines “personal information” should cover name, ID number, personal contact, addresses, account password, information on property and personal whereabouts. Besides, the Interpretation stipulates that any leak, sale or collecting of personal information without consent will be subject to Article 253 of the Criminal Law. Moreover, the Interpretation defines “severe circumstances” under Article 253 of the Criminal Law, such as:
● illegally obtaining, selling or providing 500 items of data about people’s location, the contents of their communications, their credit information and their property information;
● illegally obtaining, selling or providing 5,000 items of communications records, accommodation data, health data or transaction information;
● illegally obtaining, selling or providing 50,000 items or more of personal information, or making more than RMB 5,000 (US$ 725) from the sale of such stolen personal data.
Although China has already adopted a large number of legislations to strengthen the protection of personal information, the relevant legal experts suggest that the state should continue to establish a unified law on personal information protection, and clearly define the law enforcement standards, and set up the special personal information protection department to handle information disclosure, telecommunications fraud and other related actions.
ABOUT THE AUTHOR: Sarah Xuan and Matthew Murphy
Sarah Xuan and Matthew Murphy are with the MMLC Group.
Copyright MMLC Group
More information about MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.