China's Government Ministries Commence Audit of Major Consumer Applications for Data Protection
The PRC Cyber Security Law came into operation on 1 June 2017. This has led businesses all over China and abroad to revisit their data collection, management and disclosure systems and procedures.
China has been paying a lot more attention to the protection of personal information, particularly in relation to the online world. This is reflected in the PRC Cyber Security Law (“the Law”), which became effective on 1 June 2017 and includes a chapter stipulating the basic legal system on personal information protection by highlighting the responsibility and obligation of network operators to protect personal information.
In accordance with the Law, personal information is defined as “various information which can be used alone or in combination with other information to identify natural persons recorded electronically or otherwise, including but not limited to natural person's name, date of birth, identity document number, personal biometric information, address, contact information and so on”. Network operators, which refers to owners, operators, and service providers of networks, shall bear the following responsibilities:
1. the collection and use of personal information must comply with the principles of being lawful, just and necessary; the purpose must be clear and prior consent must be obtained from the users;
2. having a report and notification system for the occurrence of any incident such as a leak, damage or loss of personal information;
3. the users are entitled to require the network operators to delete and correct their personal information; and
4. keeping personal information confidential.
On 24 August, when the Law had been in force for only 85 days, a review team established by China’s top internet regulators, including the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Standardization Administration, announced that it had finished its first round of checks on the implementation of the Law by China’s major network operators in terms of their personal information protection responsibilities.
The initial examination focused on whether the privacy policies of ten popular mobile applications such as WeChat, Sina Weibo, Taobao, JD Mall, Alipay, Amap, Baidu map, DiDi, Umetrip and Ctrip comply with the requirements of the Law, on regulating their behavior in the collection, preservation, use and transfer of personal information, and on urging the rectification of illegal terms in their privacy policies. The problems found included the following: users of some of the applications were not allowed to cancel their own accounts, personal information was not deleted within a reasonable period for receipt, and the privacy policies of some network operators were not easy for users to understand.
According to the review team's experts' interpretation of how to comply with the requirements on personal information protection provided by the Law, the privacy policies must be explained explicitly to users, and the users are able to select “agree” or “disagree” on the privacy policies after fully understanding them. Although the inspection has been completed, the inspection results will be published in late September this year in order to leave time for these network operators to correct their improper behavior and policies in relation to the handling and management of personal information.
It is noted that shortly after this news release was issued by the government departments, JD, Taobao and Alipay adjusted their privacy policies accordingly. The new versions of their privacy policies are much clearer in terms of the purposes for collection and use of personal information. In addition, JD has established a 30-day cooling-off period during which users are allowed to cancel their accounts.
Unlike other countries and regions, China has not yet established a specialized privacy/data protection law. The relevant legal bases for personal information protection and management are scattered across many laws and regulations including the Cyber Security Law, The Constitution, General Provisions of the Civil Law, the Criminal Law, Administrative Measures for the Security Protection of Computer Information Networks Linked to the Internet, the Law on Resident Identity Cards, the Law on the Protection of Consumers Rights and Interests, Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Cases involving Civil Disputes over Infringements upon Personal Rights and Interests through Information Networks, Provisions on Protecting the Personal Information of Telecommunications and Internet Users and the Law.
ABOUT THE AUTHOR: Xia Yu
Xia Yu is a Partner in the MMLC Group.
Copyright MMLC Group