
POLICY EXPLANATION: China Strengthens Personal Information Protection

In recent years, protection of personal information and privacy has become a widespread social concern in China. Over the past year, China has introduced a raft of regulatory initiatives in the realm of personal information protection that will have a significant impact on I.T., telecommunications, e-commerce, financial institutions, and other businesses that might have access to, collect, or use personal information of consumers and the public.

 


 

On 28 December 2012, the Standing Committee of the National People’s Congress (NPC) of China passed the Resolution on Strengthening the Protection of Information on the Internet (referred to as the Resolution).

 

On 16 July 2013, China’s Ministry of Industry and Information Technology (MIIT) released the Rules on Protecting Personal Information of Telecommunication and Internet Users (referred to as the Rules). The Rules, which took effect on 1 September 2013, are intended to implement the general provisions set forth in the Resolution. In the meantime, MIIT released the Information Security-Technology Guidelines for Personal Information Protection within Public and Commercial Services Information Systems on 21 January 2013. Back in late December 2011, MIIT issued Several Regulations on Standardizing Market Order for Internet Information Services.

 

The Resolution contains extensive requirements applicable to the collection and processing of electronic personal information via the Internet. In the meantime, the Rules are the first specific regulations concerning personal information protection by telecommunications service providers in China. The Rules are expected to greatly strengthen the protection of personal privacy online.

 

Both China's Criminal Law and the Tort Liability Law have provisions on the protection of personal data. For example, they prohibit anyone who has access to personal information from selling or otherwise unlawfully providing third parties with personal data of any Chinese citizen. The Criminal Law forbids any person from obtaining the personal information of any person by means of theft or other unlawful actions. A person whose personal data has been unlawfully used or disclosed may also take civil action under the Tort Liability Law for infringement of privacy. The challenge is that there has been insufficient detailed interpretation or implementing regulation on the application of these provisions in the Criminal Law and Tort Liability Law, so they have not been frequently relied upon as an effective legal remedy.


The Resolution

The Resolution stipulates two broad principles that can be widely applied to the protection of personal data on the Internet in the future: (1) the state will protect electronic information that can identify individuals and implicate their private affairs, and (2) no organization or individual may misappropriate or otherwise obtain electronic personal information by unlawful means, or sell or otherwise unlawfully provide it to other persons.

Moreover, the Resolution sets forth a number of requirements that are more specifically directed at Internet Service Providers (ISPs) and other businesses that handle electronic personal information, including:

• ISPs and other businesses must adopt and comply with rules for their collection and use of electronic personal information, and make the rules publicly known.

• ISPs and other businesses must clearly state the purpose, means and scope of their collection and use of electronic personal information, and obtain the consent of the data subject for such collection and use.

 

• ISPs and other businesses must maintain electronic personal information in strict confidentiality.

• ISPs and other businesses must not divulge, alter or destroy electronic personal information obtained in the course of their business activities, and may not sell it to other persons.

• ISPs and other businesses must adopt information security safeguards, and must take immediate remedial measures when they discover users distributing information illegally.


The Rules

The Rules apply to the collection and use of users’ personal information during the provision of telecommunication services and Internet services in China. The concept “user’s personal information” is defined as any information collected during the provision of telecommunications or Internet information services that is capable of identifying the user if used alone or in combination with any other information. The Rules were rolled out to better regulate the collection and use of personal information, information security measures, and supervision and inspection by relevant authorities.
 

According to the Rules, a user’s personal information includes the user’s identification information such as name, birth date, ID number, and address, plus the user’s login information such as account number, login time and login location.
 

The Rules provide that the collection and use of personal information of telecommunication and Internet users must be done on a legal, justified, and necessary basis. Moreover, without the user’s consent, the telecommunication operators and Internet service providers are not permitted to collect and use the user’s personal information.

Specifically, the Rules require telecommunication operators and Internet service providers to prevent disclosure, damage, and loss of personal information by taking specific measures in the following aspects:

• Limiting access to users’ personal information to certain authorized employees only;

• Establishing management systems and security protocols;

• Maintaining records of staff who handle user information;

• Establishing internal policies on data collection and use; and

• Providing staff training on personal information protection.

Telecommunication operators and Internet service providers are also required to observe the following rules regarding the collection and use of personal information of users:

• When collecting or using personal information, obtaining the consent of the user;

• Clearly informing users of the purpose, methods and scope for which the information is being collected or used, as well as the retention period for the information;

• Only collecting/using information necessary to provide the services;

• When collecting/using personal information, not violating any laws or agreements with the user nor using it in a fraudulent, misleading or coercive manner;

• Keeping strictly confidential all personal information collected and used during the course of provision of services and not divulging, altering, destroying, or selling such information, or unlawfully providing such information to third parties; and

• Supervising and managing the performance of third-party processors of personal information.

 

Suggestions for Foreign Businesses

For the purpose of legal compliance, the recent legislation has important business implications for foreign companies doing business in China, including many commercial websites. It is advisable that they pay sufficient attention to these new developments and establish internal rules with regard to the collection, processing, and use of personal information of their employees in China. In order to reduce possible misuse of personal data, the following measures will be useful:

• Keeping each employee informed when collecting personal data and stating the purpose for collecting such data.

• Obtaining the employee’s written consent to the company's collection, processing, and use of personal data.

• Implementing security measures for maintaining confidentiality of personal data such as limited access by specified personnel only.

• Limiting the use of personal data collected to the specified purpose only.

• Regularly reviewing the internal rules on employee data protection to identify defects and make improvements accordingly.

• Keeping pace with the latest legislation and regulatory initiatives.

• Maintaining a regular internal training programme on personal information.


Conclusion

In early August 2013 a British citizen, who had been operating an investigation and consultation business in Shanghai since 2004, was arrested by the police during a crackdown campaign on personal information crime. He reportedly collected, purchased or otherwise illegally obtained personal information that he used to compile credit reports, which he sold to his clients. This raises a red flag for international business operations in China: collecting, storing, using, processing, and disclosing personal information can be an extremely tricky operation that might trigger legal consequences these days. Foreign businesses engaged in relevant industries must beef up their compliance efforts and programmes in this regard in accordance with the latest legal developments.
Copyright 2024 BusinessTianjin.com. All rights reserved.