
New data privacy standard signals change ahead in mainland China

China is one of the few major countries in Asia without a comprehensive law regulating the use and handling of personal information.  Instead, data privacy is governed by way of a regime that includes the constitution, criminal law, civil law, tort law and some sector-specific regulations.

Concepts such as “personal information” and “consent” are not well defined, so protection of data privacy on the mainland is piecemeal at best.  In addition to this, the exact obligations of those who use personal data are vague and unclear.

This ambiguity, however, has been significantly addressed by China’s recent issuance of a standard named “信息安全技术 – 公共及商用服务信息系统个人信息保护指南” (“Information Security Technology – Guidelines for Personal Information Protection within Public and Commercial Services Information Systems”).  These guidelines, which came into effect on 1 February 2013, have not only shed some much needed light on China’s data privacy regime, but have also paved the way for more comprehensive regulation in future.

How significant is this move? 

The new guidelines represent China’s first serious attempt to define data privacy concepts for more general application.  That said, their scope is still limited, as they cover only personal data in computer networks and apply only to the private sector.

More importantly, the guidelines serve only as a voluntary national standard and do not have the force of law.  Compliance is not mandatory.  However, in practice, it is possible that they may be used for reference by local authorities and courts, and it is expected that they will serve as an important reference when China enacts its own comprehensive data privacy law.

What do the guidelines say? 

The guidelines define personal information as information related to an individual (a “subject”) that may be processed by an information system and which, either alone or in combination with other information, can identify that individual.  Anyone who holds and manages such information (an “administrator”) or who receives that information (a “recipient”) must comply with the following requirements before handling it:

  • Collection: Before collecting personal information, the administrator must first satisfy notification requirements by providing the subject with specific information about its intended handling – such as the purpose of its handling, the scope of its intended use, security measures, retention periods and details about any potential transfer of the information.  The administrator must also obtain consent from the subject for handling the information.  Implied consent is permitted in some cases, but where sensitive information is involved, such as ID numbers or fingerprints, express consent is required.
  • Processing: The administrator must process information in accordance with the notifications issued to the subject.  The administrator also has a duty to ensure the completeness and accuracy of the information, and to allow the subject access to and correction of their personal information upon request.
  • Transfer: Any transfer of personal information by the administrator to other parties is subject to consent and notification requirements.  For any transfer outside mainland China, express consent from the subject is required unless the transfer is authorised by law or permitted by the authorities.
  • Retention and deletion: The administrator or recipient must delete the personal information when the purpose of handling it is complete, as well as at the request of the subject or upon expiry of the retention period explained to the subject.

What should firms do now? 

At the same time the guidelines were released, the government also announced the creation of the 个人信息保护推进联盟 (Personal Information Protection Alliance), which is expected to play a key role in regulating the data practices of businesses.  Hence, it appears that China is preparing to strengthen its data privacy regime, and a comprehensive law cannot be very far behind.  Time is therefore of the essence for companies with any presence in China to align their data privacy practices with the guidelines by reviewing internal data privacy and security practices, updating customer take-on documents, reviewing data transfer arrangements, developing internal data privacy protocols and training staff in data privacy.

◊ ◊ ◊

For information on data privacy changes in Hong Kong, please visit the relevant article on the Hong Kong Personal Data (Privacy) (Amendment) Ordinance in our December 2012 issue of Media Intelligence.

If you have any questions in relation to the above, please contact Scott Thiel at scott.thiel@dlapiper.com.

Permanent link to this article: https://blogs.dlapiper.com/mediaandsport/2013/04/new-data-privacy-standard-signals-change-ahead-in-mainland-china/