China Continues Efforts to Expand Consumer Privacy Protections
By Paul McKenzie, Gabriel Bloch, and Jingxiao Fang, Morrison & Foerster LLP
After a flurry of legislative and administrative initiatives over the past six months to strengthen privacy protections in the telecommunications, internet, and credit-related sectors, China’s legislature now appears to be setting its sights on crafting broader consumer privacy protections. On April 28, the National People’s Congress (NPC) released for public consultation draft amendments to the Law on the Protection of the Rights and Interests of Consumers (“Consumer Protection Law”).1 If approved, these amendments would be the biggest amendments made to the Consumer Protection Law since its adoption in 1994.
In addition, efforts continue to strengthen protections in the telecommunications and internet sectors, particularly with respect to the use of mobile devices, sending spam text messages, and the collection of personal information in the education context. The Decision on Reinforcing the Protection of Network Information (“Decision”), issued by the Standing Committee of the NPC on Dec. 28, 2012, set the stage for the Ministry of Industry and Information Technology (MIIT) to issue draft implementing rules that, if approved, would require telecommunications business operators and internet information service providers to fulfill privacy-related obligations such as notice, consent, and data security.2 Since then, MIIT has continued to issue new rules, opinions, and initiatives that address specific issues raised by the Decision. Most recently, MIIT has issued in final form new rules that regulate the collection of personal information through mobile devices and has launched an initiative to crack down on spam text messages. MIIT also has issued opinions that prohibit telecommunications companies from illegally collecting personal information of students and teachers and sending them materials without their consent.
Consumer Protection Law Highlights
The draft amendments to the Consumer Protection Law would clarify that consumers have a right to privacy, dignity, and respect for ethnic customs and practices, and to have their personal information such as name and image protected when purchasing or using a good or receiving a service. A business operator who infringes these rights would have to cease such infringement, rehabilitate the user’s reputation, take actions to mitigate negative effects, apologize, and indemnify the user for losses. In addition to civil liabilities, governing authorities and penalties specified in relevant laws and regulations would apply. If the laws and regulations were silent, industrial and commercial authorities or other relevant administrative authorities could order rectification and, based on the circumstances, impose one or more of the following penalties: a warning, confiscation of unlawful income, or a fine of more than one time and less than 10 times the unlawful income. Where there is no unlawful income, a fine of less than ¥500,000 (about $81,584) would have to be imposed. Where laws and regulations were seriously violated, the business operator would have to be ordered to cease business until the problem had been rectified, or have its business license revoked.
Other privacy law principles incorporated into the draft include:
- The collection and use of consumers’ personal information would have to be on the basis of informed consent, and consumers would have to be notified about the purpose, method, and scope of the data collection.
- Business operators would have to adhere to the principles of legality, legitimacy, and necessity when collecting or using consumers’ personal information.
- Business operators would have to adopt rules and regulations governing their collection and use of the personal information that is made publicly available.
- Business operators and their staff would be required to keep consumers’ personal information in strict confidence and could not divulge, tamper with, or damage such information, and could not sell or illegally provide such information to third parties. Business operators would have to adopt technological and other measures as necessary to secure the safety of the information, and prevent it from being divulged, damaged, or lost. In the event that personal information had been or could be divulged, damaged, or lost, the business operator would have to immediately take remedial actions.
- Without a consumer’s consent or request or if a consumer had expressly refused, business operators could not send electronic commercial information to the consumer.
The deadline for feedback and comments to the draft Consumer Protection Law was May 31. Public consultation is an increasingly important part of the legislative process. Once the Commission of Legislative Affairs of the Standing Committee of the NPC has received comments, there could well be relatively significant changes to the draft. Some commentators are predicting the law will be finalized by year-end, but predictions can be difficult.
The following provides an overview of recent initiatives in the telecommunications, internet, and credit-related sectors.
- Circular on Strengthening the Administration of Network Access of Mobile Intelligent Terminals (Issued April 11; effective Nov. 1, 2013).3 This circular will prohibit production enterprises from pre-installing application software with a feature to collect or amend users’ personal information in “mobile smart terminals” (a term that includes mobile handsets, tablets, and other mobile devices that can access public communications networks) without expressly indicating or asking for consent from such users. The circular will also prohibit production enterprises from pre-installing other software that may infringe upon the safety of users’ personal information or endanger the safety of the network and its information.
- Circular on Carrying out a Special Operation for Cracking Down on Spam Text Messages (Issued and effective April 7, 2013).4 A special operation to crack down on spam text messages will last from April 2013 to December 2013. Based on the relevant work plan, the MIIT will draft the Provisions for Administration of Text Message Communication Services and amend relevant technology standards. Basic telecommunications service providers are required to upgrade their spam message disposal platforms and standardize the subscription and cancellation of commercial text messages. Without the informed consent of subscribers, or if a subscriber has expressly refused, telecommunications enterprises may not send commercial text messages to subscribers. However, these regulations, like the regulations for email advertising,5 do not distinguish clearly between spam messages and reasonable commercial communications. The MIIT regulations also call for the establishment of a mechanism to enable the discovery, reporting, disposal, and monitoring of spam text messages.
- Opinions on Further Regulating the Market Operation Activities of Telecommunications Operation Enterprises in Campus Telecommunications Businesses (Issued and effective April 3, 2013).6 Under these opinions, telecommunications enterprises are prohibited from illegally obtaining personal information of teachers, students, or their parents. Without the consent of teachers, students, or their parents, telecommunications enterprises may not mail subscriber identity module (SIM) cards or business materials to them.
- Information Security Guidelines for Protection of Personal Information Within Information Systems for Public and Commercial Services (Issued and effective Feb. 1, 2013).7 The guidelines, issued as a “national standard” under China’s GB (“guobiao”) standardization system, encompass the full range of obligations found under most omnibus data protection laws and encompass all of the Fair Information Principles as well as some additional obligations. Although these guidelines are not mandatory, they will serve as an important reference for companies seeking to develop best practices in order to comply with existing People’s Republic of China legal provisions that pertain to data privacy.
- Credit Reporting Regulations (Approved in December 2012 and effective March 15, 2013).8 The regulations impose a number of obligations upon credit reporting agencies (CRAs) and other entities with regard to their collection and use of personal information in the course of their business operations.