Personal Information Privacy in China: An Update, Contributed by Paul D. McKenzie and Can Cui, Morrison & Foerster LLP
The People’s Republic of China (“PRC” or “China”), like many other jurisdictions, has been grappling with the issue of how to protect personal information at a time when information tools are becoming increasingly pervasive and sophisticated. PRC law has not traditionally included robust rights of privacy that can be built upon to take account of modern information technology, although certain notions of an individual right to privacy can be derived from the PRC Constitution1 and other legislation.
Growing Interest in Information Privacy in China
China still lacks a comprehensive legal framework to regulate the use and disclosure of personal information. While the introduction of a national, generally applicable information privacy law remains elusive, recent years have seen a resurgent, if piecemeal, legislative interest in the topic.
Notable recent developments at the national level include:
- The promulgation in February 2009 of an amendment to the national Criminal Law criminalizing the sale or other unlawful disclosure of personal information by government officials and employees in key industries;
- The promulgation in December 2009 of a new Tort Liability Law that includes relatively far-reaching provisions governing data protection and privacy rights;
- The circulation for public comment in October 2009 and July 2011 of two drafts of Regulations on the Administration of Credit Reporting, governing, among other things, the establishment, operation, and administration of credit reporting agencies (“CRAs”) in China;
- The publication in 2005 and early 2011 of two non-mandatory documents focusing exclusively on the regulation of personal information protection; and
- The publication in July 2011 of draft regulations governing online businesses that include new provisions protecting the personal data of users.
Seventh Amendment to the Criminal Law2
On February 28, 2009, the Standing Committee of the National People’s Congress (“NPC”) promulgated the seventh amendment to the Criminal Law of the PRC (“Criminal Law Amendment”). The Criminal Law Amendment makes it a criminal offense:
- for employees of government institutions, or of private organizations in the financial, telecommunications, transportation, education, or medical sectors, to sell or otherwise unlawfully provide to third parties the personal data of any citizen that their employer obtained in the course of performing its duties or providing its services; or
- for any person to obtain such information by theft or other unlawful means.
If the violation is “severe”, individuals found guilty of either offense will be subject to imprisonment for up to three years and/or a monetary fine. The Criminal Law Amendment also specifically provides that organizations (such as corporate entities) that commit either offense shall be liable for a monetary fine and the responsible officers may be personally liable for criminal charges.
The Criminal Law Amendment does not define “personal data.” It also leaves unclear what types of disclosure constitute “unlawful provision,” whether and to what extent authorization by the employer and/or consent by the data subject are relevant, and what factors determine whether a violation is “severe.” Subsequent implementing regulations or interpretations of the Supreme People’s Court may provide guidance on these questions.
In the meantime, companies operating in the PRC financial, telecommunications, transportation, education, or medical sectors would be well advised to review their internal systems for preventing unauthorized disclosure of customer data and all companies looking to acquire customer databases in China should conduct thorough due diligence about the sources of such information.
Tort Liability Law3
On December 26, 2009, the Standing Committee of the NPC promulgated the Tort Liability Law. The Tort Liability Law includes the following material provisions relating to the right of privacy:
- The right of privacy is a unique type of right separate from other civil rights and interests, although the definition of privacy and the scope of the right are not described in detail.
- Infringement of the right of privacy can give rise to a private right of action for civil damages (i.e., a tort claim).
- A party whose right to privacy is infringed is entitled to claim from the tortfeasor the profits arising from the breach as well as damages for emotional harm.
- A website operator who either recognizes that a party’s privacy or other rights are being infringed through content posted on the operator’s website or who is warned of such infringement by an affected party and fails to remove the content or adopt other corrective measures, is jointly and severally liable with the party having posted the content.
- If an affected party requests registered information about the party having posted infringing content and the website operator refuses to divulge such information, the website operator itself becomes liable for the infringement.
The Tort Liability Law also addresses protection of the information privacy of medical patients. It requires medical institutions to establish and keep various types of medical records and hold such records private and confidential. A patient has the right to bring a tort claim against a medical institution or its personnel for damages resulting from the unauthorized disclosure of the patient’s medical records by the medical institution or such personnel.
On balance, the most notable aspect of the privacy provisions of the Tort Liability Law is the creation of a new private right of action allowing an individual to claim damages for breach of his or her privacy right. Past attempts to address misappropriation of personal data had to rely on attenuated references to the General Principles of the PRC Civil Law (the “General Principles”)4, but the General Principles, the PRC Constitution and other PRC civil law measures never recognized a private right of action for breach of the relatively amorphous “right of privacy.”
Future judicial and legislative interpretation of the Tort Liability Law and new legislation will further clarify the nature of this private right of action, presumably in line with the General Principles which are applied to other private rights of action. In particular, the Tort Liability Law explicitly reaffirms one of the general precepts of Chinese law – that an employer is responsible for the actions of its employees taken in the course of their employment, such that if those actions result in the infringement of an individual’s privacy right, the employer may be held liable.
Regulations on the Administration of Credit Reporting
There is currently no national legislation governing the collection and dissemination of personal credit information, although some local governments have enacted local regulations on the collection of such information.5 Typically under these local regulations, prior authorization or consent must be obtained from the person whose credit information is sought before the relevant CRA may release that information to a third party.
A draft of Regulations on the Administration of Credit Reporting (“CR Regulations”) was issued for public comment on October 13, 2009 by the Legislative Affairs Office of the State Council (“SCLAO”), China’s cabinet-level body.6
The draft CR Regulations include provisions that:
- prohibit the collection of certain types of personal information, such as information relating to an individual’s ethnicity, religious beliefs, political affiliation and medical history, as well as an individual’s genetic information and fingerprints; and
- require CRAs, before disclosing to a third party credit information about an individual or an entity, to notify the data subject of the identity of the recipient and of possible adverse effects of the disclosure and to obtain the data subject’s written consent to the disclosure.
Compliance with the CR Regulations will be primarily policed and supervised by the People’s Bank of China (“PBOC”), China’s central bank. It is worth noting that the draft regulations expressly exempt the Credit Reference Center of the PBOC from certain of the data privacy requirements.
The SCLAO issued a second draft of the CR Regulations for public comment on July 21, 2011.7 The second draft expressly limits the regulations’ scope of applicability to credit reporting activities within the information services industry, i.e., the collection, processing, sorting and publication of individuals’ and enterprises’ credit information by government agencies or by organizations with a public affairs function are not regulated. In addition, taking into consideration the significant differences between credit rating services and regular credit reporting activities, the second draft excludes provisions found in the first draft regulating credit rating activities. Furthermore, the second draft makes a greater distinction between personal credit reporting services and enterprise credit reporting services, imposing stricter capitalization and regulatory reporting obligations on entities engaged in provision of personal credit reporting services. This further highlights the Chinese government’s recognition of the need to strengthen the protection of personal information and to prevent the infringement of privacy.8
Efforts to Implement Omnibus Data Privacy Standards
China has as yet not issued a national, generally applicable information privacy law but there have been some efforts to implement general standards.
Following an initial study carried out in 2003, the PRC State Council commissioned a group of PRC legal scholars to prepare a draft national law that would focus exclusively on the regulation of data privacy. The draft Personal Information Protection Law (“Protection Law”) was finished in 2005 and published in 2006.9 The draft Protection Law provides as follows:
- entities undertaking the commercial processing of personal data would require a permit from a new “personal data administrative authority” prior to collection of personal data;
- collection of personal data by non-government entities would generally require prior consent from the data subject; and
- the administrative authority would have the power to restrict the cross-border transmission of personal data to any jurisdiction that did not provide sufficient protection to such data.
The draft Protection Law was merely a consultative document and has not been formally adopted by any part of the PRC government. Indeed, since the publication of the draft Protection Law, attempts to introduce a national privacy law appear to have remained in limbo. Proposals for such a law have been submitted to the NPC several times. None of these proposals have yet come to fruition, however.
On February 10, 2011, the Ministry of Industry and Information Technology of the PRC (“MIIT”) circulated a draft Information Security Technology – Guide of Personal Information Protection (“Guide”) for public comment.10 The Guide, which if issued would be promulgated by the General Administration of Quality Supervision, Inspection & Quarantine of the PRC and the Standardization Administration of the PRC, sets out a general principle requiring that holders of third-party personal information keep such information confidential. The individual should be notified of the manner in which his or her personal information is collected, processed and disclosed, and should have a right and opportunity to object to such collection, processing and disclosure. The individual should also have the right to request that the holder correct or delete his or her personal information. The Guide also sets forth more specific principles on how personal information may be collected, processed, used, transferred and maintained.
Notable highlights from the Guide include:
- Clarification on the definition of personal information to include any information that (i) is able to be collected and processed; (ii) relates to individuals; and (iii) by itself or in combination with other information could disclose the identity of the individual;
- An overarching principle that the holders of personal information should keep such information confidential, and a specific requirement that express consent be obtained for all third-party disclosures of personal information;
- A set of more specific principles to be observed during the collection, processing, use, transfer, and maintenance of personal information;
- Application of such principles specifically to personal data on computer networks (as opposed to other data storage media in hard-copy form);
- Restrictions on outsourcing the handling of personal information; and
- Prohibition on the export of personal information unless expressly permitted by law or otherwise approved by government authorities.
According to the Guide, personal information should only be used for the purpose stated to the individual when the information was collected, unless otherwise stipulated in law or clearly agreed to by the individual. This may present certain administrative difficulties for a company. Presumably it could be quite difficult to go back to customers after they have provided personal information in connection with a completed product purchase to obtain further consents to the use of their information. Companies would have to find the right balance in stating such purposes broadly at the outset to capture all potential uses, but not so broadly as to discourage customers from purchasing the underlying products or services.
The Guide also imposes an obligation to obtain express consent from an individual in order to disclose his or her personal information to another organization (within or outside of China). This exceeds the disclosure requirements in other jurisdictions such as the European Union (“EU”). The corresponding EU directive provides specific exceptions to its consent requirement where sharing the information is necessary to perform the contract or to satisfy pre-contractual obligations. The Guide in its current recommended form does not state any such exceptions. The Guide also does not define the term “other organizations” and therefore, interpreted literally, could even preclude transfers to affiliates of the company holding the individual’s personal information.
Of course, many companies outsource data processing (including the handling of personal information) to third-party service providers located in China. These companies would be reluctant to outsource such data processing to China-based providers if export restrictions created potential difficulties in having such data returned to them. In this regard, it is important to note that the prohibition on exporting personal data applies to any “administrator” of personal information, defined as “the natural person or legal person with the right to manage the personal information”. There is some room for interpretation, but presumably the prohibition may be understood to apply only to an entity which outsources the data processing since it has the actual right to manage the data under the primary contract with the individual.
The drafters of the Guide have attempted to pick up the proverbial regulatory “baton” by preparing the Guide as a “national standard” under China’s GB (“guobiao”) standardization system, but only as a voluntary guideline (GB/Z) lacking the force of law. By proposing that the Guide be issued as only a recommended (not mandatory) “guideline” standard, the authorities may want to “test the waters” to see how tighter privacy standards are put into practice before imposing mandatory standards. Even before the Guide is finalized and issued, we anticipate that adopting the standards contemplated in the Guide may be a useful defence for companies operating in China that face criminal charges under the Criminal Law Amendment or civil claims under the Tort Liability Law. For example, where a company is pursued for a criminal or tortious act of its employee in making use of personal data housed at the company, it should be helpful (in order to distance itself from the rogue actions of the employee) to demonstrate that the company has adopted the Guide’s standards in its internal control procedures.
Protections for Personal Information on the Internet
China has tightly regulated “Internet information services” for over 15 years but the focus of its regulatory efforts has not historically included personal data privacy.
The Provisional Regulations of the PRC on the Management of International Networking of Computer Information Networks (“Internet Regulations”)11, promulgated by the State Council on February 1, 1996 and effective on the same day, require companies and individuals to comply with Chinese laws and regulations; implement secure online systems; not engage in illegal activities; and not produce, retrieve, reproduce, or disseminate information that would hinder public security or that is obscene or pornographic. On September 25, 2000, the State Council promulgated the Measures for the Administration of Internet Information Services (“Internet Measures”)12, which took effect on the same day. Neither the Internet Regulations nor the Internet Measures include any explicit provisions addressing the protection of personal information.
On July 27, 2011, the MIIT published draft Provisions for Administration of Internet Information Services (for Public Comment) (“Internet Provisions”)13, which include provisions regulating the processing of personal information by “Internet Information Service Providers” (“IISPs”), a term which, applying the definitions in the Internet Measures, refers simply to parties providing information to Internet users over the Internet.
The Internet Provisions include the following data privacy provisions:
- Without a user’s consent, IISPs must not collect user-related information, which, either by itself or in combination with other information, can reveal the user’s identity, unless otherwise provided for by law or administrative regulation.
- IISPs may only collect users’ personal information as necessary to provide their services.
- IISPs must expressly inform users of the method, content and purpose(s) of the collection and processing of their personal information, and must not use their personal information beyond the stated purpose(s).
- IISPs must protect users’ personal information, and must not provide their personal information to any third party without the users’ consent, unless otherwise provided for by law or administrative regulation.
- IISPs must immediately take remedial measures when an Internet security event occurs that has caused or might cause a leakage of users’ personal information; when such an event has caused or might cause serious consequences, IISPs must report to the MIIT and relevant telecommunications administrative authority and cooperate with the investigations by the relevant governmental department.
- IISPs breaching these requirements are subject to sanctions that include rectification orders, warnings and/or penalties ranging from RMB10,000 to RMB30,000.
As one would expect, the restrictions on collection of personal information and the obligation of confidentiality summarized above are each qualified by the words “unless otherwise provided for by law or administrative regulation.” The data privacy obligations of an IISP must therefore be understood in the context of an IISP’s robust monitoring, record-keeping and reporting obligations under the Internet Measures and other regulations relevant to users’ online activities. Nonetheless, by covering all parties operating over the Internet, not just those in particular industries, the Internet Provisions represent a broadening of regulatory efforts beyond the more limited, industry-specific efforts that the CR Regulations and other current regulations represent. At the same time, it seems unlikely that China will promulgate, in the near future, data privacy legislation with mandatory provisions of general application to all parties collecting personal data in China.
Paul D. McKenzie is Managing Partner of Morrison & Foerster’s Beijing office. His practice focuses on a broad range of corporate transactions and regulatory compliance matters in China. Mr. McKenzie received his B.A. and LL.B. from the University of Toronto. He is admitted to practice in the Hong Kong Special Administrative Region of the PRC and British Columbia, Canada.
Can Cui is a J.D. candidate at New York University. He has over four years of U.S. patent prosecution experience. Dr. Cui’s scholarship focuses on intellectual property law. He has a B.Sc. from Peking University and a Ph.D. from Harvard University.
© 2011 Morrison & Foerster LLP
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.