China Publishes Draft Privacy Guidelines
Gastón Fernández (Associate), Hogan Lovells, Beijing, PRC, contributed this entry
While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People's Republic of China has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology -- Guide of Personal Information Protection (the "Guidelines", issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.
Currently applicable laws and regulations
In the absence of comprehensive PRC laws or regulations on personal information protection, businesses have had little guidance on the types of activities which are permissible. Generally, the Constitution of the People's Republic of China ("PRC Constitution") sets forth rights which have been interpreted by academics as establishing an individual right to privacy. Article 40 of the PRC Constitution provides that a citizen's freedom of communications and privacy of communications are protected by law. Article 38 of the PRC Constitution sets forth a general right of citizens to be free from infringements on their dignity, and protects citizens from defamation, false accusations and insults. These articles have been interpreted as the foundation for a general right to privacy which is briefly mentioned in various PRC laws and regulations. For example, the seventh amendment to the PRC Criminal Law (effective 28 February 2009) added the criminal offenses of illegally providing and illegally using personal information of PRC citizens. Both individuals and legal entities may be found guilty of the offenses: legal entities may be liable for fines, and responsible individual management personnel may be subject to fines and imprisonment and/or probation for up to 3 years. Despite potentially harsh penalties, little regulatory guidance has been given on the types of behavior which are illegal when collecting and processing personal information. Although a draft Personal Information Protection Law ("Draft Privacy Law") was published in late 2006, it remains under review and has not been enacted. The draft Guidelines would partially fill this void, but in many ways could present compliance challenges for businesses.
Key features of the draft Guidelines
The draft Guidelines could have widespread effects on the way multinational corporations operate in China. By broadly defining "personal information", granting data subjects broad rights relating to personal information and tightly limiting the ability of data processors to transfer information, compliance with the draft Guidelines could prove costly and time-consuming.
The draft Guidelines would apply to all use of computer systems in processing personal information, including the collection, processing, transfer, use, prevention of access and deletion of personal information. Personal information is also broadly defined as any information which independently or together with other information enables identification of the data subject. The definition of personal information is broad enough to conceivably cover any type of information relating to a person.
The draft Guidelines provide general principles for processing personal information. The purpose and use of collecting personal information should be clear and reasonable. Data processors should notify data subjects in plain language of: (1) the purpose of collecting the personal information and the scope of use, (2) the period of storing the information, (3) information protection policies in place to safeguard the information, (4) the rights of the data subject, (5) the individual responsible for data processing, and (6) other relevant information. Personal information should not be collected or processed without the informed consent of the data subject.
Rights of data subjects
Under the draft Guidelines, data subjects would have broad rights in relation to their personal information held by data processors, including:
(a) Right to confidentiality
(b) Right to knowledge
(c) Right to opt out, change data or prohibit use
Prohibition on collecting personal information of children without their guardian's consent
Irrelevant personal information should not be collected
The Guidelines prohibit data processors from collecting information which is not directly connected to the stated purpose, especially information relating to ethnicity, religious belief, genetic information, fingerprints, health condition or sex life.
Transferring personal information
The draft Guidelines take a restrictive position on the transfer of personal information between data processors and could create difficulties for multinational corporations relying on third party data processing companies or routinely passing information between affiliates.
(d) Presumption against transfer to third parties
(e) Presumption against allowing cross-border transfer of personal information
(f) Use of personal information following mergers or acquisitions
The preface to the draft Guidelines notes that a number of domestic internet and software companies and industry associations were consulted in the course of preparing the draft, and the text appears to have been primarily prepared considering online collection of data from internet users. However, the draft Guidelines would potentially apply to virtually any company: for example, employers with digital records on employees, or financial institutions and insurers with records on their customers. While the general principles relating to informed consent and consumer protection are reasonable, the extent of proposed restrictions on transfer of personal information between entities and internationally could unnecessarily raise compliance costs. As further steps are taken toward enacting regulations on personal data privacy, regulators should consider the practical costs of implementation and the wider impact that rules in this area will have on companies doing business in the PRC.