China: The Strengthening of Online Private Information Protection
The Scope, the Prohibitions, and the Obligations
The Decision is designed to protect electronic information that may identify an individual or that involves personal privacy. To do so, it sets out prohibitions and obligations regarding such electronic information. It prohibits stealing and selling such information (including any other method of illegally obtaining or providing it), and it specifies obligations both for collecting and using personal information and for safeguarding it. In the collection and use of personal electronic information, an entity must:
- Follow the principle of legality, appropriateness, and necessity;
- Disclose the purpose, method, and scope of the collection and use;
- Obtain consent from the relevant individuals; and
- Abide by relevant laws and regulations and also contractual agreements (the collection and use of the information should not violate relevant laws and regulations and also any agreements or contracts).
In terms of safeguarding personal information, the information collected must be kept confidential with the use of technology or other similar necessary methods. The Decision provides that the information may not be leaked, modified, destroyed, sold, or illegally provided to others, and in the event that it may have been, the responsible entity must take immediate remedial measures to fix the situation. In addition, where an Internet Service Provider (“ISP”) discovers any prohibited information being released or transmitted, the ISP must immediately stop such transmission, remove the information, maintain relevant records, and report it to the authorities.
Note that an ISP that provides internet, landline or cell phone, or content publishing platform services must now require users to provide information about their true identities. However, without explicit consent or a request from the receiver, an information provider may not send commercial electronic information to the receiver's telephone, mobile phone, or personal e-mail account.
In the event of a leak or dissemination of personal or private information or where a party is being bombarded with commercial electronic information, he or she may request the ISP to take necessary measures to stop it and may also file a complaint with the authorities. Violations of the Decision could result in one or more penalties including warnings, fines, confiscation of illegal income, revocation of permits, cancellation of records, removal of the website, and civil, administrative and possibly even criminal punishments. Any individuals who violate the Decision will be prohibited from future employment in the internet service industry. In addition, all violations will be recorded in the social credibility files which are available to the public.
In addition to the responsibilities it places on entities, the Decision also requires action from the government. It provides that government authorities must take technical or other necessary measures to prevent and deal with illegal and criminal activities relating to online information. The authorities and their agencies must also uphold the confidentiality of personal digital information obtained during the performance of their duties.
China's Privacy Efforts Don’t Stop Here
This Decision marks another milestone in privacy protection legislation in China. Yet it is quite broad and lacks accurate and detailed interpretation for compliance. Foreign investors should continue to monitor for implementation rules for the Decision or any other detailed official interpretations.