A new law in China taking effect in March of this year will provide businesses with a clearer understanding of what types of information are protected as consumer personal information in China. This new definition will clarify companies’ obligations with respect to the use and processing of that information under other Chinese laws and regulations. A failure by businesses to recognise these new requirements can lead to onerous penalties including fines.
Currently in China, personal information, as referred to in various PRC regulations covering data protection, is defined in broad terms as any identifying information. Or, to be more precise, the rules define it as “any information associated with a user, which, either independently or when combined with other information, is able to identify such user.”
The essence of this definition, albeit with some variations, is found in various PRC laws, regulations, and non-binding standards which include data privacy provisions, here listed in date order:
the Several Provisions on Regulating the Internet Information Service Market Order (effective 15 March 2012) issued by the Ministry of Information and Internet Technology (MIIT), which is charged with regulating data privacy online;
the Decision on Strengthening Network Information Protection (effective from 28 December 2012) issued by the Standing Committee of the National People’s Congress;
the non-binding Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services on Information Security Technology (dated as effective from 1 February 2013, the Guidelines) issued by China’s Standardization Administration; and
the Provisions on Protecting the Personal Information of Telecoms and Internet Users (effective from 1 September 2013) issued by MIIT.
Additionally, the Law on the Protection of Consumer Rights and Interests (effective from 15 March 2014) (Consumer Rights Protection Law) issued by the State Administration of Industry and Commerce (SAIC, which is charged with consumer protection covering both online and offline transactions) uses the term personal information but fails to define it.
To date, the Provisions on Protecting the Personal Information of Telecoms and Internet Users (which places obligations on telecommunications business operators and Internet Information Service Providers, which include any organization operating a website) is the only binding law that has further described the definition of personal information through the use of lists of categories or examples. The list includes the following categories of identifying information: “name, date of birth, identity card numbers, address, phone numbers, account numbers and passwords.” Information about the time and place in which a user has used a service is also part of personal information.
Besides this, the Guidelines, which are not binding, provide a definition of “sensitive personal information” which is information that:
“will have an adverse impact on the subject of the information if disclosed or altered; [as] determined on the basis of the wishes of the subject of personal information who receives services and the characteristics of [a given] industry,”
and may include, for example – and here comes a partial list – “identity card numbers, mobile phone numbers, race, political views, religion, genetic information, and fingerprints.” The Guidelines do not, though, provide a list of “general” personal information, which is defined only in distinction from sensitive personal information.
Consumer protection law, however, as noted above, has up until now not included a definition of personal information, whether in a general sense, in a list, or otherwise.
The lack of a definition of personal information in the Consumer Rights Protection Law is about to change. On 15 March 2015 – Consumer Protection Day in China – the SAIC’s Measures for Punishments against Infringements on Consumer Rights and Interests (the SAIC Measures) will take effect.
The SAIC Measures define personal information in the context of consumer transactions both online and offline and, in addition to generally defining personal information as identifying information, provide the following list of data categories: “a consumer’s name, gender, occupation, date of birth, identification card number, address, contact information, status of income and assets, health status, and consumption habits.”
Notably, five categories in the list go beyond the categories found in the Provisions on Protecting the Personal Information of Telecoms and Internet Users and the Guidelines. These five categories are: gender, occupation, status of income and assets, health status and consumption habits.
The definition of personal information is a matter of particular significance because businesses must treat personal information they collect and use in accordance with their obligations under applicable law. Specifically, under the SAIC Measures and the Consumer Rights Protection Law, businesses must, when collecting and using personal information:
Observe the principles of lawfulness, rationality and necessity;
Expressly state the purposes, methods and scope of collection and use;
Obtain the consumer’s consent;
Adopt measures to keep personal information secure;
Take immediate remedial action in the case of any disclosure or loss of personal information;
Make public the rules of data collection and use adopted by the business; and
Observe the provisions of applicable laws and regulations and any additional terms separately agreed between the consumer and business.
Businesses must not:
Collect or use personal information without the consumer’s consent;
Disclose, sell, or illegally transfer personal information to third parties; or
Send commercial information to the consumer if the consumer has neither agreed to receive it, nor asked for it, or the consumer has communicated clearly that it does not want to receive it.
These SAIC consumer protection data privacy requirements are generally consistent with, though do not completely reflect, the requirements found in other data privacy legislation in China.
A failure to comply with the above requirements, whether stemming from the Consumer Rights Protection Law or the SAIC Measures, is subject to the varied and potentially onerous penalties set out in Article 56 of the Consumer Rights Protection Law (except in those situations where the penalty for a failure to comply is set out in another relevant law or regulation).
Under Article 56, the SAIC can punish non-compliant businesses with an order for remediation and one or more of the following penalties:
A warning;
Confiscation of illegal gains;
A fine of 1 to 10 times the amount of illegal gains, or if there are no illegal gains, up to a maximum of RMB 500,000 (approx. USD 80,000 or GBP 52,500); and
In serious circumstances, closure of the business for remediation or revocation of the company’s business license.
Such penalties are separate from any civil liabilities that may also arise due to the compliance failure.
The SAIC Measures define and clarify which categories of information are protected as consumer personal information in China. It is an expansive list that covers more categories, but not exactly the same categories, as the Provisions on Protecting the Personal Information of Telecoms and Internet Users and the Guidelines. Under a best practices model, each of these lists will need to be taken into account in formulating a business’s data privacy policy.
Businesses should keep up to date with this and other developments in this area of law and be vigilant in adopting and implementing compliant data collection and use policies. This will help them meet the government’s call to protect consumers’ rights and interests and also avoid the potentially harsh penalties for non-compliance.
Updated on March 11, 2015
Authored by Jun Wei, Sherry Gong, and Nolan Shaw.