China is one of the few major countries in Asia without a comprehensive law regulating the use and handling of personal information. Instead, data privacy is governed by way of a regime that includes the constitution, criminal law, civil law, tort law and some sector-specific regulations.
Concepts such as "personal information" and "consent" are not well defined, so protection of data privacy on the mainland is piecemeal at best. In addition to this, the exact obligations of those who use personal data are vague and unclear.
This ambiguity, however, has been significantly addressed by China's recent issuance of a standard named "Information Security Technology - Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems". These guidelines, which came into effect on February 1, have not only shed some much-needed light on China's data privacy regime, but have also paved the way for more comprehensive regulation in future.
How significant is this move?
The new guidelines represent China's first serious attempt to define data privacy concepts for more general application. That said, their scope is still limited, as they cover only personal data in computer networks and apply only to the private sector.
More importantly, the guidelines serve only as a voluntary national standard and do not have the force of law. Compliance is not mandatory. In practice, however, local authorities and courts may use them for reference, and they are expected to serve as an important reference when China enacts its own comprehensive data privacy law.
What do the guidelines say?
The guidelines define personal information as information related to an individual (a "subject") that may be processed by an information system and which, either alone or in combination with other information, can identify that individual. Anyone who holds and manages such information (an "administrator") or who receives that information (a "recipient") must comply with the following requirements before handling it:
- Collection: Before collecting personal information, the administrator must first satisfy notification requirements by providing the subject with specific information about its intended handling - such as the purpose of the handling, the scope of its intended use, security measures, retention periods and details of any potential transfer of the information. The administrator must also obtain the subject's consent to the handling of the information. Implied consent is permitted in some cases, but where sensitive information is involved, such as ID numbers or fingerprints, express consent is required.
- Processing: The administrator must process information in accordance with the notifications issued to the subject. They also have the duty to ensure the completeness and accuracy of the information, and to allow the subject access to and correction of their personal information upon request.
- Transfer: Any transfer of personal information by the administrator to other parties is subject to consent and notification requirements. For any transfer outside the mainland, express consent from the subject is required unless the transfer is authorised by law or permitted by the authorities.
- Retention and deletion: The administrator or recipient must delete the personal information when the purpose of handling it is complete, as well as at the request of the subject or upon expiry of the retention period explained to the subject.
What should firms do now?
At the same time the guidelines were released, the government also announced the creation of the Personal Information Protection Alliance, which is expected to play a key role in regulating the data practices of businesses. Hence, it appears that China is preparing to strengthen its data privacy regime and a comprehensive law cannot be very far behind. Time is therefore of the essence for companies in China to align their data privacy practices with the guidelines by reviewing internal data privacy and security practices, updating customer take-on documents, reviewing data transfer arrangements, developing internal data privacy protocols, and training staff in data privacy.