China takes a step forward in data privacy?
The mainland is one of the few remaining major markets in Asia without a comprehensive law regulating the use and handling of personal information. Data privacy is governed by way of a regime consisting of the constitution, criminal law, civil law, tort law and some sector-specific regulations. Fundamental concepts such as "personal information" and "consent" have not previously been well defined and, as such, the protection of data privacy on the mainland is piecemeal at best.
In addition to this, the exact obligations on users of personal information are vague and unclear.
This ambiguity has recently been significantly addressed by the mainland's issuance of the "Information Security Technology - Guidelines for personal information protection system for public and commercial services". The guidelines, which came into effect on February 1, not only shed some much-needed light on the mainland's data privacy regime, but also pave the way for more comprehensive regulation in future.
What is the significance of the guidelines?
The guidelines represent the mainland's first significant attempt at defining data privacy concepts for more general application. That said, their applicability is still limited, as they only cover personal information in computer networks. Furthermore, the guidelines only apply to the private sector as government authorities and other institutions exercising public management responsibilities are excluded.
More importantly, the guidelines only serve as a voluntary national standard and therefore do not have the force of law - thus compliance is not mandatory.
However, in practice, given the guidelines' never-before-seen detail on data privacy concepts, it is possible that they may be used for reference by local authorities and courts in cases concerning similar concepts. As such, the guidelines are not necessarily devoid of legal significance.
Also, it is expected that these guidelines will serve as an important reference in lawmaking, when the mainland enacts its own comprehensive data privacy law.
What do the guidelines say?
Briefly, the guidelines define "personal information" as information related to an individual ("subject"), which may be processed by an information system and which, either alone or in combination with other information, can identify that subject.
Any person who holds and manages such information ("administrator") or a recipient of the same ("recipient") must comply with the following requirements before handling personal information:
Collection - Before collecting personal information, the administrator must first satisfy notification requirements by providing the subject with specific information about its intended handling. Examples include the purpose(s) of handling, the scope of the intended use, security measures adopted, retention periods, and details about any potential transfer of the personal information. The administrator must also obtain consent from the subject for the handling - while tacit/implied consent is allowed in some cases, where the sensitive personal information is involved, such as ID numbers and fingerprints, expressed consent will be required.
Processing - The administrator must process personal information in accordance with the notifications made to the subject. It also has the duty to ensure completeness and accuracy of the personal information, and allow the subject access to and correction of his/her personal information upon request.
Transfer - Any transfer of personal information by the administrator to other parties are subject to consent and notification requirements. For any transfer outside the mainland, expressed consent from the subject is required, unless the transfer is authorised by law or permitted by authorities.
Retention and deletion - The administrator or receiver must delete the personal information when their handling purpose(s) are completed, as well as upon request from the subject or expiry of the retention period as notified to the subject.