China’s population exceeds 1.3 billion people, with over 40 percent of its population using the Internet. Last year, total online sales in China grew to nearly $200 billion, an increase of over 60 percent from 2011. There are signs that the value of China’s e-commerce market will soon surpass that of the United States, making China attractive to international companies in many industries. But some companies have been reluctant to enter China’s online marketplace because of the uncertain privacy and security landscape.

In an apparent effort to encourage consumer engagement in the e-commerce market and establish baseline security standards, the Chinese government has in the past several months released laws, regulations and guidelines focused on privacy and security issues. At the end of 2012, the National People’s Congress issued a law regulating the collection and use of personal electronic information. In April, the People’s Congress released draft amendments to the country’s 20-year-old consumer protection law, and China’s Ministry of Industry and Information Technology (MIIT) issued regulations governing the release of pre-installed apps on smart devices. In February, MIIT issued non-binding data privacy guidelines. In this post, we briefly summarize some of the notable takeaways from these and other initiatives.

Decision on Strengthening Protection of Online Information (the Decision)

The Decision, which was enacted in December 2012, governs businesses and organizations, including public institutions, that collect personal electronic information. “Personal electronic information” is defined as electronic information capable of identifying an individual or affecting personal privacy. The Decision includes the following provisions:

  • Organizations collecting personal electronic information must publish policies regarding their data practices.
  • Individuals must be informed of the purpose, method, and scope of data collection.
  • Organizations must obtain individuals’ consent prior to collecting personal electronic information.
  • Organizations must implement measures to protect individuals’ personal electronic information against theft, loss, and damage.
  • Organizations must refrain from selling or illegally disclosing personal electronic information.
  • Organizations must take immediate remedial measures if personal electronic information is compromised.
  • Organizations must refrain from sending commercial electronic communications to a recipient’s landline, mobile phone, or email address without consent.

Draft Amendments to Consumer Protection Law

The national legislature released draft amendments to the 1993 Law of Consumer Rights and Interests on April 28, 2013, and the amendments were open for public comment through May 31. The draft would amend almost half of the current law’s clauses to address e-commerce issues. The privacy and security amendments to the consumer protection law align with the Decision’s provisions regarding notice, consent, disclosure of personal electronic information, electronic commercial communications and the requirements for security and remedial actions. The updated consumer protection laws would also give certain associations the right to file suits against companies that infringe the rights of large groups of consumers.

Regulation of Smart Devices

In April, MIIT issued a regulation regarding smart devices that takes effect November 1, 2013. The regulation prohibits smart device manufacturers from pre-installing apps that:

1) collect or modify users’ personal information without their consent;

2) access networks without expressly notifying users and obtaining their consent;

3) affect the normal operations of a smart device or the safe operation of a telecommunications network;

4) contain content restricted by Chinese law, e.g., obscenity and anti-government speech; or

5) infringe on the safety or security of users’ personal information.

Device manufacturers must already obtain network access licenses for the devices they manufacture. The new regulation will require manufacturers to include in their applications information about the configuration of pre-installed apps and the devices’ operating systems.

MIIT’s Guidelines

On February 1, MIIT issued non-binding guidelines for organizations that collect, use, and disclose personal information through information systems. Although the guidelines do not have the force of law, they may well serve as the basis for comprehensive privacy laws or regulations or serve as a reference in enforcement actions or litigation. The guidelines require that organizations processing information that alone or in combination with other information is capable of identifying an individual do the following:

1) notify individuals of the purpose and scope of processing prior to collection;

2) obtain individuals’ consent prior to collecting information;

3) process information only as consistent with the notice given at the time of collection;

4) provide reasonable security measures to protect personal information;

5) retain information no longer than as required to meet the purposes for which it was collected; and

6) obtain express consent for the processing of sensitive data and for cross-border transfers of any personal information.


As these initiatives illustrate, China is focused on data privacy and security issues, no doubt in part to promote the growth of China’s e-commerce market. MIIT’s guidelines do not provide a definition of “sensitive data,” and it is not clear to what extent the guidelines will serve as the basis for a comprehensive data privacy law. The Decision does not specify how individual consent to data practices should be obtained, nor does it elaborate on the types of remedial measures that organizations should take when personal information is compromised. MIIT’s smart device regulation may apply only to pre-installed apps, but some wonder whether future regulations will apply to apps installed post-purchase. And we must wait to see what form the final version of the amendments to the consumer protection law, as well as any associated regulations, will take.

Companies looking to enter into or invest in the Chinese e-commerce market should of course take careful note of the current landscape to ensure that business practices align with legal and regulatory requirements. But perhaps more importantly, they should also monitor for signs of how China’s privacy and security frameworks, and enforcement of same, will take shape in the future. MIIT’s guidelines suggest that cross-border transfers may be permitted only with express consent. That, along with other privacy and security regulations, could significantly impact business models. 

Written By

Hogan Lovells

