The business case for understanding Chinese privacy law is clear. With China's growing economic power and large consumer base, any international company that wants to do business with Chinese consumers needs to understand what succeeding in that market requires. Privacy officers in particular must pay close attention to how privacy law is developing in China, both to keep up with current requirements and to stay ahead of the curve by proactively implementing strategic policies.
This three-part series will provide a basic privacy practitioner’s guide to privacy law in China.
Current State of Chinese Privacy Laws
Privacy law in China is still a relatively new field. While China lacks a comprehensive national privacy law, there are a number of privacy laws and regulatory guides focused on specific concerns.
To understand the current state of Chinese privacy law, it helps to first distinguish two questions: how far individuals are protected from intrusion by the government, and how far they are protected from intrusion by corporations and other private actors. China's current legal system does not afford significant privacy protection against government intrusion. In the past few years, however, China has been increasingly willing to create and enforce privacy rules aimed at corporations and private actors.
These recent measures include telecommunications regulations such as the 2011 MIIT Internet Information Services Regulations ("MIIT 2011 Regulation"), the 2013 MIIT Telecommunications and Internet Personal User Data Protection Regulations ("MIIT 2013 Regulation") and the 2013 MIIT Information Security Technology - Guidelines for Personal Information Within Public and Commercial Services Systems ("MIIT 2013 Guide"). In addition, the 2012 Decision on Internet Information Protection of the Standing Committee of the National People's Congress ("SC-NPC 2012") created the highest-level law in China dealing with data protection. The provisions of SC-NPC 2012 were largely incorporated into the 2013 amendments to China's Law on the Protection of Consumer Rights and Interests ("Consumer Law").
The amended Consumer Law includes the general principle that all operators must “follow legal, legitimate and necessary principles,” incorporating principles stated in the SC-NPC 2012.
The Consumer Law (2013), Art. 29 lists these basic principles:
- Proprietors collecting and using consumers' personal information shall abide by principles of legality, propriety and necessity, explicitly stating the purposes, means and scope for collecting or using information and obtaining the consumers' consent. Proprietors collecting or using consumers' personal information shall disclose their rules for their collection or use of this information and must not collect or use information in violation of laws, regulations or agreements between the parties.
- Proprietors and their employees must keep consumers' personal information they collect strictly confidential and must not disclose, sell or illegally provide it to others. Proprietors shall employ technical measures and other necessary measures to ensure information security, and to prevent consumers' personal information from being disclosed or lost. In situations where information has been or might be disclosed or lost, proprietors shall immediately adopt remedial measures.
- Proprietors must not send commercial information to consumers without their consent or request, or where consumers have clearly refused it.
These principles are echoed in the general principles of MIIT 2011, which state that ISPs “shall provide services in accordance with the principles of equality, free will, fairness and good faith.”
In 2013, the MIIT released a voluntary guide to industry best practices. The MIIT 2013 Guide sets out eight principles, all of which are fairly standard under international privacy norms and similar to other nations' privacy principles.
- Clear Purpose Principle: Data should only be used for a clear purpose and should not be used outside of that purpose.
- Minimum and Sufficiency Principle: Companies should only handle the minimum amount of information sufficient for their purpose. Personal info should be deleted after the purpose has been achieved.
- Public Notification Principle: Companies should give notice to data subjects of the purpose, scope, use, security and other information related to the data collection.
- Personal Consent Principle: Companies should obtain consent before using data.
- Quality Assurance Principle: Companies should take measures to ensure confidentiality, integrity, availability of data.
- Safety Guarantee Principle: Companies should take measures to ensure security of data.
- Good Faith Fulfilling Principle: Companies should act in good faith in compliance with legal requirements.
- Clear Responsibility Principle: Companies should clearly define who is responsible for personal information, take appropriate measures and keep records of their processing (for use in potential future investigations).
These principles should be familiar to any privacy practitioner. Additionally, the MIIT 2013 Guide includes the following: special safeguards for sensitive information, restrictions for overseas data exports, data breach notification obligations and information on rights of data subjects. The MIIT 2013 Guide is the only current state policy that mentions limits on transnational data exportation, explicitly prohibiting overseas transfer of data without express consent of data subjects or explicit legal or regulatory permission. However, the MIIT 2013 Guide is voluntary and does not impose legal obligations upon corporations.
Chinese citizens may also have a right to privacy under tort law. China's General Principles of Civil Law (GPCL) protect the "right of reputation," while the Tort Liability Law (TLL) protects the "right of privacy." Both the GPCL and TLL rights have been invoked in litigation between individuals and corporations. It is important to note that, under the TLL, "network service providers" (likely to be interpreted similarly to "Internet service providers" in the West) have special obligations to prevent tortious acts committed by users of their services.
China also has some privacy-focused sectoral legislation, somewhat similar to the U.S. sectoral approach to privacy law. China’s sectoral laws include the Basic Norms for Electronic Medical Records (Ministry of Health, 2010), Social Insurance Law (2010) and Regulations and Administrative Measures for Credit Reference Agencies (2013). In addition, a number of provinces and municipalities have enacted their own privacy laws.
So while Chinese privacy law is still fairly undeveloped, China has made significant strides in recent years toward new laws governing data privacy and the confidentiality of personal information. Some of the major principles in the highest-level Chinese privacy laws are similar to international privacy norms (the EU Data Protection Directive, the APEC Privacy Framework, etc.). With the law still unsettled, the best way forward for privacy practitioners is to ensure compliance with the laws that exist today and to proactively adopt practices that are in touch with Chinese consumer culture.
In our next post, we will discuss some of those unique historical and cultural factors that might provide clues on the development and application of privacy laws in China. Finally, we will provide some practical lessons for how to proactively adapt to privacy laws in China.