In 2011, the Ministry of Industry and Information Technology of
the People's Republic of China (MIIT) published two draft
regulations that are related to data privacy.
As a background, China has not yet enacted comprehensive laws or
regulations governing the collection, use and transfer of personal
data. Although a draft Personal Information Protection Law
(个人信息保护法)
has been pending since 2003, some observers are pessimistic about
the likelihood of its enactment in the near future due to the
complicated interplay between privacy protection and disclosures in
Chinese political system. However, some provinces and cities are in
the process of local privacy law legislation. For example, the
local bar association just submitted a Report on the Practicality
and Necessity of Personal Data Protection Legislation in the City
of Shenzhen, which is China's most successful Special
Economic Zone ("SEZ"). SEZ's have flexibility
with respect to governmental actions that enable business to be
done.
On January 30, 2011, the MIIT issued a draft Information
Security Technology – Guide of Personal Information
Protection
(信息安全技术个人信息保护指南,
the "Guidelines") for comment. The Guidelines define
personal information liberally, grant data subjects broad rights
and tightly restrain data processors' ability to transfer
information. For example, a data processor generally cannot
collect, alter, transmit, use, block or erase personal data without
the person's consent. Depending on the purpose, a data
processor also has the duty to keep personal data accurate,
complete and up-to-date. If a data processor authorizes a
third-party to process personal data under its control, it must
notify the persons before the collection of data. More importantly,
a data processor cannot transfer personal information to another
entity without the persons' express consent. In perhaps the
most devastating provision for the outsourcing industry, a data
processer is prohibited from transferring personal information to a
foreign data processor without express authorization of the law or
from the government. The Guidelines are silent as to its
applicability to foreign citizens' personal data.
Also, the MIIT published a draft Internet Information Service
Regulations
(互联网信息服务管理规定,
the "Internet Regulations") on July 27, 2011, which
includes provisions regulating the processing of personal
information by entities providing internet information service or
related products in China. In addition to the similar requirements
of obtaining consent and general prohibition of data transfer, the
Internet Regulations also impose a duty to report serious security
breaches to the MIIT.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.