In 2011, the Ministry of Industry and Information Technology of
the People's Republic of China (MIIT) published two draft
regulations that are related to data privacy.
As background, China has not yet enacted comprehensive laws or
regulations governing the collection, use and transfer of personal
data. Although a draft Personal Information Protection Law
has been pending since 2003, some observers are pessimistic about
the likelihood of its enactment in the near future due to the
complicated interplay between privacy protection and disclosures in
the Chinese political system. However, some provinces and cities are in
the process of local privacy law legislation. For example, the
local bar association just submitted a Report on the Practicality
and Necessity of Personal Data Protection Legislation in the City
of Shenzhen, which is China's most successful Special
Economic Zone ("SEZ"). SEZs have flexibility
with respect to governmental actions that enable business to be
On January 30, 2011, the MIIT issued a draft Information
Security Technology – Guide of Personal Information
(the "Guidelines") for comment. The Guidelines define
personal information liberally, grant data subjects broad rights
and tightly restrain data processors' ability to transfer
information. For example, a data processor generally cannot
collect, alter, transmit, use, block or erase personal data without
the person's consent. Depending on the purpose, a data
processor also has the duty to keep personal data accurate,
complete and up-to-date. If a data processor authorizes a
third party to process personal data under its control, it must
notify the persons before the collection of data. More importantly,
a data processor cannot transfer personal information to another
entity without the persons' express consent. In perhaps the
most devastating provision for the outsourcing industry, a data
processor is prohibited from transferring personal information to a
foreign data processor without express authorization of the law or
from the government. The Guidelines are silent as to their
applicability to foreign citizens' personal data.
Also, the MIIT published a draft Internet Information Service
(the "Internet Regulations") on July 27, 2011, which
includes provisions regulating the processing of personal
information by entities providing internet information service or
related products in China. In addition to similar requirements
of obtaining consent and a general prohibition on data transfer, the
Internet Regulations also impose a duty to report serious security
breaches to the MIIT.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.