Two recent moves indicate that China is taking significant first steps on enhancing personal information protection. The National People's Congress adopted a Decision on strengthening online information protection and China's first national Guidelines on personal information protection became effective.

Decision

The Decision, which has the force of law, provides principles and requirements for primarily internet service providers in collecting and using personal electronic information. These requirements include:

  • explicitly indicating the purpose, manner and scope of collecting and using such information
  • obtaining the consent of users whose information is collected
  • publishing policies for collecting and using such information
  • not divulging, distorting or destroying such information
  • not selling or illegally providing others with such information
  • adopting technological and other necessary measures to protect personal information.

The wording of the Decision suggests that its application is not necessarily limited to internet service providers, but may potentially also apply to entities in general to the extent that they collect or use individuals' electronic information during their business activities.

Violators and responsible individuals can potentially be subject to a ban on engaging in web-related business activities, as well as to administrative, civil and even criminal sanctions.

Guidelines

The Guidelines apply to all companies processing personal information and to a great extent mirror the European Privacy Directive. While the Guidelines do not have the force of law, they serve as an important guidance document for China's future law-making.

According to the Guidelines, handling (including collecting, processing, transferring and deleting) of personal information must be for specific, clear and reasonable purposes, and must be subject to the permission of the user, who must be well informed in that respect. Information must be deleted once its intended use has been fulfilled.

Both the Decision and the Guidelines take a relatively restrictive position on the transfer of personal information between companies. This could create difficulties for multinational corporations relying on third-party data processing companies or routinely sharing information between affiliates. Companies will therefore need to give close attention to their compliance with regard to intra-company data transfers.

Regulation reference:    Decision on Strengthening Online Information Protection

Issuing authority:          Standing Committee of the National People's Congress

Regulation reference:    Guide of Personal Information Protection on Information Security Technology

Issuing authority:          The Government of the Republic of China

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.