Data Privacy Regulation for Websites in China Takes Effect, National Standards for Commercial Industries Forthcoming

On March 15, 2012, new provisions governing the online collection, use, and storage of personal information went into effect in China.  Promulgated by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”) govern the competition-related activities of Internet Information Services Providers (“IISP”) in China and also include key provisions relating to the collection, use, and storage of “Users’ Personal Information.”   While certain sector-specific regulations have included protections for online personal information in the past, the Provisions represent the first time a broad definition for online personal information has appeared in PRC law.  “Personal Information” is defined as information “that would identify the user if used alone or together with other information.” 

Under the Provisions, an IISP must inform users of the ways the IISP collects and processes information, what kind of information is collected, and the purposes for the collection.  IISPs may not collect any information unnecessary for the provision of services or use Users’ Personal Information for any purpose outside the scope of the services.  The Provisions also require IISPs to “properly” maintain their Users’ Personal Information. Where Users’ Personal Information is or may be divulged, the IISP must take remedial action. If the violation is “serious,” then the IISP shall report the violation to MIIT and jointly cooperate in taking further remedial measures.

The Provisions do not define “properly” or explain what would constitute a “serious” disclosure violation. It is also unclear whether, as part of taking “remedial action,” an IISP would be expected to notify a user for all breaches of user data or merely for “serious” ones.


China's Local Data Privacy Regulations Foreshadow National Efforts in 2012

As China’s central regulators finalize several national laws with data privacy components, provincial and municipal authorities are filling in the current legislative gap by passing local regulations governing the collection of personal information.

Currently at the national level, sector-specific laws target various aspects of personal information collection but no single comprehensive law exists to govern data privacy. Although efforts from the central government are expected to pick up in 2012, as we previously reported, pertinent national legislation remains in draft form. As these laws creep through China’s legislative process, the Chinese public is growing increasingly concerned about the security of their personal information following several high-profile scandals involving online disclosure.

In the absence of national legislation, China’s local governments have stepped in to fill the void.  The municipal government of Shenzhen, a city of ten million across the border from Hong Kong, commissioned the Shenzhen Lawyers Association in late 2010 to research and draft the “Shenzhen City Regulation on Personal Information Protection.” While exact details of the regulation have yet to be released to the public, the Shenzhen Municipal People’s Congress Standing Committee is currently deliberating the first research draft report with approval expected to follow in early 2012.


Release of China's First Personal Information Protection Standards Imminent

China’s Internet regulator, the Ministry of Information and Industry Technology, or MIIT, is close to releasing the final version of China’s first national standards for personal information protection. Drafted with the assistance of two other government departments, the “Information Security Technology - Guidelines for Personal Information Protection” (信息安全技术个人信息保护指南) represent China’s first foray into the field of data privacy regulation. As a voluntary national standard, the Guidelines will lack the force of law but will likely serve as an important guidepost for future lawmaking. We understand that a final version of the Guidelines is expected to be released in the second half of 2011.

The Guidelines as currently drafted set out (1) suggested principles for processors and administrators of personal information, (2) rights enjoyed by the data subject, and (3) requirements for the collection, processing, transfer, use, blockage, deletion, and management of personal information. 

Among the requirements for data transfer in the Guidelines are restrictions that would prevent the transfer of personal information overseas.  Article 5.3.5 of the draft states that unless otherwise stipulated in law or regulation or having gained the approval of the relevant ministry, no data administrator within China may transfer personal information to a foreign administrator. Such a requirement would prevent the transfer of personal information gathered in China to any non-China based entity and would affect both the internal transfer of personal information within multinational companies as well as any personal information transfers between cross-border cloud computing servers.

These Guidelines appear to be a stop-gap measure pending the future passage of China’s Personal Information Protection Law (个人消息保护法). That law, in draft form since 2005, shows no signs of enactment in the near term. With China’s Internet population expanding rapidly (485 million users in June 2011, a 1700% increase since 2000), it appears MIIT has decided to take the lead in ensuring China’s legal regime does not fall further behind its rapidly evolving online social and e-commerce environments. While non-mandatory, the suggested provisions point the way for future developments in China, including potential inclusion in a future Personal Information Protection Law.

Hong Kong Moves Closer to New Privacy Amendment

On July 13, the Personal Data (Amendment) Bill 2011 was introduced to Hong Kong's Legislative Council for final approval. The Bill, which is designed to implement the recommendations of an April 2011 government report on privacy reform, aims to address a spate of recent concerns about the prevalence of direct marketing-related data sales and transfers in Hong Kong's private sector.

If the Bill passes the Legislative Council, companies in Hong Kong wishing to make data transfers for direct marketing purposes will be required to furnish data subjects with information relating to (i) the types of data that will be transferred; (ii) the types of person who would receive such data; and (iii) the purposes of the proposed transfer (including what types of goods and services could be advertised). Data subjects will then be entitled to object to such transfers for up to 30 days after receiving notice of the pending transfer. If a "data user" proceeds to make a transfer despite receiving an objection within the 30-day period, they could become liable under the new law to a fine of $500,000 HKD and up to three years' imprisonment. The Bill will also empower the Privacy Commissioner for Personal Data to provide technical assistance to aggrieved data subjects if they seek legal redress against companies that breach the new provisions.
