China’s Internet regulator, the Ministry of Information and Industry Technology, or MIIT, is close to releasing the final version of China’s first national standards for personal information protection. Drafted with the assistance of two other government departments, the release of “Information Security Technology - Guidelines for Personal Information Protection” (信息安全技术个人信息保护指南) represents China’s first foray into the field of data privacy regulation. As a voluntary national standard, the Guidelines will lack the force of law but will likely serve as an important guidepost for future lawmaking. We understand that a final version of the Guidelines is expected to be released in the second half of 2011.
The Guidelines as currently drafted set out (1) suggested principles for processors and administrators of personal information, (2) rights enjoyed by the data subject, and (3) requirements for the collection, processing, transfer, use, blockage, deletion, and management of personal information.
Among the requirements for data transfer in the Guidelines are restrictions that would prevent the transfer of personal information overseas. Article 5.3.5 of the draft states that unless otherwise stipulated in law or regulation or having gained the approval of the relevant ministry, no data administrator within China may transfer personal information to a foreign administrator. Such a requirement would prevent the transfer of personal information gathered in China to any non-China based entity and would affect both the internal transfer of personal information within multinational companies as well as any personal information transfers between cross-border cloud computing servers.
The appearance of these Guidelines appear to be a stop-gap measure for the future passage of China’s Personal Information Protection Law (个人消息保护法). That law, in draft form since 2005, shows no signs of enactment in the near term and with China’s Internet population expanding rapidly (485 million users in June 2011, a 1700% increase since 2000) it appears MIIT has decide to take the lead in ensuring China’s legal regime does not fall further behind its rapidly evolving online social and e-commerce environments. While non-mandatory, the suggested provisions point the way for future developments in China, including potential inclusion in a future Personal Information Protection Law.