Inside Privacy - Updates on Developments in Global Privacy & Data Security

On April 10, 2013, China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), issued a draft regulation for public comment entitled Provisions on Protecting the Personal Information of Telecommunication and Internet Users  (“Draft Provisions”).  The Draft Provisions would impose additional requirements when telecommunication service providers (“TSPs”) and internet information service providers (“IISPs”) collect and use personal information (“PI”), and would direct these entities to implement a number of compliance measures to protect against disclosure, damage, or loss of PI.  The Draft Provisions would also provide MIIT with significant authority to enter premises and request documents for purpose of assessing the PI protection efforts of any TSP or IISP. 

The Draft Provisions are intended to implement the general requirements set forth in the Decision of the Standing Committee of the National People's Congress on Strengthening Online Information Protection ("Online Information Decision"), which was promulgated in December 2012.  (See our client alert here.)  The term “IISPs” includes all companies utilizing a PRC-based website (i.e., a website registered with, or licensed by, MIIT) to collect PI from their customers or site visitors.

Continue Reading

China’s Standardization Administration recently released a long-awaited national standard related to personal information.  Entitled Information Security Technology -- Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013.  The Guidelines are voluntary and lack the force of law.  They nevertheless clarify key expectations for relevant actors collecting personal information (“PI”) and outline how PI is to be handled in four phases: collection, processing, transfer, and deletion, with voluntary requirements for each phase.  The Guidelines also set out eight “basic principles” for handling of PI within China.

China has two types of standards: mandatory and voluntary.  As a voluntary standard, the Guidelines may impact companies operating in China in two principal ways.  First, while the Guidelines lack the force of law, they might serve as a regulatory baseline for PRC judicial and law enforcement authorities to judge a company’s data privacy efforts in criminal or civil litigation or in administrative proceedings. The Guidelines also may reflect an evolving consensus by China’s policy-makers regarding data privacy that may be further extended in subsequent binding legislation.  In particular, the voluntary nature of the Guidelines, along with the creation of the industry self-regulatory group discussed below, may indicate that China intends to place greater emphasis on self-regulatory efforts in its emerging data privacy protection framework.

Continue Reading

On December 28, 2012, China’s national legislature enacted a new law to further regulate the collection and use of online personal information and to require certain network service providers to implement real name registration for all users. 

As described below, the new law may affect all businesses handling an individual’s “personal electronic information” in China, even if that information is not necessarily processed over the internet.  For many companies operating websites hosted in China, the new law will require only slight modifications to existing data handling practices, as many of the new law’s provisions reflect or only slightly modify other provisions found in existing law.  However, websites providing “internet publication services” such as blogs, microblogs, or online forum providers, will be required to implement a real name registration system for their users.  The specifics of the real name registration system have not been announced and will likely come from China’s principal internet regulator, the Ministry of Industry and Information Technology (“MIIT”), which is drafting regulations in furtherance of the new law. 

Continue Reading

On March 15, 2012, new provisions governing the online collection, use, and storage of personal information went into effect in China.  Promulgated by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”) govern the competition-related activities of Internet Information Services Providers (“IISP”) in China and also include key provisions relating to the collection, use, and storage of “Users’ Personal Information.”   While certain sector-specific regulations have included protections for online personal information in the past, the Provisions represent the first time a broad definition for online personal information has appeared in PRC law.  “Personal Information” is defined as information “that would identify the user if used alone or together with other information.” 

Under the Provisions, an IISP must inform users of the ways the IISP collects and processes information, what kind of information is collected, and the purposes for the collection.  IISPs may not collect any information unnecessary for the provision of services or use Users’ Personal Information for any purpose outside the scope of the services.  The Provisions also require IISPs to “properly” maintain their Users’ Personal Information. Where Users’ Personal Information is or may be divulged, the IISP must take remedial action. If the violation is “serious,” then the IISP shall report the violation to MIIT and jointly cooperate in taking further remedial measures.

The Provisions do not define “properly” or explain what would constitute a “serious” disclosure violation. It is also unclear whether, as part of taking “remedial action,” an IISP would be expected to notify a user for all breaches of user data or merely for “serious” ones.

Continue Reading

China’s Internet regulator, the Ministry of Information and Industry Technology, or MIIT,  is close to releasing the final version of China’s first national standards for personal information protection.  Drafted with the assistance of two other government departments, the release of  “Information Security Technology - Guidelines for Personal Information Protection” (信息安全技术个人信息保护指南) represents China’s first foray into the field of data privacy regulation.  As a voluntary national standard, the Guidelines will lack the force of law but will likely serve as an important guidepost for future lawmaking.  We understand that a final version of the Guidelines is expected to be released in the second half of 2011.

The Guidelines as currently drafted set out (1) suggested principles for processors and administrators of personal information, (2) rights enjoyed by the data subject, and (3) requirements for the collection, processing, transfer, use, blockage, deletion, and management of personal information. 

Among the requirements for data transfer in the Guidelines are restrictions that would prevent the transfer of personal information overseas.  Article 5.3.5 of the draft states that unless otherwise stipulated in law or regulation or having gained the approval of the relevant ministry, no data administrator within China may transfer personal information to a foreign administrator. Such a requirement would prevent the transfer of personal information gathered in China to any non-China based entity and would affect both the internal transfer of personal information within multinational companies as well as any personal information transfers between cross-border cloud computing servers.

The appearance of these Guidelines appear to be a stop-gap measure for the future passage of China’s Personal Information Protection Law (个人消息保护法).  That law, in draft form since 2005, shows no signs of enactment in the near term and with China’s Internet population expanding rapidly (485 million users in June 2011, a 1700% increase since 2000) it appears MIIT has decide to take the lead in ensuring China’s legal regime does not fall further behind its rapidly evolving online social and e-commerce environments.  While non-mandatory, the suggested provisions point the way for future developments in China, including potential inclusion in a future Personal Information Protection Law.