Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

China Clarifies Requirements for Companies Regarding Consumers’ Personal Information

Posted in China, Privacy Policies, Technology Transactions

New consumer protection provisions that clarify how companies may collect, use, and protect personal information of consumers will come into effect in China on March 15, 2015.

On January 5, 2015, China’s State Administration of Industry and Commerce (“SAIC”) issued measures to implement China’s Consumer Rights Protection Law (“CRPL”), which was amended effective March 2014 to include, among other things, provisions on the protection of personal information of consumers and administrative penalties for the misuse of personal information.   The newly promulgated measures, entitled Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“Implementing Measures”; Covington’s translation is available here) flesh out the CRPL by addressing a range of consumer protection issues.  From a privacy perspective, the Implementing Measures (1) clarify the definition of “personal information of consumers,” (2) provide more detail on the CRPL’s requirements for the collection, use, and protection of consumer personal information, and (3) provide for significant penalties for violations.  The Implementing Measures take effect on March 15, 2015, China’s Consumer Protection Day.

Article 11 of the Implementing Measures define “personal information of consumers” as “a consumer’s name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, and consumption habits, and other information collected by business operators during their provision of goods or services that may independently or in combination with other information identify the consumers.”

The CRPL states that consumers’ personal information is entitled to protection when they purchase goods or services.  The CRPL applies to all online and offline consumer transactions and to businesses in all industries that provide goods or services to consumers in China.  The CRPL and the Implementing Measures, taken together, require businesses to:

(1) Inform and obtain consent from consumers regarding the purpose, method, and scope of collection or use of consumers’ personal information;

(2) Publish rules for the collection and use of consumers’ personal information;

(3) Not collect or use information in ways that violate laws, regulations, or contractual arrangements;

(4) Not divulge, sell, or illegally disclose consumer personal information to third parties;

(5) Implement measures to ensure the security of consumers’ personal information and immediately take remedial action if information is improperly disclosed or lost;

(6) Not send commercial information to consumers without consent, particularly if consumers have expressly indicated an unwillingness to receive such information.

Violations of the Implementing Measures are subject to civil liability:  SAIC and its local counterparts may confiscate all illegal earnings and impose fines of between one and ten times the amount of the illegal earnings, or up to RMB 500,000 (about US $80,000) if there are no illegal earnings.  (Note that starting in October 2014, companies have been required to disclose administrative penalties to the public within 20 business days.)

The Implementing Measures are part of a series of laws and regulations issued by the government in the last 24 months to further regulate collection and use of personal information — e.g., the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection  (see our previous client alert here) and the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (see our blog post here).  The definition in the Implementing Measures of “personal information of consumers” is one of the more specific definitions in China’s patchwork of privacy laws and regulations.

The substantial enforcement authority granted to SAIC and its local counterparts (local Administrations of Industry and Commerce, or AICs) suggests that the Chinese government is serious about cracking down on improper use, disclosure, and sale of consumers’ personal information in the country.  AICs handle not only consumer protection but also advertising regulation, commercial bribery, and some aspects of antitrust enforcement.  In our experience, AIC enforcement is largely executed at a local level (district, municipal, or sometimes provincial).

Material for this post was supplied by Sheng Huang and Ashwin Kaja of Covington & Burling LLP.