As China’s central regulators finalize several national laws with data privacy components, provincial and municipal authorities are filling in the current legislative gap by passing local regulations governing the collection of personal information.

Currently at the national level, sector-specific laws target various aspects of personal information collection but no single comprehensive law exists to govern data privacy. Although efforts from the central government are expected to pick up in 2012, as we previously reported, pertinent national legislation remains in draft form. As these laws creep through China’s legislative process, the Chinese public is growing increasingly concerned about the security of their personal information following several high-profile scandals involving online disclosure.

In the absence of national legislation, China’s local governments have stepped in to fill the void.  The municipal government of Shenzhen, a city of ten million across the border from Hong Kong, commissioned the Shenzhen Lawyers Association in late 2010 to research and draft the “Shenzhen City Regulation on Personal Information Protection.” While exact details of the regulation have yet to be released to the public, the Shenzhen Municipal People’s Congress Standing Committee is currently deliberating the first research draft report with approval expected to follow in early 2012.

In Jiangsu, a prosperous coastal province north of Shanghai, the “Jiangsu Province Informatization Regulation [Chinese] “was officially passed in September to take effect on January 1, 2012.  The Jiangsu Regulation would govern the collection of “information” — an undefined term — within the province, requiring notice and consent provisions for any non-governmental entity collecting information and obligating such collectors to use collected data within the scope of use consented to by the user.  It would also give legal persons or other organizations the right to edit or amend any incorrect information collected or used by other organizations.  Finally, the Jiangsu Regulation would go a step further than the PRC Criminal Law, which prohibits the illegal sale or disclosure of personal information collected in certain industries, by extending this prohibition to the illegal sale or disclosure to third parties of personal information collected in any industry.

 This type of patchwork municipal regulation presents several challenges for businesses operating in China, including those whose customer base and data collection activities span localities. It is also unclear how such measures will fare once national legislation is enacted.  A recent draft measure, the “Regulations on the Administration of Internet Information Services”, contains similar requirements on notice and consent and might eventually preempt the relevant sections of the Jiangsu Regulation. Meanwhile, official comments from the State Council also have indicated that an upcoming amendment to the PRC Advertising Law will cover online advertising, and is likely to deal with critical aspects of online collection of user data. Although such developments could ultimately relegate these local measures to the sideline, they remain, in the interim, applicable law and should be noted by companies with operations in Shenzhen and/or Jiangsu province.