In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak. For example, Shenzhen PSB has issued a notice requiring residents or visitors to Shenzhen to scan a QR code to fill in personal information, such as their contact details, addresses, travel information, and health status. The Shanghai Municipal People’s Government also issued a similar notice requiring residents returning to Shanghai from an out-of-town trip or visitors to report a similar set of personal information.
In practice, numerous additional third party entities, including airports, train stations, employers, and landlords, could engage in collecting extensive personal information from travelers or visitors to a particular location or area, due to their own reporting obligations. For instance, visitors to office buildings may be obliged to report their health status to the landlord or building management. Also, employers are required to closely monitor the health status of employees if the employers apply to the local government to re-open their offices or factories.
With information collection for public health purposes now widespread, data breaches and misuse of data have become a major public concern. For example, it has been reported that travelers from Wuhan to other cities within China have been victims of data breaches after submitting their personal information to transportation entities and local regulators. A document entitled “List of Individuals Returning to Ningdu From Wuhan” was leaked to various WeChat groups in January 2020 and contained the personal information, including telephone numbers, national identification numbers, and home addresses, of approximately four to five hundred data subjects. Similar incidents happened across China and the sources of the leaks remain uncertain.
To address public concerns about data breaches and prevent further unauthorized use of personal information, the Cyberspace Administration of China (“CAC”) released the Notice on the Protection of Personal Information when Using Big Data for Joint Support and Defense (“2019-nCoV Personal Information Notice”) (an official Chinese version is available here) on February 9, 2020, setting forth a few privacy and cybersecurity principles in connection with the collection, use, and disclosure of personal information for purposes of containing 2019-nCoV:
- Limiting Entities Authorized to Collect Personal Information for Public Health Purpose
Only entities that are authorized by the National Health Commission in accordance with the Cybersecurity Law, Law on Prevention and Treatment of Infectious Diseases and Regulations on Public Health Emergencies are allowed to legally collect personal information for purposes of containing 2019-nCoV. Other entities may not collect personal information without obtaining consent from individuals.
- Targeted Collection and Principle of Data Minimization
The collection of personal information for the purpose of containing 2019-nCoV should adhere to the requirements set forth in the Information Security – Personal Information Security Specification, and in particular, to the principle of data minimization. In addition, rather than focusing on all individuals from particular geographic regions (within China), collection of personal information shall be targeted towards key groups of interest, such as diagnosed patients and individuals who have been in close contact with others who have been infected with 2019-nCoV.
- Purpose Limitation and Disclosure of Personal Information
Personal information collected for the purpose of containing 2019-nCoV should not be used for any other purpose. Unless sensitive personal information has been masked and with the exception of 2019-nCoV containment purposes, personal information, such as name, age, home address, etc., shall not be disclosed without the consent of the data subjects.
- Cybersecurity Requirements
Entities collecting or possessing personal information shall implement organizational and technical measures to prevent theft or leakage of such information.
The 2019-nCoV Personal Information Notice also provides that any individual or entity that discovers a violation with respect to the use, collection, and disclosure of personal information may report such violation to the CAC or PSB. The CAC will handle any such violations or data breaches in accordance with China’s Cybersecurity Law and related regulations. The PSB will investigate violations that may constitute crimes.
As more companies operating in China are preparing to re-open their facilities in the coming days, information requests from regulators and third parties are likely to increase. It is therefore important for companies to be mindful about their collection, usage, and sharing of personal information with regulators and third parties and take appropriate measures to protect information collected during this difficult time.