
China Enacts New Data Privacy Legislation

In order to strengthen the protection of an individual’s personal online information, the Chinese government promulgated a new law entitled the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (“Decision”) on December 28, 2012, which became effective as of the promulgation date.

Q: What is the purpose of the Decision and what kind of information will be protected under this Decision?

A: The Decision was drafted with the purpose of strengthening the protection of an individual’s personal electronic information. In practice, many companies operating websites misused or leaked individuals’ personal electronic information to third parties for the purpose of making money. Also, some users registered on blogs, micro-blogs or online forums under assumed names and would disseminate untrue information, thereby infringing other parties’ rights or even harming state security. The PRC government therefore promulgated this Decision in an effort to protect the security of an individual’s personal electronic information.

Q: What is the definition of personal electronic information?

A: According to Article 1 of the Decision, an individual’s personal electronic information refers to information by which the individual identity of citizens can be distinguished, as well as information that involves a citizen’s privacy.

Q: Who should bear the obligations regarding use or collection of a citizen’s personal electronic information?

A: Under the Decision, any individual or entity should not steal or collect, through illegal means, a citizen’s personal electronic information, and should not sell or unlawfully provide a citizen’s personal electronic information to other parties. The Decision also sets forth specific requirements for network service providers and other enterprises or public institutions on the use and collection of a citizen’s personal electronic information (please see below).

Q: What are the specific requirements for network service providers or other enterprises or public institutions using or collecting a citizen’s personal electronic information?

A: In particular, network service providers and other enterprises or public institutions should, when collecting or using a citizen’s personal electronic information, adhere to the principles of lawfulness, proper purpose and necessity, and clearly indicate the purpose, method, and scope of their use and collection of an individual’s personal electronic information. They should not collect or use this information without the individual’s consent, in breach of the agreed purpose, method or scope, or in violation of laws or regulations.

Also, network service providers and other enterprises or public institutions should, when using or collecting a citizen’s personal electronic information, make the citizen aware of the rules for using and collecting such information.

Q: What are the confidentiality obligations regarding personal electronic information for network service providers or other enterprises or public institutions?

A: Network service providers, other enterprises or public institutions and their employees should keep a citizen’s personal electronic information confidential, and should not disclose, distort, damage, sell or illegally provide such information to any third party.

Also, the network service providers and other enterprises or public institutions must take necessary steps to maintain the confidentiality of information, ensure information security and prevent such information from being disclosed, damaged or lost.

Q: Is a user required to do real name registration when he/she registers on the website of a network service provider?

A: Yes. A user must supply real identity information when he/she registers on the website of a network service provider which provides either internet publication services or website access services.

Q: Is commercial electronic information allowed to be sent to an email recipient or a user?

A: The Decision stipulates that no organization or individual is permitted to send so-called commercial electronic information (such as spam or other commercial solicitation information) to a recipient’s email box, land-line telephone, or cell phone without his/her consent or request, or following a user’s clear refusal.

Q: What is the punishment for breach of the Decision?

A: According to the Decision, a person who is in violation of the Decision would bear civil, administrative or criminal liability, including without limitation warnings, fines, confiscation of illegal income, cancellation of operating permits, website closure, or the prohibition of involved individuals from engaging in other network services business.
