On December 28, 2012, China’s legislative body issued a decision that lays out the basic framework for protection of electronic personal data, which took immediate effect. On November 15, 2012, China’s standard-setting authority issued a non-binding national standard on personal information protection in information systems, which became effective on February 1, 2013. Together, these new rules have provided some additional clarity on personal data protection requirements in China, including personal data collection, processing and transfer, and companies operating in China should carefully review the new requirements to ensure compliance.
Both of these rules, however, are clearly consistent with internationally accepted fair information practices, and they should not pose undue hurdles to well-established international information governance systems within corporations.
I. Decision on Strengthening Protection of Internet Data
On December 28, 2012, the Standing Committee of the Chinese National People’s Congress, which is China’s top legislative body, issued the Decision on Strengthening Protection of Internet Data. The Decision contains high-level requirements for Internet service providers and other types of entities (Data Collectors) on protecting “electronic personal data,” which means electronic data that may identify a person and electronic data that relate to a person’s privacy. Highlights of the requirements are:1
- When collecting electronic personal data from individuals, Data Collectors should obtain the consent of the individuals and explicitly inform the individuals of the purpose, manner and scope of data collection and use.
- Data Collectors should develop procedures for data collection and use, and make these procedures publicly available.
- Data Collectors should maintain the confidentiality of collected data, and should not sell or provide such data to other persons in any illegal manner. (Significantly, there is no guidance on what constitutes “illegal” sale or provision of data.) Data Collectors should take immediate remedial measures in case of leakage or threat of leakage.
- Violations may subject Data Collectors to a series of penalties, including warning, monetary fine, confiscation of illegal gains, revocation of license, take-down of website and disbarment of relevant personnel from engaging in Internet services.
II. Guideline for Personal Information Protection within Information System for Public and Commercial Services
On November 5, 2012, the General Administration of Quality Supervision, Inspection and Quarantine of China (AQSIQ) and the Standardization Administration of China (SAC) issued the Guideline for Personal Information Protection within Information System for Public and Commercial Services. The only readily available draft of the Guideline dates back to December 31, 2011.
This document is a “technical guideline,” which is at the third, and lowest, level of national standards and does not have binding legal force. The Guideline sets the requirements on collecting, handling, transferring and deleting personal information in information systems, and key requirements are:
- Personal information administrators, which are the entities that collect personal information and then control and use the information, should expressly inform the subject individual of all key aspects of personal information collection and use, such as purpose, scope, retention period, etc. Personal information administrators should obtain the subject individual’s tacit consent for collection of “personal general information,” and expressed consent for collection of “personal sensitive information,” which is defined as “information the leakage of which will cause adverse consequences to the subject individual.”
- Personal information administrators should not use personal information for any purpose that is not disclosed to the subject individual.
- If a personal information administrator needs to transfer personal information to another person, it should evaluate whether the receiver may handle the information in accordance with the requirements of the Guideline, and also sign a written agreement with the receiver to set forth the receiver’s personal information protection obligations.
- Personal information administrators should delete collected personal information immediately after the purpose of the information collection notified to the subject individual has been fulfilled. If a personal information administrator needs to continue to process the information, it should delete the content that may relate to the identity of the subject individual.
- Personal information administrators should delete personal information if the subject individual makes a reasonable request, but should take appropriate information retention and screening measures if such deletion may hinder evidence-collection activities of the government.
China’s data protection law is at a rudimentary stage, and companies operating in China can find very limited guidance on how to collect, process and transfer data. The Decision and Guideline provide important clarification on these issues, though still to a limited extent.
Note that the Decision is an act of Congress, while the Guideline is an administrative national standard. These two rules do not cross-reference each other, and there is no express relationship between them.
There are no obvious special constraints on international transfers of personal data outside China. However, as described above, “If a personal information administrator needs to transfer personal information to another person, it should evaluate whether the receiver may handle the information in accordance with the requirements of the Guideline, and also sign a written agreement with the receiver to set forth the receiver’s personal information protection obligations.”
The Guideline has set forth considerably detailed requirements on personal data protection, particularly setting up internal departments and developing internal procedures for personal data protection. Companies are advised to review these requirements carefully and evaluate the need for action.
The Chinese Government has been active in developing data privacy regulations, and has proposed a few draft standards, although there are very few enforcement actions reported. Companies should closely monitor the rule-making activities, and should also consider participation either directly or through relevant industry associations.
If you have any questions regarding this update, please contact Yuet Ming Tham (+852.2509.7645), Alan Raul (+1.202.736.8477), John Casanova (+65.6230.3907; +44.20.7360.3739), Edward McNicholas (+1.202.736.8010) or Lei Li.
AQSIQ and SAC have not published the official version of the Guideline. Analysis in this article is based on the final draft of the Guideline that was published on December 31, 2011.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.