On December 28, 2012, China’s legislative body issued a decision that lays out the basic framework for protection of electronic personal data, which took immediate effect. On November 15, 2012, China’s standard-setting authority issued a non-binding national standard on personal information protection in information systems, which became effective on February 1, 2013. Together, these new rules have provided some additional clarity on personal data protection requirements in China, including personal data collection, processing and transfer, and companies operating in China should carefully review the new requirements to ensure compliance.
Both of these rules, however, are clearly consistent with internationally accepted fair information practices, and they should not pose undue hurdles to well-established international information governance systems within corporations.
I. Decision on Strengthening Protection of Internet Data
On December 28, 2012, the Standing Committee of the Chinese National People’s Congress, which is China’s top legislative body, issued the Decision on Strengthening Protection of Internet Data. The Decision contains high-level requirements for Internet service providers and other types of entities (Data Collectors) on protecting “electronic personal data,” which means electronic data that may identify a person and electronic data that relate to a person’s privacy. Highlights of the requirements are:
II. Guideline for Personal Information Protection within Information System for Public and Commercial Services
On November 5, 2012, the General Administration of Quality Supervision, Inspection and Quarantine of China (AQSIQ) and the Standardization Administration of China (SAC) issued the Guideline for Personal Information Protection within Information System for Public and Commercial Services. The only readily available draft of the Guideline dates back to December 31, 2011.
This document is a “technical guideline,” which is at the third, and lowest, level of national standards and does not have binding legal force. The Guideline sets the requirements on collecting, handling, transferring and deleting personal information in information systems, and key requirements are:
China’s data protection law is at a rudimentary stage, and companies operating in China can find very limited guidance on how to collect, process and transfer data. The Decision and Guideline provide important clarification on these issues, though still to a limited extent.
Note that the Decision is an act of Congress, while the Guideline is an administrative national standard. These two rules do not cross-reference each other, and there is no express relationship between them.
There are no obvious special constraints on international transfers of personal data outside China. However, as described above, “If a personal information administrator needs to transfer personal information to another person, it should evaluate whether the receiver may handle the information in accordance with the requirements of the Guideline, and also sign a written agreement with the receiver to set forth the receiver’s personal information protection obligations.”
The Guideline has set forth considerably detailed requirements on personal data protection, particularly setting up internal departments and developing internal procedures for personal data protection. Companies are advised to review these requirements carefully and evaluate the need for action.
The Chinese Government has been active in developing data privacy regulations, and has proposed a few draft standards, although there are very few enforcement actions reported. Companies should closely monitor the rule-making activities, and should also consider participation either directly or through relevant industry associations.
If you have any questions regarding this update, please contact Yuet Ming Tham (firstname.lastname@example.org; +852.2509.7645), Alan Raul (email@example.com, +1.202.736.8477), John Casanova (firstname.lastname@example.org; +65.6230.3907; +44.20.7360.3739), Edward McNicholas (email@example.com; +1.202.736.8010) or Lei Li (firstname.lastname@example.org; +86.10.5905.5505).
The Privacy, Data Security & Information Law Practice of Sidley Austin LLP
We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property, and criminal issues. Sidley provides services in the following areas:
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.