Channel: Data Privacy and Security Law

A Globalized Data Privacy World: China Joins the March on Protecting Personal Information


China unquestionably has many great wonders to speak of. Even in the 21st century, the nation never ceases to impress the world as it continues to adapt rapidly to a globalized world. For readers behind on international data privacy developments, the first ever national standard on personal data privacy protection came into force in China on February 8, 2013.

The new Chinese guidelines were originally proposed in 2011 by the nation’s telecoms regulator, the Ministry of Industry and Information Technology, and were subsequently released by the Standardization Administration of China. At the heart of the Guidelines is a strong feeling of necessity to provide guidance on protecting personal information handled in information systems. As in most jurisdictions across the globe, the new Chinese data privacy guidelines apply generally to the private sector. The new guidelines are intended to serve as a national standard only and are not legally binding, and are primarily directed at regulating the processing of personal electronic information over the internet by internet service providers and carries the force of law.

The introduction of a general national standard on personal data privacy protection marks a significant move for China. The adoption of the Guidelines suggests that China has begun to value the issue of data privacy, and is rapidly moving away from its historical piecemeal approach to data privacy regulation to a more regulated environment similar to the data privacy regimes across the Asia Pacific region. The adoption further serves to highlight the development in the data privacy landscape in the region in the past year, as exemplified by the recent legislative amendments in Hong Kong, as well as new data privacy legislation in the Philippines and Taiwan last year, and Malaysia and Singapore last January.

A Few Highlights under the Guidelines

At the date of writing, the official publication of the Guidelines is yet to be released. However, the following key provisions in the Guidelines are expected:

  • Definition of ‘personal information’
    For the first time, the term ‘personal information’ is defined in regulations in China. ‘Personal information’ is defined as ‘computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person’.
  • Scope of application
    The Guidelines apply to the processing of personal information by all organisations and entities, excluding government bodies exercising any public administrative function, that involves the use of an ‘information system’.
  • Basic principles for handling personal information
    The Guidelines set out 8 basic principles for handling personal information, including a requirement for personal information to be used for specific, clear and reasonable purposes.
  • Collection and use of general personal information
    Collection and use of general personal data should be subject to the tacit consent of an individual, who has been well-informed. Tacit consent is assumed as long as the individual does not expressly raise any objections to the collection or processing.
  • Sensitive personal information
    ‘Sensitive personal information’ is defined as personal information which would have a negative impact on an individual once it has been leaked or modified, for example, an individual’s personal identity card, fingerprints or religious views. For ‘sensitive personal information’, express consent should be obtained from the individual before collection and use. In particular, the Guidelines specify that evidence of the individual’s express consent should be retained.
  • Extraterritorial transfer
    Extraterritorial transfer of any personal information is also prohibited without the individual’s express consent, government permission or other explicit legal or regulatory permission.
  • Security measures
    Technical and organisational measures should be established to protect the personal information collected and to address the risk of unauthorised data leakage, loss, damage and breach.
  • Retention and deletion
    Personal information should be deleted once its intended use has been fulfilled.

What you need to do now

The Guidelines have already come into effect as of 1 February 2013. In parallel, the China Software Evaluation and Test Centre has announced it is forming a self-regulatory group to play a consultative role in future legislation in the personal data privacy arena. Although the Guidelines are not binding, they nevertheless show that China appears to be gathering momentum in regulating data privacy and may have a strong influence on how future regulations are drafted. In light of this, organisations should take active measures now to prepare their data collection, handling and processing/use practices for compliance with the best practice Guidelines. Some to-do actions include:

  • Reviewing existing data privacy and security practices
  • Updating data collection / customer take-on documentation
  • Reviewing processor contracts, and
  • Developing internal data privacy guidelines and protocols.

Smit LeSieur is always delighted to speak with you regarding this and any of your regional or global data privacy requirements.

Smit LeSieur is a leading Canadian law firm in the area of data privacy and security. For more information about us, and how we can assist your needs, we encourage you to visit our website at http://www.smitlesieur.com. 


