Written by: Scott Thiel and Arthur Cheuk
On 1 February 2013, the first ever national standard on personal data privacy protection came into force in China.
The guidelines, called the Information Security Technology – Guide for Personal Information Protection within Public and Commercial Information Systems (‘Guidelines’), were originally proposed by the nation’s telecoms regulator, the Ministry of Industry and Information Technology, in 2011 and subsequently released by the Standardisation Administration of China. The Guidelines’ primary purpose is to provide guidance on protecting personal information handled in information systems, and they apply generally to the private sector. That said, they are intended to serve as a national standard only and are not legally binding.
The adoption of the Guidelines follows the recent Decision on Strengthening Online Information Protection (‘Decision’) issued by the Standing Committee of the National People’s Congress just a month earlier in late December 2012, which is primarily directed at regulating the processing of personal electronic information over the internet by internet service providers and carries the force of law.
While the Guidelines do not have the force of law, the introduction of a general national standard on personal data privacy protection marks a significant move for China. The adoption of the Guidelines and the Decision in the space of two months suggests that China has begun to pay serious attention to the issue of data privacy, and is rapidly moving away from its historical piecemeal approach to data privacy regulation towards a more regulated environment similar to the data privacy regimes across the Asia Pacific region. The adoption further highlights the tremendous development in the data privacy landscape in the region in the past year, as exemplified by the recent legislative amendments in Hong Kong, as well as new data privacy legislation in the Philippines and Taiwan last year, and in Malaysia and Singapore last January.
Key features of the Guidelines
At the date of writing, the official publication of the Guidelines is yet to be released. However, the following key provisions in the Guidelines are expected:
- Definition of ‘personal information’
For the first time, the term ‘personal information’ is defined in regulations in China. ‘Personal information’ is defined as ‘computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person’.
- Scope of application
The Guidelines apply to the processing of personal information by all organizations and entities, excluding government bodies exercising any public administrative function, that involves the use of an ‘information system.’
- Basic principles for handling personal information
The Guidelines set out 8 basic principles for handling personal information, including a requirement for personal information to be used for specific, clear and reasonable purposes.
- Collection and use of general personal information
Collection and use of general personal data should be subject to the tacit consent of an individual, who has been well-informed. Tacit consent is assumed as long as the individual does not expressly raise any objections to the collection or processing.
- Sensitive personal information
‘Sensitive personal information’ is defined as personal information that would have a negative impact on an individual once it has been leaked or modified, for example, an individual’s personal identity card, fingerprints or religious views. For ‘sensitive personal information’, express consent should be obtained from the individual before collection and use. In particular, the Guidelines specify that evidence of the individual’s express consent should be retained.
- Extraterritorial transfer
Extraterritorial transfer of any personal information is also prohibited without the individual’s express consent, government permission or other explicit legal or regulatory permission.
- Security measures
Technical and organisational measures should be established to protect the personal information collected and to address the risk of unauthorised data leakage, loss, damage and breach.
- Retention and deletion
Personal information should be deleted once its intended use has been fulfilled.
What you need to do now
The Guidelines have already come into effect as of 1 February 2013. In parallel, the China Software Evaluation and Test Centre has announced it is forming a self-regulatory group to play a consultative role in future legislation in the personal data privacy arena. Although the Guidelines are not binding, they nevertheless show that China appears to be gathering momentum in regulating data privacy and may have a strong influence on how future regulations are drafted. In light of this, organisations should take active measures now to prepare their data collection, handling and processing/use practices for compliance with the best-practice Guidelines. Some to-do actions include:
- reviewing existing data privacy and security practices;
- updating data collection / customer take-on documentation;
- reviewing processor contracts; and
- developing internal data privacy guidelines and protocols.
We will be delighted to speak with you regarding this and any of your regional or global data privacy requirements.