Although somewhat sporadic, significant inroads are being made on privacy regulation and data protection in China, writes Scott Thiel
Privacy regulation in China can currently be described as very recent, uncertain, lacking in detail and in clear need of a dedicated regulator to offer practical guidance to the business community. However, the existing and emerging regulations are potentially far reaching and threaten significant sanctions for non-compliance. While it is easy to be apathetic in the face of the current uncertainty and limited enforcement activity to date, all businesses operating in China should be turning their compliance attention to this rapidly developing regulatory landscape.
The use of numbers is always important when setting the scene on matters in China: 200 billion unwanted messages are estimated to have been sent to mobile phones in the PRC in the first six months of last year, with the country now accounting for 22% of all global electronic spam. The legislative and judicial response to this growing privacy problem is moving at a pace that may well be surprising, particularly to businesses from Western markets.
There is currently no omnibus privacy regulation in the PRC. These consumer and citizen-orientated rights are largely codified in the following combination of laws, recent decisions and proposed developments:
• The Decision of the Standing Committee on 28 Dec 2012, expanding laws previously limited to internet service providers (ISPs) to the wider business community. While details are limited, the decision creates the legal basis in relation to: i) theft and sale of electronic personal data; ii) regulation on the collection and use of data; iii) information security obligations; iv) confidentiality; and v) specific regulations on the use of data for marketing activities.
• The Guidelines for Personal Information Protection Within Information System (February 2013). While these are currently non-binding, there is a clear expectation that these guidelines are likely to form the legal basis for future privacy regulation, and could potentially be adopted with retrospective legal effect.
• Amendment to article 29 of the new Consumer Rights Law concerns consumer personal information, the wording for which mirrors the Standing Committee Decision, thereby expanding its application to the realm of consumer rights protection.
• Industry and issue-specific regulations, which also exist and are continuing to emerge, the latest proposal being an amendment to the Advertising Law that would ban e-spamming. As with many of the other recent amendments, the proposed sanctions and enforcement regime are somewhat unclear; however, this is no reason to underestimate their potential.
The newly revised Consumer Rights and Interest Protection Law of the People’s Republic of China is effective from 15 March 2014. This is the first revision of the old Consumer Rights Law since 1993, and can be viewed as an attempt by the central government to bring the law in this area up to date, to keep pace with practices of modern business and other countries’ legislation, and to bolster the privacy rights of individuals.
A comparison between article 29 of the new Consumer Rights Law and the relevant Standing Committee Decision provides some insight into the steady increase in the scope of Chinese privacy regulation:
1. The decision applies to electronic personal information, while article 29 applies to consumer personal information, including information in both electronic and non-electronic form;
2. In terms of sending commercial information to customers, instead of limiting the sending of commercial information in electronic form through a landline, mobile phone or emails as the decision does, the new Consumer Rights Law regulates the sending of commercial information altogether without stipulating the form or method by which the information is communicated; and
3. Compared to the decision, the new Consumer Rights Law carries more specific and harsher penalties for violating a consumer’s personal information rights.
Article 29 of the new Consumer Rights Law and the decision of the Standing Committee create broad obligations about the need to provide notification to, and obtain consent from, individuals. However, they do not currently address the required format of, or approach to, such notification and consent. Given this deficiency, current best practice is to apply the recommendations in the guidelines when developing the data subject documentation that accompanies the collection of their data.
The new Consumer Rights Law will ensure that consumers will have the “right to have personal information corrected in accordance with the law” when purchasing or using merchandise or services. Articles 14 and 29 of the Consumer Rights Law specifically apply to data protection, and require that operators explicitly state what they will do with the data and the purpose of collecting it, that operators should not illegally disclose or sell data, and should take necessary measures to protect the data, and not send commercial information to a customer when it has not been requested.
The addition of data privacy protection to the Consumer Rights Law reflects a general trend of data privacy regulation development in China. Government authorities are becoming more interested in data privacy and more willing to take protective measures when it comes to personal information protection. This change in attitude can also be witnessed from the fact that a breach of article 29 may now result in the business operator facing consequences such as confiscation of illegal earnings in conjunction with a fine between twice and 10 times the value of the illegal earnings. Where there are no illegal earnings, a fine below RMB500,000 (US$81,000) may be imposed.
Sanctions already available under existing privacy laws include warnings, fines, confiscation of illegal proceeds, cancellation of PRC incorporation, licence revocation or cancellation of recordal, closure of website, and bans against responsible persons. Criminal liability is also possible, as is civil liability for claims made by complainants.
Despite its somewhat piecemeal approach, China is currently undertaking a huge leap on privacy regulation and all businesses are well advised to review and update their personal data practices within this key and expanding market.
Scott Thiel is a foreign legal consultant with DLA Piper and location head of the intellectual property and technology team in Hong Kong.

















