Chinese Data Privacy Regulations

Disclaimer: Neither InteliSecure nor the author of this post is purporting to offer legal advice in this blog. The author is not an attorney nor is InteliSecure a law firm, nor is either party making a representation on behalf of a law firm. Nothing in this blog should be construed as legal advice and should not be relied on as such.

Introduction to Chinese Data Privacy

The European Union’s General Data Protection Regulation (GDPR) has rightly received much attention on the global stage. However, less attention has been given to similar regulations being passed in jurisdictions throughout the world. In this post, we will discuss China’s data protection regulations. Although they are not as concise and specific as the European Union’s GDPR, there are specific provisions that one must comply with when collecting personal information about Chinese citizens.

China aims many of its current privacy regulations at telecom providers, or more broadly, organizations that provide networks to the public. There is a specific law known as the Regulation on Personal Information Protection of Telecom and Internet Users that specifically defines the additional protections that are in place for such users. There is legitimate debate with respect to organizations that provide internet access to their employees and whether that provision of access makes them a provider of internet and telecom services, or if the regulation’s scope is limited to actual Internet Service Providers (ISPs). For the purpose of this blog, we will assume that organizations will need to comply with that regulation as well.

The other regulations that make up the China data privacy legal framework include the Decision of the Standing Committee on the National People’s Congress on Revising the Consumer Rights Protection Law of the People’s Republic of China, Administrative Measures for Online Transactions, Personal Information Security Measures for Mailing and Courier Services, Medical Records Administration Measures of Medical Institutions, and Measures for Administration of Population Health Information (PHI). Since the regulatory environment in China is not contained in a single piece of legislation, organizations operating in the People’s Republic of China must be cognizant of any new regulations or changes to existing regulations in order to remain in compliance. Further, multiple regulations could become contradictory over time, although reading through these regulations as they currently exist has not revealed any obvious issues.

Sections

Definition of Personal Information
Scope
Data Processing
Rights of Individual Data Subjects
Security Requirements
Third Party Processing and Electronic Communication
Data Transfer Rules and Agreements
Conclusion

Definition of Personal Information

China seems to define personal information in a fairly broad manner. Essentially any piece of information that can identify a user when used independently or in conjunction with another piece of information is considered personal information. Since the “other piece” of information to be used is not defined, the scope of what is personal information becomes very large. Specific examples include name, date of birth, telephone numbers, gender, occupation, document numbers, health conditions, consumption habits, addresses, account numbers, etc. Information about the time and location of specific activities related to users is also considered personal information.

Another category of personal information that should be protected is the information defined as “population health information”. This information is also more broadly defined in China than it is in other countries as it can include basic demographic information as well as medical and health information relating to individuals, or statistics related to the broader population with respect to medical information.

Scope

The current scope of the Chinese Data Privacy regulations is far more limited than the scope of the European Union’s GDPR regulation in that the Chinese Data Privacy Regulation applies only to the jurisdictional scope of the People’s Republic of China, excluding Hong Kong, Macau, and Taiwan. Similarly to GDPR, the regulations are designed to govern the collection and use of personal information as defined in the preceding section.

Also, the Chinese government has not, as of yet, created a regulatory infrastructure that requires an organization to register prior to processing sensitive information. There is no specific Data Protection Authority like there is in GDPR that is a single point of contact for organizations attempting to comply with data privacy regulations. Instead, there is a regulatory body for each of the regulations listed above that has the authority to impose penalties.

Data Processing

Chinese law, similar to other data privacy laws around the world, requires that an organization obtain consent to collect, store and process personal information prior to processing. That consent must also be specific to the activities for which the information is intended to be used. However, the Chinese regulations are somewhat vague about the format in which consent must be gathered. For example, they do not specifically stipulate that consent must be written, and there are even interpretations that consent may be implied as well as explicit. This creates a measure of ambiguity that will likely be litigated in the coming years. For organizations that do not wish to be part of that litigation, it is likely prudent to obtain written consent.

With respect to processing data, consent is not the ultimate test in the Chinese regulatory environment. Even if an organization gains consent from the data subject, the use of the information still must “comply with the principles of legitimacy, rightfulness, and necessity.”

Additionally, there are specific exceptions to the consent requirement for national security needs, which essentially gives the Chinese government a blanket exception, and for ongoing criminal investigations.

Rights of Individual Data Subjects

The rights individuals have under the various Chinese regulations can be confusing. The only one of the regulations that specifically stipulates rights that a user has is the Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation). The confusing part of this particular regulation is that while it clearly applies to telecom companies providing networks in traditional Internet Service Provider fashion, some interpretations could extend it to anyone who provides a network for use, which could include WiFi hotspots and corporate networks. Each organization operating in the People’s Republic should work with legal counsel to determine if they are in scope for this regulation.

Assuming it is determined your organization is in scope, there are specific pieces of information you must provide to those using a network. The regulation stipulates organizations must provide specific information on the purpose, method and scope of the data that is being collected about them on the network, the ways in which users can inquire about and correct information, and also the penalties associated with refusing to provide such information. It is important to remember that under Chinese law, a user’s online browsing history or a record of where they were physically located and when are considered personal information, meaning many basic logging functions for security and even networking products like hotspots would be collecting, storing and processing personal information.

The right to be forgotten is a common theme in many Data Privacy regulations. China has its own form of the idea in which the individual does not have a mechanism to request he or she be purged from systems. However, when a user stops doing business with an organization, it is incumbent upon the organization to cease collecting information, purge the information they have collected, and to provide services for de-registering phone or account numbers. Therefore, organizations determined to be in scope of the MIIT regulations must have the capability to search for and remove all instances of customer information, and make that search and removal process part of the process of de-provisioning a customer.

Security Requirements

As with other provisions, the most specific and stringent requirement relates to the MIIT regulations. They dictate that organizations must, at a minimum, institute the following security measures:

  • To specify the responsibilities of each department, post and branch in terms of managing the security of personal information.
  • To establish work processes and security management systems for the collection and use of personal information and any related activities.
  • To manage the authority of different staff members and agents, review the batch export, duplication and destruction of information, and take measures to prevent the leak of confidential information.
  • To properly keep the carriers recording users’ personal information, such as paper, optical and magnetic media, and take appropriate secure storage measures.
  • To conduct access inspection of the information system that stores users’ personal information, and take intrusion prevention, anti-virus and other measures.
  • To record the staff members who perform operations of users’ personal information, including the time and place of such operations and the matters involved.
  • To carry out communications network security protection work as required by the relevant Telecommunications Authority.
  • Other necessary measures prescribed by the relevant Telecommunications Authority.

It should be noted that these are the minimum requirements and that it is encouraged to take security measures above and beyond these mandates.

Third Party Processing and Electronic Communication

The Chinese Data Privacy regulations put a specific burden on traditional marketing activities by limiting third party processing of data and setting requirements that must be met in order to communicate with data subjects electronically. What this means is that purchasing contacts from another organization is prohibited unless that organization received explicit permission to share the information with third parties. Further, sending marketing information to data subjects is also limited: the data subject must request the information, or at least consent to receiving the information, prior to the information being sent. Advertisements must also be clearly labeled as advertisements when they are sent, with the words “Ad” or “Advertisement” prominently displayed. There must also be a clear option for users to opt out of subsequent communications.

Data Transfer Rules and Agreements

Contrary to popular belief, there are currently no specific legal requirements for the transfer of personal information outside of China. There are no data residency requirements that require the information stay within the People’s Republic of China, and there are currently no restrictions on replicating information to offshore entities as part of a security program. However, industry regulations and rules that are specifically applicable to Chinese companies may apply to specific data being collected.

For example, personal information collected by commercial banks must be stored, handled and analyzed within the territory of China, and such personal information is not allowed to be transferred overseas.

A specific provision strictly prohibits transferring any information offshore that contains state secrets belonging to the People’s Republic of China. The question, then, is what constitutes a state secret? I have not been able to find a satisfactory answer to that question in any of the regulations.

Conclusion

There is much discussion currently around the European Union’s General Data Protection Regulation (GDPR), and for good reason. However, that is not the only Data Privacy regulation that a multinational business must be concerned with. This blog was focused on China, but there are other regulations that are important to consider as well. Brazil has passed its Data Protection Bill of Law No. 5276/2016, which has similarities to GDPR and the Chinese regulations, and more governments around the world are passing similar legislation on a consistent basis. It is important for organizations to have the capabilities to implement Data Privacy best practices. Further, most regulations assume an organization has a clear idea of how information is collected, stored, and processed within the organization. It is important for every organization to ensure that it is able to map the flows of specific information as a basic foundational principle of an Information Security program.