The rapid evolution of internet technology has necessitated the definition of ‘personal private information’ being expanded. While traditionally it included names, ID numbers, phone numbers, bank accounts and addresses, the definition now encompasses text messages, social media accounts and passwords, online transaction records and shopping and travel information, and with more personal information out in cyberspace comes more opportunity for data theft. 

Richard Zhang, Director of Management Consulting, KPMG China, explains what the Chinese Government has done so far to tackle this problem, and says that preventative measures are only likely to increase, in the near term at least.

The rising challenge

Private information is used in many situations – booking flight or train tickets, checking in at a hotel, getting a credit card from the bank, purchasing insurance products or visiting a hospital. There is a high probability that personal information could be exposed and collected during these processes. In some cases, the collected information could possibly be illegally used for activities such as insurance telemarketing, advertising or even telecom fraud.

The issue of privacy protection has raised huge challenges for the Chinese Government, and existing measures to protect privacy and restrict the collection and usage of private information still need to be strengthened.

Personal information crime: the facts

Over the past decade, telecom fraud in China has been increasing at an annual rate of 20 to 30 per cent. In the first seven months of 2016 alone, around 355,000 cases of telecom fraud were recorded, an increase of 36.4 per cent compared with 2015. These cases have directly resulted in a loss of CNY 11.4 billion. Some of the crimes and incidents have caused a significant social impact along with substantial financial loss:

• In August 2016, a teenager died due to a heart attack after her university tuition fee was stolen during a targeted telecom fraud.
• In September 2016, a college professor lost around CNY 17 million, also a victim of targeted telecom fraud.

These incidents quickly drew national focus, putting great pressure on the government. Similar tragedies have occurred, with most of these incidents occurring because personal information was leaked and utilised during telecom fraud.

The Chinese Government has been fighting against personal information crime, especially telecom fraud. By October 2016, the government had solved 93,000 related crimes, preventing the loss of CNY 4.87 billion. In addition to fighting crime, the government is also looking into the root causes and is working on improving the laws and regulations in order to better protect personal information.

Existing laws and regulations

The Chinese Government has published several laws and regulations in which the requirements for protecting private information have been raised, and important terms have been defined:

• Organisations should establish and enforce information security management policies and procedures to protect systems and data – Computer Information System Security Protection Ordinance (enacted in 1994).
• Definition of ‘consumer personal information’ is provided – Consumer Protection Law (first enacted in 1994, amended in 2013).
• Consent from consumers should be obtained before collecting consumer personal information – Measures for Penalties for Infringing upon the Rights and Interests of Consumers (enacted in 2015).
• Definition of ‘user personal information’ is provided – Several Provisions on Regulating the Market Order of Internet Information Services (enacted in 2012).
• Organisations providing Internet services (e.g. company websites) should protect their collected user personal information – Guidelines of Protecting Telecommunication and Internet User Information (enacted in 2013).

Moreover, the Cybersecurity Law was adopted at the National People’s Congress in November 2016, after a year of legislative process, and is scheduled to become effective from June 2017. Critical articles for privacy protection under the new law include:

• Article 22: Where network products and services have functions to collect user information, the provider shall indicate this to users and obtain agreement; where citizens’ personal information is involved, this shall abide by the provisions of this Law, as well as relevant laws and administrative regulations, concerning the protection of citizens’ personal information.
• Article 41: Network operators collecting and using personal information shall abide by principles of legality, propriety and necessity, disclosing their rules for its collection and use, explicitly stating the purposes, means and scope for collecting or using information, and obtaining the consent of the person whose data is gathered.
• Article 44: Individuals or organisations must not steal or use other illegal methods to acquire personal information, and must not sell or unlawfully provide others with citizens’ personal information.

The Cybersecurity Law proffers specific requirements regarding the collection, use and protection of private information. The above articles clarified requirements for the collection of personal information, emphasising that personal information can only be collected after the user agrees to its purpose, method and scope.

Industrial privacy protection requirements

From an industrial perspective, the level of private information protection varies based on different industries:

• The regulatory authorities in the finance industry, such as the China Banking Regulatory Commission (CBRC) and the People’s Bank of China (PBOC), have been emphasising protection of personal information. In December 2016, the PBOC released a new regulation to protect the rights of financial consumers. The policy clearly states that private information obtained through financial business processes should be kept confidential. Illegal use/copy/storage/leaking of private information is prohibited. This regulation could be viewed as an enforcement measure in the finance industry following the privacy protection requirements raised in the Cybersecurity Law.
• For the telecom industry, in 2013, the Ministry of Industry and Information Technology (MIIT) released regulations to protect the personal information of telecom and internet users. The policy has stated the security requirements for telecom companies while collecting and using client personal information. This regulation has been the foundation for fighting against telecom fraud crimes.
• For other industries (like healthcare and education), though currently the supervision is not as strong as in the financial and telecom industries, the authorities are aware of the importance of protecting personal information. Following the enactment of the Cybersecurity Law, we can foresee that regulators will likely publish a series of industry-wide regulations to enhance the protection of personal information.

Privacy protection in the future

Privacy protection will continue to be a hot topic going forward. Both government and other organisations will need to step forward and continue to work on feasible privacy protection practices.

From a governmental perspective, as the Cybersecurity Law will become effective in June 2017, the Chinese State Council, the MIIT and other related industrial regulators will likely publish regulations and guidelines containing more detailed and practical requirements for privacy protection.

From an organisational perspective, if personal information is to be collected and used during the business process, the organisation will need to comply with the privacy protection requirements raised in the Cybersecurity Law and other detailed regulations. For instance, healthcare organisations in China will likely face regulations similar to the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy of patients; financial organisations will likely face stricter regulations, perhaps similar to the European Commission’s General Data Protection Regulation (GDPR), on the collection and use of client personal information.

Regardless of what China’s privacy protection requirements will be in the future, the overall trend is that privacy protection is becoming stricter, and companies and organisations will certainly be required to meet these protection requirements.

For more information please contact: Richard Zhang (+21 2212 2637)

KPMG is a global network of independent member firms offering audit, tax and advisory services. The firms work closely with clients, helping them to mitigate risks and grasp opportunities.

Member firms’ clients include business corporations, governments and public sector agencies and not-for-profit organizations. They look to KPMG for a consistent standard of service based on high order professional capabilities, industry insight and local knowledge.

KPMG member firms can be found in 152 countries. Collectively they employ more than 189,000 people across a range of disciplines.

Sustaining and enhancing the quality of this professional workforce is KPMG’s primary objective. Wherever our firms operate, we want them to be no less than the professional employers of choice.