The present and future of data protection in China

As global connectivity increases, so does the importance of effective data protection. Omar Puertas and Chesy Chen of law firm Cuatrecasas, Gonçalves Pereira analyse the still-developing data protection regime in China. They advise enterprises dealing in data-intensive industries to be on top of their game, increase awareness among all staff of the rules governing data protection in China and tighten up internal security controls.

As technical innovations have developed to enable us to store more data for a longer time, companies and governments have been focusing on the implications of big-data, turning their attention to the rules that govern data collection, processing and, eventually, transferring. While some countries and regions have already developed comprehensive regulations that provide a stable framework to address these issues, China has only just started the process. The immaturity of Chinese laws and the scattered nature of the rules applying to data protection preclude proper analysis of the country’s data protection regime.

Instead, when studying the wide array of laws, regulations and administrative provisions to determine what kind of protection is provided and how it can be reasonably expected to be enforced, we find a number of principles and stipulations of Chinese national law—criminal, civil and tort laws—and sector-specific provisions enacted by administrative, judicial and local authorities (financial, health and consumer protection regulations).

Within this normative diversity there is a certain degree of homogeneity under the umbrella of “freedom and privacy of correspondence” established in Article 40 of the 1982 Constitution of the People’s Republic of China. However, although Article 40 acts as a general guiding principle[1] to protect the ‘right to privacy’—which is the essence of data protection—such a generic postulate would be difficult to enforce in specific cases.

Therefore, the first question to be raised is what kind of data is protected? Generally, except for state secrets, ‘personal information’ enjoys legal protection in China, as stipulated by the two main regulatory and supervisory authorities responsible for data issues:

  • The Ministry of Industry and Information Technology (MIIT) considers that ‘personal information’ is defined as information that: (i) can be used to identify the user; and (ii) concerns the user’s time zone and location, including name, date of birth, identification number, address, telephone number, account number and associated passwords.[2]
  • Reinforcing this basic definition, the Measures for Punishment of Infringements on Consumer Rights and Interests (15th March, 2015), enacted by the State Administration for Industry and Commerce (SAIC), adds that personal information is the information collected by business operators while providing goods or services, including gender, occupation, residential address, contact details, income, health conditions and consumer habits.

Only after ‘data’ is defined can we address the issue of general data protection. Protection is structured around two elements: principles and requirements of data protection. Both apply, at the very least, whenever data is collected and processed, for any purpose or under any conditions, and additional principles and requirements apply when data is used in other ways, such as commercialisation.

The basic principles of data protection, which are not interconnected, comprise legality, legitimacy and necessity but also involve others that are more specific. For example, while legitimacy implies the existence of a reasonable purpose for collecting and processing data, necessity requires the amount of data collected to be within the range required for the provision of service. Also, consent from the individual whose data is being collected and confidentiality of that information are general principles that must always be taken into account.

Regarding data protection requirements, the MIIT imposes certain safety measures on telecom business operators and Internet information service providers (Articles 13–15) that, given the scarcity of general provisions, may well be considered general requirements. These safety measures include determining the responsibilities of every department managing personal information, establishing security measures to prevent leaks and taking the necessary measures to prevent intrusion.

A dual approach is necessary, as specific data protection rules in China depend on two variables: the type of data and how it is used. While regulations protect data because of its nature, e.g. health and financial data, they also protect it as a result of what the individual, entity or organisation does with it, e.g. data collection, transfer or analysis.

Based on how data is used, three different situations should be considered. First, when the information is processed by third parties on behalf of the data controller, explicit consent is required. Second, when information has been lost or damaged (e.g. a data leak), the business operator must notify the authorities (although it is not required to inform the data subject). Third, Article 253(a) of the Criminal Law prohibits the sale of individuals’ financial, educational or medical treatment information obtained in the performance of duties of certain key entities such as banks, hospitals and schools.

Then there are specific data protection rules depending on the data’s nature. They include different regulations and administrative provisions raising the protection standards for certain kinds of personal information, including medical records, population health information, information collected by commercial banks and credit information collected by credit reporting entities.

The competent administrative authorities in each sector establish additional requirements regarding this ‘special data’, which generally comprise the obligation to store, handle and analyse all the information collected within Chinese territory. However, since this information is mostly controlled by public or semi-public entities, most of these requirements will have no effect on EU-based enterprises doing business in China.

Nonetheless, one exception should be noted: foreign commercial banks, whose business environment is highly regulated in China. In May 2011, the People’s Bank of China issued the Notice to Urge Banking Financial Institutions to Protect Personal Financial Information (Notice on PFI) barring banks from storing, processing or analysing outside China PFI that is collected in China, and from providing PFI collected in China to entities abroad.

In addition, the banking sector is subject to the new rules introduced by the internal guidelines jointly issued by the China Banking Regulatory Committee (CBRC) and the Ministry of Industry and Information Technology (MIIT) on 3rd December, 2014, (Circular 317). These require banks’ IT suppliers to hand over their source codes for in-depth examination and to build an interface for invasive checking (a backdoor) into their systems when necessary.

This example shows that, while China continues raising the standard for data protection—in particular, the information collected and processed in specific sectors—foreign businesses should be aware of the importance of compliance in this area. The fast-changing and vague nature of the currently applicable rules in China makes it advisable to increase awareness at management level and improve staff training on data protection.

Given the current stage of development of the Chinese regulatory environment, businesses operating in data-intensive industries should maintain a logging and reporting system to access protected data, review and update collection practices, develop their data processing and analysis departments within Chinese territory and provide sufficient protection by means of appropriate security measures.

Cuatrecasas, Gonçalves Pereira is a leading law firm in Spain and Portugal. Its 25 offices worldwide (including Shanghai since 2007) and over 950 lawyers offer added-value legal advice on all areas of business law. With a multidisciplinary team of Chinese, Spanish and Portuguese lawyers and first-hand understanding of China’s legal system, business world and culture, it has been supporting and accompanying Chinese companies investing in Spain, Portugal, Latin America and Africa for the last two decades, as well as European and Latin American companies on their investments in China and Asia.

[1] See Articles 99–102 of the Civil Law, protection of the rights of ‘reputation’ and ‘honour’ in close connection with the right to ‘privacy’ provided by Article 40 of the Constitution. Similarly, Article 2 of the Tort Law reinforces this protection.

[2] Internet Information Services Regulations (MIIT 2011 Regulation); Telecommunications and Internet Personal User Data Protection Regulations (MIIT 2013 Regulation); Information Security Technology – Guidelines for Personal Information within Public and Commercial Services Systems (MIIT 2013 Guidelines).