China has not yet established comprehensive and systematic personal information protection legislation. The PRC Constitution and the General Principles of the Civil Law of the PRC (1986) both refer vaguely to certain personal rights, but neither expressly provides for privacy. The Tort Liability Law (2009) does refer to privacy, but (with the exception of medical information) it doesn't specifically define the types of information that must be kept private. Instead, it merely acknowledges the existence of such a right.
These laws were enacted by the National People’s Congress (NPC) and are supported by various administrative regulations enacted by the ministries. For years, China has been discussing and working on a draft Personal Information Protection Law, and a draft was made available internally among the authorities in 2005, but there is no schedule for promulgation of this law.
Because the NPC and State Council have been dragging their heels, the Ministry of Information and Industry of China (MIIT) has published a draft document called Information Security Technology - Guide for Personal Information Protection (the “Draft Guide”). If the Draft Guide is eventually enacted, it will be enacted by the Administration for Quality Supervision, Inspection and Quarantine (AQSIQ) and the Standardisation Administration of China (SAC). It will not be enacted by the MIIT itself, because it is written in the form of an industrial standard, which falls within the scope of authority of AQSIQ and SAC. It will, however, have legal force.
The Draft Guide, if enacted, will be the first single systematic standard to regulate management and processing of personal information carried out by information administrators (信息管理者) (such as websites). The major features of the Draft Guide are summarised below.
The Draft Guide governs the use of information systems to manage personal information. It grants various rights to the individual whose personal information is managed (个人信息主体) (the “Individual”), including the right to or refuse the information administrator’s management of his/her personal information, alteration rights, and others.
The Draft Guide requires the information administrator to take a series of measures to protect personal information, summarised as follows:
(a) Transfer - The information administrator should obtain express consent from the Individual before transferring personal information to others. Without authorisation under the law or approval by relevant competent authority, the information administrator may not transfer personal information to information administrators registered outside China (the “Transfer Restriction”). This provision may have a significant impact on multinational companies saving employees’ personal information outside China.
(b) Management and subcontracting - The information administrator should ensure the security of personal information when the administrator or a subcontractor processes the information.
(c) Collection - The information administrator must collect personal information directly from the Individual in a “legitimate” manner.
(d) Utilisation, blocking and deletion of information - Without express consent from the Individual, the information administrator should not make any personal information public. The information administrator must delete relevant personal information upon the Individual’s request where such request is based on reasonable grounds.
(e) Information management - The information administrator should set up personal information protection policies and take precautionary measures and counter-measures to prevent illegal use of personal information.
If the Draft Guide is promulgated and takes effect, it will be a significant step for privacy rights of individuals in China. At the same time, it will have a material impact on the operation of multinational companies, internet content providers (ICPs), and internet service providers (ISPs), especially those that have stored PRC individuals’ personal information outside China.
The affected entities will have to revisit their personal information management systems, including the storage and use of employees’ personal information and of the personal information of ICP and ISP end-users.
The Transfer Restriction, if enacted, will require multinational companies’ employees’ personal information saved outside China to be deleted and re-saved in China. The provision is, at present, worded too broadly, and multinational companies should keep a close eye on the development of this guide.
Mallesons Stephen Jaques is licensed in China as a foreign law firm and, as is the case for all international law firms, we are not authorised to issue legal opinions on matters of Chinese law. This publication is only a general outline. It is not legal advice. You should seek professional advice before taking any action based on its contents.