Network operators in China face fines multiple 'unlawful gains' made from misusing personal data

Out-Law News | 08 Nov 2016 | 5:10 pm | 1 min. read

Businesses that own or manage networks in China, as well as those that provide network services in the country, could be forced to pay fines of up to 10 times the value of "unlawful gains" made from mis-using personal data under new cybersecurity laws set to come into force next year.

The new legislation, finalised earlier this month, will come into effect on 1 June 2017.

According to an unofficial English translation by China Law Translate, network operators will be required to abide by rules governing their collection, use and sharing of personal information, defined under the legislation  as "all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity".

The rules prohibit network operators from collecting personal information that is "unrelated to the services they provide" or from disclosing, tampering with or destroying the data they gather. The will be banned from sharing personal information unless they have "the consent of the person whose information was collected" except where the data has been anonymised.

The network operators must adopt "technological measures" and other necessary steps to secure personal information from being leaked, destroyed or lost and will be obliged to report breaches "promptly" to both users and Chinese authorities. Where a network operator fails to comply with the new rules on personal information they can be forced by consumers to delete the personal data they store about them.

The new legislation outlines potential sanctions network operators could face for breaching the specific provisions on personal information. One possible penalty is a fine of up to 10 times the "unlawful gains" made from infringing the rules. Alternative penalties could include the closing down of websites, or the cancellation of operations permits or business licenses.

The law defines 'networks' broadly as "systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing".

Beyond issues of data privacy, network operators in China will be new network security obligations. These include requirements to "internal security management systems and operating rules", and adopt technological measures to "prevent computer viruses, network attacks, network intrusions and other actions endangering network security".

Network product and service providers face similar obligations. They are required to "immediately adopt remedial measures" upon discovering security flaws or vulnerabilities in their products or services, and must provide continuous "security maintenance" unless otherwise agreed with clients.

Operators of Chinese critical national infrastructure face stiffer restrictions on their operations under the new legislation. They will generally be prohibited from storing personal information outside of China, be expected to put in place, test and act on "emergency response plans for network security incidents" and will be expected to "provide technical support" to Chinese authorities.