New China data protection measures welcome but fragmented regime poses compliance challenge for businesses, say experts

Out-Law News | 05 Aug 2013 | 4:03 pm | 3 min. read

The rise of personal data theft in China means new data protection rules set to come into force in the country from next month should be welcomed, although overlapping privacy laws make compliance a challenge for businesses, an expert has said.

Public prosecutors in Shanghai have reported seeing 30 cases of personal data theft in the first half of 2013 compared to just one in the first six months of last year, according to a report by China Daily. The cases largely involve employees selling on personal information, with many of those individuals employed by online shopping companies, the prosecutors said.

"More than half of the suspects committed the crime by taking advantage of their positions, and their motive is to promote products or obtain money by the transaction," Gu Xiaomin, director of the public prosecution division of the Shanghai People's Procuratorate, said, according to the China Daily report.

From 1 September, telecommunications and internet information service providers (IISPs) operating in the People's Republic of China (PRC) will be subject to new rules governing the protection of personal information.

Technology, media and telecoms expert Peter Bullock of Pinsent Masons, the law firm behind, said the Telecommunications and Internet Personal User Data Protection Regulations were to be welcomed. The regulations are the latest in a number of rules on data protection that apply in the PRC, he added.

"Although China's regulators have used data protection as an instrument of control for many years – for example as long ago as 2000 the Administrative Measures Governing Internet Information Services required IISPs and ISPs to retain copies of user details for 60 days and make them available to State authorities; with similar provisions regulating those offering Internet Bulletin Boards and e-commerce services – such regulation of the handling of data was a far cry from doing anything which protected the rights of the internet-using citizen, often referred to as 'netizens' in China," Bullock said.

"However, as the rise of social media increases the opportunities for excessive use of personal data, and identity theft, China-oriented spam reached epidemic proportions, and the security of data increasingly became important for the well-being of citizens, last year the authorities finally started to produce laws which tended to follow data protection principles recognised in EU model data protecting jurisdictions," he added.

Late last year the Chinese Government established new rules that require citizens to provide their real names to service providers when using the internet. Under the rules, service providers must immediately cease providing services to individuals found to have failed to provide their real names. The Government said at the time that the decision "aims to ensure internet information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations and safeguard national security and social public interest".

The new rules also prohibit the sending of commercial digital information to citizens' mobile devices or email addresses unless the individuals' consent has been obtained.

In January the Chinese Government also published non-binding guidelines that set out different expectations around the treatment of both general personal data and more sensitive personal information.

The guidelines set out data protection measures broadly similar to rules effective within the EU. Organisations are prohibited from collecting personal data unless they do so to fulfil a "specific and clear purpose", and must delete the information once they have used it for the purposes for which it was collected. The guidelines also promote the concept of data minimisation and explain that organisations should obtain the express consent of data subjects in order to process sensitive personal data.

However, Shanghai-based technology law expert Kening Li of Pinsent Masons said that there are anomalies in data protection rules issued in China that do not help businesses to comply with the framework.

"The various ministries issuing these laws do so without reference to any of the other laws issued by other bodies," Li said. "This creates a great deal of confusion and the prospect of overlapping and inconsistent laws applying within the same sector."

Li said that the definition of 'personal data' contained within the impending new Telecommunications and Internet Personal User Data Protection Regulations is different from how the term is defined under the guidelines issued by the Ministry of Industry and Information Technology (MIIT) earlier this year.

The expert said that part of the new Regulations also contradicts some older rules implemented within the various municipalities of China.

"Article 9 of the new Regulations requires telecommunications business operators and IISPs to cease collection and use of personal user data once users unsubscribe to their service," Li said. "This is at odds with some of the older, still subsisting regulations which require service providers to keep customer data for longer, set periods."

However, Li said that the Regulations were nevertheless to be welcomed.

"It is to be welcomed that China is making strides to give Chinese citizens protection to their personal data, backed with the force of law," he said. "It is somewhat frustrating that these laws are being issued in a fragmentary fashion, although this is normal practice in the PRC. As always with China regulation, it remains to be seen how these laws will be enforced – such as which companies will face enforcement action and the alacrity with which regulators will act, and whether or not with meaningful penalties against transgressors."