Is it Time to Revise Your Company's Personal Data Privacy Policies? New Legislation Demonstrates China Is Serious About Personal Data Privacy

Publication year: 2014
Author: Russell Leu, Sheppard Mullin Richter & Hampton LLP*

A common question a foreign company doing business in China asks is how to administer and maintain the personal data of its employees, especially when such personal data is collected, transmitted or stored online. Companies doing business in China should take heed that China is now paying more attention to online personal data privacy protection, and this may especially include a company's handling of an individual employee's personal data. For companies seeking to enter China's lucrative e-commerce market, this summary may provide a starting point for structuring a business plan.

Recently, China has enacted new personal data privacy laws which govern the collection, use, maintenance and dissemination of personal data. These laws are directed at a wide range of groups, including network service providers, business enterprises and business operators, organizations and government institutions. The new laws were developed in response to two growing pains: first, employees of government institutions that collected large amounts of data electronically in the course of their business activities were selling or unlawfully providing personal data to third parties; second, China's consumers have developed an enormous appetite to spend domestically via e-commerce. China's e-commerce is a lucrative retail market with serious business implications, as 40% of its population uses the internet, and its economy has benefited greatly from domestic e-commerce retail spending. In 2012, Chinese consumers spent RMB 1.3 trillion on online purchases, and it is estimated that by 2015, online purchases will reach RMB 3.3 trillion.[1]

Last year, Chinese lawmakers passed a set of significant laws addressing personal data privacy. To ensure compliance, companies should be aware of the various new rules and regulations affecting the collection, processing, and use of personal information. The passage of this new legislation presents an opportune time for companies to internally review existing data collection and management policies and practices; determine whether these policies and practices comply with the new laws; and where necessary, develop or revise appropriate policies and practices.

I. CHINESE LEGISLATION ON PERSONAL DATA PRIVACY

In the last few years, Chinese lawmakers have taken significant steps to protect personal information and ensure data privacy. At the end of 2011, the Standing Committee of the National People's Congress ("NPC") passed the 2012 Decision on Strengthening Network Information Protection[2] ("Decision"), followed by the Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems[3] (the "Guide"), which came into effect in February 2013. A few months later, on March 15, 2012, the Certain Regulations on Standardizing the Order of the Internet Information Service Market[4] (the "Regulations") became effective. Most recently, China passed the Amendment to the Law of the People's Republic of China on the Protection of Consumer Rights and Interests[5] ("Consumer Amendment"), which became effective on March 15, 2014. The following summaries explain key aspects of these laws.

A. The Decision

On December 28, 2012, the NPC put into effect the 2012 Decision on Strengthening Network Information Protection. The law governs the collection, handling, and use of personal electronic information, which is defined as information that can indicate the identity of individual citizens or affect their personal privacy.[6] The law regulates network service providers, businesses and public institutions when they collect and use personal electronic information in their business activities.

The Decision requires that network service providers, businesses and public institutions obtain consent from the subject of the information, as well as specify the purpose, ways, and scope of the information's collection and use.[7] It also requires providers to keep the collected data strictly confidential and prohibits their disclosure, alteration, sale, or illegal transfer. In addition, parties must develop measures to...
