China has yet to promulgate a specific and standalone privacy or data protection law. However, pursuant to the amended Law of the PRC on the Protection of Consumer Rights and Interests (which came into effect in March 2014), business operators which provide goods or services to PRC consumers, among other things: i) should adopt the principles of legality, legitimacy and necessity in their collection and use of consumers’ personal data; ii) should explicitly inform the consumers of the purposes, scope and manner of data collection and use and obtain their consent to the same; iii) should disclose their personal data collection and use practices and must not collect or use the personal data of consumers contrary to any laws or regulations or beyond the scope as agreed with the consumers; iv) must keep the consumers’ personal data strictly confidential, and must not disclose, sell or unlawfully provide the same to a third party; v) should adopt technical and other necessary measures to ensure that the personal data is secure and to prevent data leakage or loss; vi) should take remedial steps at once where data leakage or loss occurs; vii) must only send commercial messages to consumers with their consent or at their request, or where they have not expressly declined the receipt of the same. If a business operator violates the above provisions and infringes upon the personal information of consumers, the State Administration for Industry and Commerce or its local counterparts may issue a warning, confiscate illegal income, impose a fine of not less than once but not more than 10 times the illegal income, and/or impose a fine of not more than RMB500,000 (approximately USD83,000) if there is no illegal income. In serious circumstances, the business operator will be ordered to cease business and reorganize, and its business licence will be revoked.
Individuals may bring a civil claim for monetary damages for any harm suffered, and may also demand an apology from the offender. Under China’s Tortious Liability Law (which came into effect on 1 July 2010), violation of another’s “civil rights and interests” would give rise to tortious liability, and privacy rights are expressly listed as a form of civil rights and interests.
The PRC Criminal Code makes it an offence for individuals working in financial institutions, telecommunications companies, transportation companies, educational institutions, medical institutions, or government organizations to sell or illegally provide personal information collected during the course of work or provision of services. Offenders may be detained or jailed for not more than 3 years and/or fined. Individuals stealing or illegally obtaining such information will be subject to the same penalties in serious cases. Where an organisation commits the above offences, it will be subject to a penalty and its officers who are directly responsible for this will be subject to the penalties that are applicable to individual offenders as discussed above. Recently, amendments to these provisions have been proposed: i) the offence of sale or illegal provision of personal data will be applicable to all industries across the board (instead of the 6 designated industries); ii) a new offence will be introduced: anyone selling or illegally providing personal information of an individual to a third party without the individual’s consent will be subject to detention or imprisonment for not more than 2 years, and/or imposition of a fine. Note that such proposed amendments have not been passed yet.
Selected Enforcement Actions / General Comments
The authorities have stepped up their efforts in enforcing the laws in relation to the sale of personal data, and the sensitivity regarding the use of personal data continues to increase from prior years. Further, the authorities are keen to combat the practice of “doxing” (i.e. Internet users banding together to expose an individual to public humiliation by disclosing the individual’s personal information or “private affairs”), which has become very common in China in recent years. One example is the passage of the Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules Regarding Cases of the Infringement of Personal Rights over Information Networks, which came into effect in October 2014. The Provisions expressly prohibit “doxing” but may be read to apply more broadly to the online disclosure of personal information on the Internet in general.