by Paul Jones

China has been working on a form of privacy legislation since 2003, generally based on the European model. Drafts were produced in 2005, but the drafting has not moved forward very quickly.

However in November 2010 a major dispute arose between two internet service providers, Tencent Holdings Ltd., the operator of the QQ messaging system and Qihoo 360 Technology (listed on the NYSE) and known for its anti-virus and security software, and  in which access to customer data was a major concern and a large number of subscribers were inconvenienced. Various government ministries intervened in the dispute, most likely because so many subscribers were being harmed in an essentially commercial dispute and since then there has been an increased effort to finalize and adopt rules regarding behavior on the internet and e-commerce.

Decision On Strengthening the Protection of Network Information

On December 28, 2012 the Standing Committee of the National People’s Congress adopted what they called a “决定” or “Decision,” namely “关于加强网络信息保护的决定” (Decision On Strengthening the Protection of Network Information).

 The Decision came into effect on the date of adoption. As one commentary has noted “the decision merely affirms legal obligations already put in place by prior legislation”. The most significant aspect of the Decision is that it was issued by the Standing Committee of the NPC. This is the same body that adopted the Anti-Monopoly Law in 2007.

The PRC is a civil law jurisdiction. The laws adopted by the higher authorities tend to set out general principles and lower level regulations adopted by government ministries provide more detailed rules for the implementation of the principles. Until the adoption of the Decision the NPC had not adopted a set of principles on privacy protection, perhaps in part because it was waiting for the completion of the omnibus privacy law that appeared in draft in 2005. But the Tencent – Qihoo dispute meant that some rules were needed for the internet. The rules in the Decision apply only to electronic information concerning the privacy of individual citizens.

MIIT Guidelines

This coming Friday, February 1^st, another set of rules will come into effect that assist in the implementation of the principles. On November 5, 2012 the PRC Standardization Administration (中国国家标准化管理委员会) issued a National Standard entitled “信息安全技朮 公共及商用服务信息系统个人信息保护指南” (Guideline for Personal Information Protection for Information Systems in Public and Commercial Services). The Guide does not have the force of law.

Unfortunately the current text of the Standard is not yet available online. However a draft version entitled ”信息安全技术个人信息保护指南” (Information Security Technology – Guide for Personal Information Protection) was released February 10, 2011.

The Guide is not a general privacy protection system, but rather like the early privacy laws in the German State of Hesse and in in Taiwan, it is limited to processing of personal information that involves the use of an information system. An English commentary is available here.

The two new items become additional parts of the PRC personal information protection rules, alongside a number of other laws and regulations. Hopefully, as has happened in other areas of the law, all these rules will be consolidated into a more concise and easier to read framework when the general privacy law is eventually adopted.

Shanghai Court Fines Dun & Bradstreet for Data Collection Practices

Do the PRC privacy laws work? According to a WSJ story on January 9, 2013 a court in Shanghai fined Dun & Bradstreet’s local unit 1 million Yuan ($160,648 USD) and fined a couple of employees as well for the improper purchase of data on more than 150 million Chinese citizens.

WSJ Story (subscription required)