Privacy & Information Security Law Blog

On December 28, 2012, the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China passed the Resolution of the Standing Committee of the NPC Relating to Strengthening the Protection of Information on the Internet (the “Regulations”). The Regulations contain significant and far-reaching requirements applicable to the collection and processing of electronic personal information via the Internet.

The Standing Committee of the NPC is a subsection of the full national legislature that meets several times a year (the full legislature meets only once a year). The Standing Committee is empowered to pass laws that are national in scope, but aren’t at the “basic law” level. “Basic laws” are those that have nationwide application and relate to fundamental elements of the state and society. The Standing Committee also has the authority to amend and supplement national laws, including basic laws passed by the full session of the NPC.

The Regulations begin with two broad statements that, on their face, are not limited to information processing on the Internet: (1) the State will protect electronic information that can identify individuals and implicate their private affairs, and (2) no organization or individual may misappropriate or otherwise obtain electronic personal information by unlawful means, or sell or otherwise unlawfully provide it to other persons. Interestingly, the first statement comes rather close to providing a general definition of “personal information.” It characterizes the information that is subject to State protection as “electronic information that can distinguish the individual identities of [Chinese] citizens” and touches upon the individual private affairs of Chinese citizens.

The Regulations then set forth a number of requirements that are more specifically directed at Internet service providers (“ISPs”) and other businesses that handle electronic personal information (typically referring to non-profit enterprises), including:

• ISPs and other businesses (non-profits) must adopt and comply with rules for their collection and use of electronic personal information, and make the rules publicly known.
• ISPs and other businesses must clearly state the purpose, means and scope of their collection and use of electronic personal information, and obtain the consent of the data subject for such collection and use.
• ISPs and other businesses must maintain electronic personal information in strict confidentiality.
• ISPs and other businesses must not divulge, alter or destroy electronic personal information obtained in the course of their business activities, and may not sell it to other persons.
• ISPs and other businesses must adopt information security safeguards, and must take immediate remedial measures when they discover users distributing information illegally.
• ISPs must report to relevant government agencies when they discover users distributing information illegally.

The Regulations contain one provision which could actually erode the protection of personal privacy: ISPs must require that customers provide their real names on agreements for the provision of access- or information-related services.

The Regulations also include a private right of action for aggrieved individuals.

The text of the Regulations is fairly brief, and it is not yet clear how certain terms (such as the data subject consent requirement) will be interpreted or applied, but since they were passed by the Standing Committee of the NPC, the Regulations will be effective nationwide. Although the Regulations impose rules of very broad application, their scope is limited to electronic personal information and, for the most part, only Internet-related processing. It would be fair to say that the Regulations are a particularly broad and far-reaching development in the piecemeal, sector-by-sector emergence of a patchwork regulatory framework addressing the handling of personal information in China.