background image
F A L L 2 0 1 3
the development of data protection in
Decision on Strengthening the Protec-
tion of Internet Data
On December 28, 2012, the Stand-
ing Committee of the National People's
Congress published the Decision on
Strengthening the Protection of Internet
Data (the "Decision"). The Decision sets
forth requirements for certain internet
service providers ("ISPs"), telephone
companies, and other organizations,
including government agencies, that
collect personal information in digital
form in the course of providing services
(collectively "Data Collectors").
In particular, the Decision requires
that Data Collectors:
i. Inform individuals of the purpose,
manner and scope of their collection
of electronic personal information;
ii. Obtain consent from users before col-
lecting electronic personal informa-
iii. Strictly maintain the confidentiality
of all electronic personal information
collected during the course of their
iv. Develop and publish policies for
the collection and use of electronic
personal information; and
v. Take immediate remedial measures
and notify the competent authori-
ties in the event of a discovered or
suspected disclosure or leak of the
stored electronic personal informa-
Data Collectors that fail to comply
with the above-listed requirements may
be subject to fines, confiscation of any
illicit gains, revocation of licenses and
registrations, termination of websites,
as well as potential civil liability to the
affected users.
The Decision contains one provision
that may be counterproductive to the
protection of personal information. This
provision, often referred to as the "Real
Name Provision," requires that users
provide their real names when entering
into an agreement for the provision of
While the Decision is the first na-
tional, binding regulation regarding data
protection, it contains only 12 broadly
worded articles. Therefore, Data Col-
lectors will probably have to wait for
an official guideline or interpretation
regarding the implementation impact of
these requirements, including the Real
Name Provision.
Guideline for Personal Information Pro-
tection Within Information Systems for
Public and Commercial Services
On November 15, 2012, the Ministry of
Industry and Information Technology (the
"MIIT") issued the Information Technol-
ogy Security Guideline for Personal
Information Protection Within Informa-
tion Systems for Public and Commercial
Services (the "Guideline"). Although
the Guideline is not legally binding, it is
relevant insofar as it provides the basic
principles on which further regulations
will likely be based.
The Guideline provides the first
national definition of "personal informa-
tion," which it defines as "information
that can identify users independently or
in combination with other information."
The Guideline also identifies two catego-
ries of personal information: sensitive
personal information," which is informa-
tion that, if disclosed, could have adverse
effects on the individual, and "general
personal information," which includes all
other personal information.
Additionally, the Guideline provides
eight principles that should be followed
in the handling of personal information:
i. Organizations should have a clear
and justifiable purpose for collecting
personal information;
ii. Organizations should collect the
minimum amount of data required for
such purpose;
iii. Organizations should publish the
purpose, manner, and scope of their
personal information collection;
iv. Organizations must obtain express
consent before collecting sensitive
personal information;
v. Organizations must ensure that all
information collected is complete and
vi. Organizations shall strictly maintain
the confidentiality of personal infor-
mation and take appropriate mea-
sures to ensure that such personal
information is kept secure;
vii. Organizations shall no longer use
personal information once the
original purpose for which it was col-
lected has been completed; and
viii. Organizations must establish and
implement appropriate internal poli-
cies for the maintenance of personal
It is worth noting that many of the
above-listed principles mirror some
of the requirements established in the
While the Guideline came into effect
on February 1, 2013, no official text has
been released. Also, it is important to re-
member that the Guideline is not legally
binding. Nevertheless, the Guideline
is the first national standard for data
protection that applies to all industries,
and therefore should be reviewed by all
companies in the development of their
data protection policies and procedures
in China.
China recently increased its focus on
data protection issues, in particular,
those regarding personal information
submitted electronically. Although
China does not yet have a comprehen-
sive national data protection plan, the
Government has published a number of
administrative regulations and related
advisory rules over the past year that
have significantly advanced data protec-
tion issues in China.
These regulations, some of which are
binding and some of which are merely
advisory, will likely become the founda-
tion on which China's data privacy laws
are built. Therefore, foreign companies
will benefit from familiarizing them-
selves with these policies, even those
which are not binding, as the principles
will likely be incorporated into subse-
quent regulations.