One big step for data protection in China?

The PRC Standardisation Administration issued a national standard entitled the "Information security technology – Guideline for personal information protection within information system for public and commercial services" (信息安全技朮 公共及商用服务信息系统个人信息保护指南) (the Guidelines) on 5 November 2012. The Guidelines will take effect on 1 February 2013. Michelle Chan, Karen Ip and Clarice Yue provide an overview of key features and some observations below

Background

The Ministry of Industry and Information Technology (MIIT), the regulator of telecom industry in China, first proposed the Guidelines in January 2011 for public consultation. A draft was then submitted for the national standard approval this year.

The Guidelines were a response to numerous incidents involving the misuse of personal information in China. Most recently, it was reported that personal information such as name and identity card number had been extracted from the quick response code (also known as two-dimensional code "二维码") on the train tickets issued by the Ministry of Railways.

Who has to comply with the Guidelines?

Although the Guidelines were proposed by the MIIT and implemented as a national standard, they are intended to regulate all organisations and entities on the protection of personal information. For instance, any service provider in the telecommunications, health and financial services sector, are expected to follow the Guidelines. Notable exceptions are government bodies that exercise any public administration function.

Key limitation of the Guidelines

The Guidelines are only applicable to any processing of personal information that involves the use of an "information system" (eg, a computing system). The Guidelines therefore are quite limited in scope when compared to usual data protection law whereby no distinction is drawn on whether an information system is involved or not.

Main features of the Guidelines

The formal text of the Guidelines has not yet been made available publicly. Based on the draft submitted by the MIIT for approval, the Guidelines will cover the following main areas:

• General principles such as data processor should have a specific objective for handling information, delete such information after achieving the objective, and obtain the data subject's consent before processing.
• Sensitive personal information (ie, which would result in negative implications on the data subject in the event of breach) should only be collected upon the express consent of the data subject.
• The affected data subjects should be notified in the event of security breach and the relevant regulatory body should be informed in any "major" incidents.

Express consent from the data subject is required for any transfer beyond the PRC (unless permitted by law or the relevant regulatory body)

Observations

Under PRC law, the Guidelines do not have the force of law. This is reflected in the fact that the Guidelines do not appear to contain any penalties in the event that they are not complied with. Nevertheless, as a national standard, they are expected to be followed by all relevant organisations and entities.

It should also be noted that the Guidelines must be considered alongside other data protection measures already in place. For example, the existing requirements for granting type approvals for mobile devices and specific requirements on internet content providers relating to handling of personal data, both of which were discussed in our previous publications. It is important for service providers and data processors to comply with these sector-specific regulations on data protection.

Whilst a general data protection law is still being legislated in the PRC, it is clear that the protection of personal information has been the focus of regulators in recent years and the latest Guidelines may well be an important step towards a unified legal framework for data protection.