New Trends of Legal Regulation on Personal Information Protection in China and the Relevant Practical Measures

“Telesales staff may end up in jail.” “It is convenient for employees to submit leave requests and check their wages via apps, but I was told this might carry a huge risk.” ... Recently, a series of laws, regulations and judicial interpretations related to the protection of personal information (hereinafter referred to as “PI”) have been released, and much news about the related risks has been reported, which makes more and more enterprises uneasy about those risks.

However, a thorough understanding of this topic is essential to managing those risks. Enterprises need to know two key things: 1) which regulations on the protection of “PI” apply to their operations; 2) how to reduce the related legal risks.

The laws and regulations on the protection of “PI” and internet security newly released with effect from June 1, 2017 include: the “Cybersecurity Law”, the “Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens’ Personal Information” (hereinafter referred to as the “Interpretation”), the “Provisions on Administration over the Internet News Information Services” and their implementing rules. In view of existing law and these newly released laws and regulations, enterprises can reduce legal risk by regulating the collection, use and transfer of “PI”.

Firstly, the main principles governing the collection of “PI” are the principle of lawful collection, the principle of obtaining consent in advance, and the principle of necessity.

The principle of lawful collection means that nobody may obtain “PI” by illegal means such as purchase or hacking. According to the “Interpretation”, criminal punishment shall be imposed for the illegal procurement, sale or provision of more than 50 pieces of information concerning an individual’s geographic location, content of correspondence, credit history or financial assets.

Article 22 of the “Cybersecurity Law” prescribes that where network products and services have the function of collecting users’ information, their providers shall explicitly notify users and obtain their consent. In practice, in order to understand users’ experience more comprehensively or to develop potential users, some enterprises may need to collect the “PI” of users or potential users. When collecting such “PI”, enterprises shall obtain the consent of the users or potential users concerned by reasonable means. Meanwhile, as noted at the beginning, more and more enterprises use internet platforms or apps to manage employees’ “PI”. Although the “Information Security Technology — Guidelines on Personal Information Protection of Public and Commercial Service Information Systems” (hereinafter referred to as the “Guidelines”) stipulate that the subject of personal information is deemed to have consented when he or she raises no clear objection, considering the importance China attaches to the protection of “PI” (in particular the growing calls for a “Personal Information Protection Law”), it is recommended that enterprises be more careful. For example, when collecting “PI”, an enterprise could place a button on the registration page of its website or app stating “I have read and agree to the terms of use and privacy policy”, and complete registration only when the user clicks that button. This procedure can be taken as the user’s consent to the enterprise collecting “PI”.

Regarding the principle of necessity, the “Guidelines” define it as the principle of the minimum information necessary for the performance of tasks. Therefore, whether it is employees’ information or the information of users or potential users, the enterprise should collect only the minimum information necessary to perform tasks consistent with the stated purpose.
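The consent button described above and the minimum-information principle are both enforced most reliably on the server, not in the page the user sees. The following added example (not code from the article or from any product it mentions) shows a submission handler that refuses a registration whose consent flag is not affirmatively set, records what consent text and policy version the user saw, and keeps only the fields the stated purpose needs, discarding everything else the client sent. The purposes, field sets and policy version label are assumptions constructed for the demo.

```python
"""Server-side consent gate and data-minimisation filter (added example).

The purposes, field sets and policy version below are constructed for the
demo; they are not taken from any regulation, guideline or product.
"""
from datetime import datetime, timezone
from typing import Any, Dict

# The wording shown on the registration button. The consent record stores it
# verbatim so a later dispute can be checked against the text actually shown.
CONSENT_TEXT = "I have read and agree to the terms of use and privacy policy"
PRIVACY_POLICY_VERSION = "v1"  # assumed label for the policy text in force

# Minimum information per purpose (assumed sets). Only these keys are stored;
# anything else the client sends is discarded rather than kept "just in case".
MINIMUM_FIELDS: Dict[str, set] = {
    "account_registration": {"email", "display_name"},
    "leave_request": {"employee_id", "start_date", "end_date"},
}


class ConsentMissing(Exception):
    """Raised when a submission arrives without an affirmative consent flag."""


def accept_submission(purpose: str, form: Dict[str, Any]) -> Dict[str, Any]:
    """Validate consent, strip unnecessary fields and return what may be stored.

    The consent flag must be exactly True once the web framework has parsed the
    form: a missing key, None, "" or any other value is refused, so silence is
    never read as agreement.
    """
    if purpose not in MINIMUM_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    if form.get("consent") is not True:
        raise ConsentMissing("registration refused: consent button not clicked")

    allowed = MINIMUM_FIELDS[purpose]
    kept = {k: v for k, v in form.items() if k in allowed}
    dropped = sorted(k for k in form if k not in allowed and k != "consent")

    # Evidence of consent: purpose, exact wording, policy version and time.
    consent_record = {
        "purpose": purpose,
        "text_shown": CONSENT_TEXT,
        "policy_version": PRIVACY_POLICY_VERSION,
        "given_at": datetime.now(timezone.utc).isoformat(),
    }
    return {"data": kept, "dropped_fields": dropped, "consent": consent_record}


if __name__ == "__main__":
    # Constructed sample submission: the client sent more than registration needs.
    sample = {"email": "user@example.com", "display_name": "Li",
              "home_address": "constructed", "consent": True}
    print(accept_submission("account_registration", sample))
```

The handler treats the dropped field list as something worth logging: a client that keeps sending fields the purpose does not need usually points at a front-end form collecting more than the minimum, which is the place to fix the problem rather than the server.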

Secondly, the use of “PI” is controlled mainly in two respects:
(1) Limitation of the purposes of use
The “Guidelines” stipulate that an enterprise shall not change the purpose for which “PI” is handled, whether for processing, use or transfer, without the knowledge of the subject concerned, and shall delete the “PI” involved within the shortest possible time after the handling purposes are fulfilled. Many enterprises hold the incorrect view that “PI” they have collected lawfully is their own property, so they may use it at their own discretion.

(2) Reasonable information protection measures
According to the “Cybersecurity Law”, network operators shall take technical and other necessary measures to ensure the security of the “PI” they have collected and to prevent it from being divulged, damaged or lost. When “PI” is or may be divulged, damaged or lost, they shall take remedial measures immediately, notify users in a timely manner in accordance with the relevant provisions, and report to the competent authorities. In practice, enterprises should apply strict encryption to “PI” stored on network platforms or in apps, to prevent internal staff from disclosing it illegally and third parties from stealing it; access to “PI” should be limited to those internal staff and/or third parties who need to know it; and enterprises should conduct periodic security assessments of their storage devices. When “PI” is divulged, enterprises shall notify users in a timely manner so that users can take remedial measures immediately, and shall report to the competent authorities and cooperate with inspection by law enforcement agencies.

Further, it should be noted that the “Cybersecurity Law” prescribes for the first time that where “PI” collected within the territory of China needs to be sent abroad, a security assessment shall be carried out in accordance with the measures formulated by the national Internet information department together with the relevant departments of the State Council. Therefore, “PI” collected by enterprises should be stored in China, and if “PI” has to be sent abroad, enterprises shall complete the examination and approval procedure.