Issue No. 15, December 2015
www.asiallians.com
PERSONAL INFORMATION PROTECTION UNDER AMENDMENT IX
TO THE CHINESE CRIMINAL LAW
The Chinese Internet industry has been developing rapidly, especially in B2C and C2C e-commerce.
On November 11th, 2015, the sales volume of Taobao (a B2C platform owned by Alibaba Group) reached
CNY 91.2 billion (around 14 billion USD), with around 680 million online deals completed and the packages
delivered all across the country.
Large amounts of information and data circulate continuously, such as names, addresses, ID and
passport information, mobile and credit card numbers, etc. Such information is handled by a large
number of persons, including but not limited to the employees of Internet websites and platforms, engineers,
customer and after-sale service staff, and delivery men, not to mention possible handling by public servants and
governmental bodies, such as Public Security Departments.
In 2015, C-trip, one of the most profitable online travel agencies in China, was hacked and, according to
public media reports, approximately 16,800 users' personal data were leaked, including credit and
payment card numbers and CVV, which were not encrypted. Calls poured in from credit card users to their
banks to block the use of their credit cards.
Against this background, the Standing Committee of the National People's Congress has enacted
Amendment IX to the Chinese Criminal Law (hereinafter "Amendment IX"), which became binding on 1
November 2015. Among many other changes, data protection is considerably strengthened.
Existing Laws and/or Regulations with Data Protection
• The Decision on Strengthening Online Information Protection.
The Decision on Strengthening Online Information Protection (the "Decision") was issued by the Standing
Committee of the National People's Congress on December 28th, 2012. The Decision is designed to
protect sensitive information that may potentially identify an individual or leak personal privacy.[1] The
Decision applies to companies/entities in both the public and private sectors, including governmental
officials. Nevertheless, its protection of personal information is limited to the digital sphere. Although
commentators described this Decision as a milestone for privacy legislation in China, its wording remains
vague, its provisions are general, and it enacts no significant penalty or punishment.
• The Guide of Personal Information Protection on Information Security Technology, Public and
Commercial Information Service System.
On February 1st, 2013, the Guide of Personal Information Protection on Information Security
Technology, Public and Commercial Information Service System (hereinafter the "Guide") was issued by
the Ministry of Industry and Information Technology. The Guide is the first national standard of personal
information protection. It is not a law, but it clarifies key expectations for various organizations
(except governmental agencies) that collect personal information. It also outlines how personal
information is to be handled in four phases: collection, processing, transfer, and deletion. Because it is
only a guideline with definitions and standards of personal information, its implementation has been
difficult to assess.
• Rules for Protection of Personal Information Protection of Telecom and Internet Users (the
“Rules”)
The Rules, issued by the Ministry of Industry and Information Technology (“MIIT”), were formulated in
accordance with the Decision on Strengthening Protection of Network Information (the “Decision”)
and came into effect on September 1st, 2013. Because telecommunications operators and Internet
information service providers (collectively, the “Operators”) in China do not attach sufficient importance
to users’ personal information security, the Rules apply to activities involving the collection of personal
data in the course of providing telecommunications and Internet information services. They are
implemented by the telecommunications regulatory authority, composed of MIIT and its local
counterparts.
The Rules set out the definition of personal information; standards for the collection and use of information;
management of agents; security assurance measures; and legal liability. With these provisions, the
Rules are intended to make clear the guidelines that Operators must comply with when collecting and
using users' personal information in the course of providing their services. These measures should be taken
by the Operators in order to protect the users’ lawful interests.[2]
• Regulation on Medical Records Management in Medical Institutions
This Regulation aims to strengthen medical records management in medical institutions, ensuring
medical quality and safety and safeguarding the legitimate rights and interests of doctors and patients.
The Regulation also sets out the definition of medical records. It applies to medical record management in
all kinds of medical institutions at all levels. Medical institutions and medical staff shall strictly protect
patient privacy. Any leakage of patients’ medical records for non-medical, non-teaching or non-research
purposes is forbidden.
• Consumer Rights and Interests Protection Law, PRC
The newly revised PRC Consumer Rights and Interests Protection Law, which came into effect on March 15th,
2014, fills the gap between legislation and the development of the Internet industry. In this newly revised
Consumer Rights and Interests Protection Law, there are two articles dealing with the protection of
consumers' personal information.
Art. 14 provides that consumers shall have the right to have personal information protected in
accordance with the law when purchasing and using merchandise or services.
Art. 29 provides a series of measures that apply when business operators collect or use consumer personal
information obtained either online or offline.
Further, Art. 29 also requires the consent of the consumers when a business operator collects and uses
their information.
However, it does not define the format of such consent, or whether it shall be given orally or in
written form. The revised law was launched against the background of changes in consumption patterns,
payment modes and so forth. Although it can still be improved, it initiates a legislative trend of paying more
attention to personal information protection and makes the Consumer Rights Law an integral part of the laws and
regulations governing data privacy in China.
• Measures for Administration of Population Health Information (the “Measures”)
The Measures were issued by the National Health and Family Planning Commission and came into effect on
May 14th, 2014.
The Measures define population health information as the basic population information, medical service
information and other population health information generated by medical, health and family planning
service agencies of various levels in their service and management process in accordance with the
national laws and regulations and their duties.
• Administrative Measures for Online Transactions.
The new Administrative Measures for Online Transactions came into effect on March 14th, 2015. These
administrative measures apply to all online sales of products or services, including via mobile
applications. They regulate the activities of individuals, enterprises and other entities that engage in
applicable online transactions with consumers or other enterprises or entities, especially with regard to
payments and settlements in connection with product or service sales, Internet access, server hosting,
website and webpage design, third-party transaction platforms, credit ratings and virtual space rental,
including cloud applications.
The New Amendment IX Regarding Data Protection
Essentially, two aspects are amended compared with the previous version of the law.
(i) The scope of entities covered and the penalties are increased for the crime of "illegal acquisition of citizen's personal
information" and the crime of "sale and/or illegal provision of citizen's personal information."
Article 253(1) of the Criminal Law is revised as follows: "Whoever, in violation of the relevant provisions of
the State, sells or provides others with the personal information of a citizen with serious circumstances
shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention and
concurrently or separately sentenced to a fine; if the circumstances are severe, the person shall be
sentenced to fixed-term imprisonment of three to seven years and concurrently sentenced to a fine."
Previously, the Chinese Criminal Law prohibited employees of government agencies or institutions in the
financial, telecommunication, transportation, education or medical sectors from selling or otherwise
unlawfully providing to third parties personal data of any Chinese citizen to which these employees have
access in the course of performing duties or services at any such agency or institution.
However, under this amendment, Art. 253(1) now applies to all entities.
Therefore, Article 253 allows stricter protection of personal information.
(ii) The crime of network service providers failing to perform their information network security
management obligation is introduced in Amendment IX.
One article is added after Article 286 of the Criminal Law as Article 286-1, providing that, in any of
the following circumstances, where network service providers do not perform information network security
management duties as provided by law or administrative regulations, and fail to make corrections upon
being ordered by the oversight and management department, they could face a sentence of up to three
years' imprisonment, short-term detention or being put under surveillance, and/or a fine.
Conclusion
Regarded as a signal to the IT industry and to all entities dealing with the management of data, Amendment
IX is intended to increase the protection of personal data handled through the Internet. Currently, and as
mentioned above, the relevant rules are scattered across numerous legislative and administrative texts.
Thus, it is important for entrepreneurs and multi-national companies expanding their business in China
through or with Internet tools to treat customer and user information more carefully than ever, so as to avoid
unnecessary trouble and, eventually, criminal liability.
[1] China: the Strengthening of Online Private Information Protection, see
http://www.hldataprotection.com/2013/01/articles/consumer-privacy
[2] China: Rules for the protection of personal information of telecommunications and internet users, see
http://www.twobirds.com/en/news/articles/2013/china/rules-for-the-protection-of-personal-information-oftelecommunications-and-internet-users
All ASIA NEWS are available on our website www.asiallians.com.
This ASIA NEWS is informative in nature and cannot be deemed as a legal opinion. It is issued on a free of charge basis and for the viewer's private use.
All information contained herein is of the sole responsibility of the viewer.