Cybersecurity

China Adopts New Administrative Measure To Protect Internet Privacy And Personal Information

In China, which is the primary supplier and assembler of computers and computer parts, including mobile phones and other related or derivative devices, more than 600 million people are online daily, according to the World Bank. Such statistics indicate that the number of Internet users in China now far surpasses the number in the European Union (which has the second-largest number of users) as well as in the United States (the third-highest number of users).

Western businesses rely on the Internet to order products, goods and services from China, but they are also anxious to use the Internet to try to sell to the burgeoning middle-class consumer markets in China. Although China has thriving markets and resources for Internet transactions – from the ubiquitous Alibaba and its subsidiary Taobao (the Chinese equivalent to eBay), to Renren (the Chinese equivalent to Facebook) and Tencent (a powerful Internet services portal) – security and privacy have always been a concern for commercial transactions over the Internet in China. Those concerns are in addition to worries about the political information and control issues in China and many other countries.

Visitors to China often remark on how few consumers use credit cards at retail establishments out of fears about identity theft. It had been clear to many in the West that to continue the growth of Internet usage and bolster its commercial aspects, China would need to adopt strong privacy and information protection regulations. Until recently, however, there have been a few regulations that apply only in part, or tangentially, to Internet transactions. And an interim regulation that lacked specificity was by definition only a short-term set of regulations and did not, among other things, protect businesses that engaged in commerce with other businesses over the Internet.

On March 15, 2014, the newly adopted Administrative Measures for Online Transactions (the “Administrative Measures”) came into effect in China. The Administrative Measures were issued in advance by the PRC’s State Administration for Industry and Commerce (the “SAIC”) on January 26, 2014, and now supersede the prior Interim Measures for the Administration of Online Commodities Trading and Relevant Services. The new Administrative Measures apply to all online sales of products or services, including via mobile applications. They regulate the activities of individuals, enterprises and other entities (the “Regulated Persons”) that engage in applicable online transactions with consumers or other enterprises or entities (the “Protected Class”). Those include (inter alia) payments and settlements in connection with product or service sales, Internet access, server hosting, website and webpage design, third-party transaction platforms, credit ratings and virtual space rental, including cloud applications. The fact that privacy protections – including with respect to personal information and also business secrets – will now extend to enterprises and other entities that engage in commercial transactions online (and not merely individual consumers) is particularly significant.

Duties Imposed On Regulated Persons

The Administrative Measures impose duties and regulations on how Regulated Persons can collect and use information regarding consumers and also relating to other members of the Protected Class. Under the Administrative Measures, Regulated Persons must:

  • Clearly inform members of the Protected Class regarding the purposes, methods and scope of collection and use (the “Regulated Activities”) of their data (the “Protected Data”);
  • Obtain prior consent from members of the Protected Class, with regard to the Regulated Activities and the Protected Data;
  • Create, adopt and publish policies for lawful Regulated Activities with respect to Protected Data;
  • Maintain Protected Data in strict confidence, and not disclose, sell, license or otherwise illegally provide Protected Data to third parties, and adopt satisfactory procedures to ensure that no unlawful disclosures of information shall occur;
  • Collect credit ratings information with respect to members of the Protected Class through established, legitimate channels, and not arbitrarily adjust credit ratings information, nor use credit information for any unlawful purposes (and violators will be subject to specific penalties); and
  • Desist from sending any commercial information to members of the Protected Class without such members’ express consent or request (Protected Class members may expressly opt to refuse delivery or receipt of such commercial information).

The scope of the new Administrative Measures also includes regulation of third-party business transaction platform providers (which therefore are also “Regulated Persons”), which must establish systems to protect information and must report to SAIC any violations or accidental leaks that may occur. Such third-party platform providers might include such Chinese hallmarks as Taobao and Alibaba. Also, consumers can also file complaints to SAIC regarding alleged violations by Regulated Persons.

Except with respect to wrongful uses or abuses of credit information as discussed above, the new Administrative Measures do not yet provide any specific or new penalties for violations of the Internet privacy rights of members of the Protected Class. Instead, infringers may be subject to penalties and fines under other existing laws, such as consumer rights laws, and legal prohibitions (and penalties) for infringement of trade secrets. Legal scholars in China expect that new penalties will be developed in the future.

Finally, the Administrative Measures also provide new regulations and oversight by the SAIC with respect to Internet-related “offline” activities by Regulated Persons, such as shipping and delivery. This also can be particularly useful for Western businesses in their Internet-based dealings in China.

As with many other newly adopted legal regulations in China, Western – as well as Chinese – businesses will have to observe carefully how the Administrative Measures will be interpreted and applied, now and in the future. However, the mere adoption of these new regulations alone indicates the PRC’s determination to protect information rights in connection with online transactions.

Published .