China’s population exceeds 1.3 billion people, with over 40 percent of its population using the Internet. Last year, total online sales in China grew to nearly $200 billion, an increase of over 60 percent from 2011. There are signs that the value of China’s e-commerce market value will soon surpass that of the United States, making China attractive to international companies in many industries. But some companies have been reluctant to enter China’s online marketplace because of the uncertain privacy and security landscape.
In an apparent effort to encourage consumer engagement in the e-commerce market and establish baseline security standards, the Chinese government has in the past several months released laws, regulations and guidelines focused on privacy and security issues. At the end of 2012, the National People’s Congress issued a law regulating the collection and use of personal electronic information. In April, the People’s Congress released draft amendments to the country’s 20-year old consumer protection law, and China’s Ministry of Industry and Information Technology (MIIT) issued regulations governing the release of pre-installed apps on smart devices. In February, MIIT issued non-binding data privacy guidelines. In this post, we briefly summarize some of the notable takeaways from these and other initiatives.
Decision on Strengthening Protection of Online Information (the Decision)
The Decision, which was enacted in December 2012, governs businesses and organizations, including public institutions, that collect personal electronic information. “Personal electronic information is defined as electronic information capable of identifying an individual or affecting personal privacy. The decision includes the following provisions:
- Organizations collecting personal electronic information must publish policies regarding their data practices.
- Individuals must be informed of the purpose, method, and scope of data collection.
- Organizations must obtain individuals’ consent prior to collecting personal electronic information.
- Organizations must implement measures to protect individuals’ personal electronic information against theft, loss, and damage.
- Organizations must refrain from selling or illegally disclosing personal electronic information.
- Organizations must take immediate remedial measures if personal electronic information is compromised.
- Organizations must refrain from sending commercial electronic communications to a recipient’s landline, mobile phone, or email address without consent.
Draft Amendments to Consumer Protection Law
The national legislature released draft amendments to the 1993 Law of Consumer Rights and Interests on April 28, 2013, and the amendments were open for public comment through May 31. The draft would amend almost half of the current law’s clauses to address e-commerce issues. The privacy and security amendments to the consumer protection law align with the Decision’s provisions regarding notice, consent, disclosure of personal electronic information, electronic commercial communications and the requirements for security and remedial actions. The updated consumer protection laws would also give certain associations the right to file suits against companies that infringe the rights of large groups of consumers.
Regulation of Smart Devices
In April, MIIT issued a regulation regarding smart devices that takes effect November 1, 2013. The regulation prohibits smart device manufacturers from pre-installing apps that:
1) collect or modify users’ personal information without their consent;
2) access networks without expressly notifying users and obtaining their consent;
3) affect the normal operations of a smart device or the safe operation of a telecommunications network;
4) contain content restricted by Chinese law; e.g., obscenity and anti-government speech, or
5) infringe on the safety or security of users’ personal information.
Device manufacturers must already obtain network access licenses for the devices they manufacture. The new regulation will require manufacturers to include in their applications information about the configuration of pre-installed apps and the devices’ operating systems.
On February 1, MIIT issued non-binding guidelines for organizations that collect, use, and disclose personal information through information systems. Although the guidelines do not have the force of law, they may well serve as the basis for comprehensive privacy laws or regulations or serve as a reference in enforcement actions or litigation. The guidelines require that organizations processing information that alone or in combination with other information is capable of identifying an individual do the following:
1) notify individuals of the purpose and scope of processing prior to collection;
2) obtain individuals’ consent prior to collecting information;
3) process information only as consistent with the notice given at the time of collection;
4) provide reasonable security measures to protect personal information;
5) retain information no longer than as required to meet the purposes for which it was collected, and
6) obtain express consent for the processing of sensitive data and for cross-border transfers of any personal information.
As these initiatives illustrate, China is focused on data privacy and security issues, no doubt in part to promote the growth of China’s e-commerce market. MIIT’s guidelines do not provide a definition of “sensitive data,” and it is not clear the extent to which the guidelines will serve as the basis for a comprehensive data privacy law. The Decision does not specify how individual consent to data practices should be obtained, nor does it elaborate on the types of remedial measures that organizations should take when personal information is compromised. MIIT’s smart device regulation may apply only to pre-installed apps, but some wonder whether future regulations will apply to apps installed post-purchase. And we must wait to see what form the final version of the amendments to the consumer protection law, as well as any associated regulations, will take.
Companies looking to enter into or invest in the Chinese e-commerce market should of course take careful note of the current landscape to ensure that business practices align with legal and regulatory requirements. But perhaps more importantly, they should also monitor for signs of how China’s privacy and security frameworks, and enforcement of same, will take shape in the future. MIIT’s guidelines suggest that cross-border transfers may be permitted only with express consent. That, along with other privacy and security regulations, could significantly impact business models.