In 2011, the Ministry of Industry and Information Technology of the People's Republic of China (MIIT) published two draft regulations that are related to data privacy.
By way of background, China has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. Although a draft Personal Information Protection Law (个人信息保护法) has been pending since 2003, some observers are pessimistic about the likelihood of its enactment in the near future due to the complicated interplay between privacy protection and disclosures in the Chinese political system. However, some provinces and cities are in the process of drafting local privacy legislation. For example, the local bar association just submitted a Report on the Practicality and Necessity of Personal Data Protection Legislation in the City of Shenzhen, which is China's most successful Special Economic Zone ("SEZ"). SEZs have flexibility with respect to governmental actions that enable business to be done.
On January 30, 2011, the MIIT issued a draft Information Security Technology – Guide of Personal Information Protection (信息安全技术个人信息保护指南, the "Guidelines") for comment. The Guidelines define personal information liberally, grant data subjects broad rights and tightly restrain data processors' ability to transfer information. For example, a data processor generally cannot collect, alter, transmit, use, block or erase personal data without the person's consent. Depending on the purpose, a data processor also has the duty to keep personal data accurate, complete and up-to-date. If a data processor authorizes a third party to process personal data under its control, it must notify the persons before the collection of data. More importantly, a data processor cannot transfer personal information to another entity without the persons' express consent. In perhaps the most devastating provision for the outsourcing industry, a data processor is prohibited from transferring personal information to a foreign data processor without express authorization of the law or from the government. The Guidelines are silent as to their applicability to foreign citizens' personal data.
Also, the MIIT published a draft Internet Information Service Regulations (互联网信息服务管理规定, the "Internet Regulations") on July 27, 2011, which includes provisions regulating the processing of personal information by entities providing internet information services or related products in China. In addition to similar requirements to obtain consent and a general prohibition on data transfer, the Internet Regulations also impose a duty to report serious security breaches to the MIIT.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.