On 5 August 2016, the State Administration for Industry and Commerce (SAIC) released the draft Implementation of the Law of the People's Republic of China on Protection of Consumer Rights and Interests (the "Draft") for public comment. According to an official release issued at the same time, the Draft focuses on product recall, fraud, online shopping return policies, personal information protection, and the enforcement of consumer rights. The Draft consists of 70 articles, with a few addressing consumer privacy (Articles 22, 23, and 57).

Notable provisions in the Draft compared to existing provisions in the Measures of the Punishment of Conduct Infringing the Rights and Interests of Consumers, include the expansion of the definition of personal information (Article 22) to cover biometric data and the imposition of general privacy obligations on business operators. The latter are reminiscent of general international privacy principles and include the following obligations on business operators, namely that they:

  • Collect data by lawful and fair means and only collect data that is necessary for the purpose of collection and use. They must notify consumers of the purpose, method, and scope of the collection, and consumers' consent must be obtained prior to the collection.
  • Retain data/documents evidencing the fulfilment of notification obligations and consumer consent for at least five years.
  • Establish an information security system to ensure the security of consumers' personal data. They shall not disclose, modify, or destroy consumers' personal data or provide such information to any third parties without the consumers' prior consent except where such personal information has irreversibly been de-identified. Business operators shall have procedures in place to deal with data breaches effectively and the shall notify consumers promptly in the event of a breach.

New provisions relating to direct marketing (Article 23) have been introduced, requiring the express consent of consumers before any commercial electronic messages can be sent or before any commercial promotional calls can be made. In the event that consumers agree to receive commercial electronic messages or commercial promotional calls, the cost of such messages or calls cannot be passed on to them without express agreement.

Any violation of the general privacy provisions or the direct marketing provisions attracts a penalty (Article 57) ranging from confiscation of the illegal income, a fine ranging from one to five times of the illegally obtained income (or under RMB 500,000 if there is no illegal income), and/or the suspension of a business operator's license in egregious circumstances.

While some of the privacy provisions in the Draft (such as the three data collection principles) re-articulate provisions in earlier regulations, the five-year retention of records and the breach notification are new requirements. In anticipation of the Draft being adopted in the near future, companies should use the opportunity now to re-evaluate their existing privacy policies and direct marketing practices to ensure that they are in compliance with the notification and consent obligations, and they have a system in place that records the consents received from customers. Finally, given the new breach notification requirements, companies should consider articulating a security incident response plan to handle breach-related obligations, and provide training to relevant front-line staff who will have to deal with the breach.

Visit us at www.mayerbrownjsm.com

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.