China: Privacy & Cybersecurity Update Issue 3 | October 2014 - Asia

China

Standard Terms of Internet-Trading-Platform Contracts Address Seller's Liability with Consumer's Personal Information
On July 30, the State Administration of Industry and Commerce promulgated guidelines (source document in Chinese) on the Standard Terms of Internet-Trading-Platform Contracts (Article 10) to provide that, under the standard terms, the seller cannot preclude its liability with respect to the security of the consumer's personal information.

Local People's Governments Must Report to Superior Department if Disclosing Personal Privacy Information
On August 7, the State Council promulgated interim regulations (source document in Chinese) on the Disclosure of Enterprise Information (Article 3) to provide that relevant departments of local people's governments at or above the county level shall report to their respective superior competent departments for approval if the enterprise information to be disclosed by the former implicates personal privacy.

Personal Information to be Deleted when Publishing Administrative Penalty Information
On August 19, the State Administration for Industry and Commerce promulgated interim provisions (source document in Chinese) on the Publication of Administrative Penalty Information. Article 6 provides that when publishing administrative penalty information, the administrations shall delete relevant personal information.

Chinese Convict British-American Investigators for Selling Illegally Obtained Personal Information
A Chinese court in Shanghai convicted a British-American couple of illegally purchasing the personal information of more than 250 Chinese citizens and selling the information to clients. The couple's company had been hired by GlaxoSmithKline to conduct an internal investigation at the time of their arrest. The arrest took place days after the Chinese government publicly alleged that Glaxo employees had participated in bribery.

Hong Kong

Hong Kong Recruitment Media Pledges to Fight Blind Recruitment Advertisements
On August 4, six major recruitment media companies pledged to fight blind recruitment advertisements. Such advertisements solicit job applicants' personal data without disclosing the advertisers' identities, in violation of the Personal Data (Privacy) Ordinance for failing to collect personal data by lawful and fair means.

Hong Kong Privacy Commissioner Urges Expansion of Do-Not-Call Registers to Include Person-to-Person Calls
On August 5, the Privacy Commissioner for Personal Data urged the Administration to expand the do-not-call registers to include person-to-person calls. The do-not-call registers allow telephone subscribers to register their telephone numbers to prevent unsolicited commercial electronic messages.

Japan

Japanese Government Submits Bill for Basic Act of Cybersecurity
On June 11, a bill (source document in Japanese)—Basic Act of Cybersecurity—was submitted to the House of Representatives. The bill, aimed at improving cybersecurity, was passed by the House of Representatives on June 13 and sent to the House of Councillors.

Ministry of Economy, Trade, and Industry Reviews Ministerial Guidelines on Personal Information Protection Act
On August 15, the minister of the Ministry of Economy, Trade, and Industry ("METI") announced that the ministry would review and revise its ministerial guidelines on the Personal Information Protection Act. In the wake of a recent massive customer data breach incident, METI found that the guidelines needed to be revised in order to reinforce certain security measures to be taken by companies, including improved control and supervision over data processing vendors.

Singapore

Singapore Penalizes First Offenders Under New Personal Data Protection Act
In August, Star Zest Home Tuition and its sole director became the first offenders penalized under the do-not-call rules of Singapore's Personal Data Protection Act of 2012 for sending advertising messages to Singapore phone numbers registered with the Do Not Call Registry. The agency and director were fined S$39,000.

Personal Data Protection Commission Publishes Advisory Guidelines for Education, Health Care, and Social Service Sectors
On September 11, the Personal Data Protection Commission of Singapore published three sector-specific advisory guidelines for the education, health care, and social services sectors respectively, bringing the total number of advisory guidelines published to date to five (the other two sectors covered were telecommunications and real estate agency).

Do Not Call Registry Results Valid for 30 Days
Effective July 2, organizations that compare internal marketing lists with the Do Not Call Registry can rely on the results of that registry for up to 30 days (down from the previous 60 days).

Taiwan

Ministry of Justice Submits Draft Bill to Relax Requirements Under Communication and Surveillance Act
The Ministry of Justice submitted a draft bill for the Executive Yuan (source document in Chinese) to relax the limitations imposed on prosecutors' requests for communication records and to allow prosecutors to obtain such records in an emergency.

Executive Yuan to Submit Bill Authorizing Establishment of National Communication Safety Technology Center
The Executive Yuan seeks to submit a bill (source document in Chinese) authorizing the establishment of a National Communication Safety Technology Center. If such a bill is passed, the Executive Yuan can relocate a technical center (source document in Chinese) employing approximately 100 people to the jurisdiction of the Ministry of Science and Technology. The current proposal is that the National Communication Safety Technology Center will focus on certain aspects of information safety in the public and private sectors.

National Communication Commission Aims to Address Issues Derived from Cross-Strait Serving Trade Agreement
Due to the "China issue," the National Communication Commission ("NCC") prohibits the use of telecom systems built by PRC manufacturers and has imposed restrictions on PRC nationals entering certain telecom equipment rooms. The NCC also has imposed strict rules on capital investments from the PRC in "Type II Telecommunication" in Taiwan, requiring PRC companies to first obtain ISO/IEC certification before making any such investment in Taiwan, preventing them from removing customer data, sales department and system/equipment to the PRC, and precluding them from providing computer maintenance to Taiwanese telecom companies. The NCC aims to provide unified definitions for all services relating to telecommunication so that the types of investments allowed under the Cross-Strait Serving Trade Agreement are clearly defined.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.