China's first national standard on personal information
protection, namely the Guide of Personal Information Protection on
Information Security Technology, Public and Commercial Information
Service System (the "Guide") became effective on February
1, 2013. Only about one month earlier, the Decision on
Strengthening Online Information Protection (the
"Decision") was adopted by Standing Committee of the
National People's Congress on December 28, 2012 and became
effective on the same day. Both of the moves show that China has
taken the significant first step on enhancing personal information
The Decision, which has the force of law, provides fairly broad
guiding principles and requirements for not only the internet
service providers but also other entities in collecting and using
personal electronic information, such as, explicitly indicating the
purpose, manner and scope of collecting and using such information
and obtaining the consent of the citizen whose information is
collected, publishing their policies for collecting and using such
information, not divulging, distorting or destroying such
information, and not selling or illegally providing others with
such information, and etc. In very general terms, violators may
face penalties including, but not limited to, warnings, fines,
confiscation of illegal gains, license revocations, filing
cancellations and website closures. Responsible individuals can
potentially be subject to a ban on engaging in web-related business
activities, as well as administrative, civil and even criminal
The Guide, although it lacks the force of law, still represents
a significant step forward in the fight for personal information
protection in China and serves as an important guidepost for
China's future lawmaking. According to the Guide, handling
(including collecting, processing, transferring and deleting) of
personal information must be for specific, clear and reasonable
purposes, and should be subject to the permission of the individual
who has been well-informed. Such information should be deleted once
its intended use has been fulfilled. In addition, express consent
of the individual concerned is required when transferring his or
her personal information outside of China.
Both the Decision and the Guide take a relatively restrictive
position on the transfer of personal information between data
processors and could create difficulties for multinational
corporations relying on third party data processing companies or
routinely sharing information between affiliates. Additionally,
companies will need to pay more attention to their compliance of
business activities under e-commerce environments.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On 12 August 2016, the Cyberspace Administration of China (CAC), the General Administration of Quality Supervision, the Inspection and Quarantine of China (GAQSIQ), and the Standardisation Administration of China (SAC) jointly released Several Guidelines to Strengthen National Cybersecurity Standardisation (the "Guidelines").
On July 21, the Personal Data Protection Commission ("PDPC") imposed a $5,000 fine on Toh-Shi Printing Singapore for its failure to implement proper and adequate verification procedures...
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).