The Situation: In the two years since China enacted the Cybersecurity Law, which granted authorities broad powers to monitor and investigate activities falling under its purview, authorities have increasingly penalized violators for not complying with the Law's data privacy provisions.
The Result: Since the Cybersecurity Law came into effect in June 2017, numerous instances of zealous enforcement have been reported. Chinese law enforcement has used related laws and regulations to crack down on offenses relating to national security and public order. It has also devoted significant efforts to penalizing companies for data privacy violations under the Cybersecurity Law.
Looking Ahead: Companies can expect enforcement actions to continue. They should regularly and thoroughly review their data privacy policies and implementation procedures to ensure they are in compliance.
On June 1, 2017, China enacted the Cybersecurity Law consolidating prior legal provisions on cybersecurity and data privacy into an omnibus regulation. Since its enactment, Chinese authorities have continued enforcement efforts without abatement. Penalties have been imposed against companies that have, inter alia, (i) failed to publish policies on personal information collection and use; (ii) failed to specify the types of personal information to be collected; (iii) failed to obtain consent prior to data collection or use; (iv) failed to inform data subjects of channels to correct personal information, or adopted unreasonable conditions for searching, correction, or deletion of data subjects' personal information; (v) sought consent from data subjects by means of default consent, bundled consent, or forced consent; or (vi) failed to implement necessary security measures to adequately protect personal information. This commentary examines key enforcement cases addressing important enforcement trends.
We previously shared some high-profile investigations carried out by Chinese authorities, following the enactment of the Cybersecurity Law, against major companies, including internet giants Tencent Holdings Limited, Sina Corporation, and Baidu, Inc. (See China's New Cybersecurity Law Brings Enforcement Crackdown.)
The Chinese Ministry of Public Security implemented the "Clean Internet Campaign 2018" and "Clean Internet Campaign 2019" to crack down on cybercrime and infringement of personal information. More than 57,000 cybercrime cases were detected, around 83,000 suspects were arrested, and 34,000 administrative penalties were imposed.
In order to retain users, many apps do not provide a deregistration function. Some social media apps even require users to fulfil unreasonable requests in order to cancel their accounts, for instance, to first provide a purchase history, which may have been compiled over several years, upload a photo with their faces and their identity cards, or deregister other apps. In August 2018, the Shanghai Communications Administration issued rectification orders against 20 companies for failure to activate their deregistration function, frustrating users' attempts to cancel their accounts. Article 43 of the Cybersecurity Law and Article 9 Paragraph 4 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (effective September 1, 2013) prescribe that companies must allow users to delete their personal information and cancel their accounts. Article 24 of the E-Commerce Law of the People's Republic of China (effective January 1, 2019) also requires e-commerce businesses to expressly state the means of and procedures for user deregistration, and prohibits them from establishing unreasonable conditions for searching, correction, or deletion of user information and user deregistration.
In December 2018, the Ministry of Industry and Information Technology of the People's Republic of China ("MIIT") interrogated representatives of Suzhou Tongcheng E-dragon Network Technology Co., Ltd., which specializes in providing travel-related products and services, regarding its program on the WeChat platform. Citing the Cybersecurity Law, the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks (effective December 28, 2012), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, MIIT ruled that the program failed to properly publish its policy on personal information collection and use, and linked its users' accounts to the loyalty program of China Railway Corporation (on the website www.12306.cn) without seeking further consent from users. The company was ordered to rectify its actions to duly protect the right to know and freedom of choice of users.
In February 2019, MIIT issued rectification orders against five apps for failure to activate their deregistration function, frustrating users' attempts to cancel their accounts.
Also in February 2019, more than 40 apps were admonished by MIIT in the Notice of Telecommunication Service Quality (Issue No. 1 of 2019) for having promoted internet apps to users through bundled consent. The apps were mainly internet game apps that could have been downloaded from 16 different app stores, which MIIT took down. Several other apps were cited by MIIT for having failed to display their personal information collection policies, and rectification orders were issued.
In April 2019, Guangdong Communications Administration interrogated several companies including Guangzhou UC Network Technology Co., Ltd. (developer of PP Assistant) and Guangdong Pacific Internet Information Service Co., Ltd. (PConline), and took down apps that failed to protect personal information. Guangdong Communications Administration issued warnings to companies such as Shanxi Yitang New Culture Communication Co., Beijing Xiangyu Financial Services Co., Ltd., and Beijing Yucheng Technology Co., Ltd. regarding 20 apps for (i) not having user service and privacy agreements displayed on account registration pages; (ii) having incorporated hidden clauses in privacy agreements that permitted the companies to access passwords and verification codes from the users' mobile service provider; (iii) not specifying the types of personal information to be collected; (iv) not obtaining users' consent before installing other apps; (v) requiring users to install other apps as a condition for app activation; and (vi) not having a deregistration function.
The Cybersecurity Law and the Information Security Technology—Personal Information Security Specification (effective May 1, 2018) require companies to explicitly notify users prior to collecting personal information. Companies must also seek consent from users by means other than default consent, bundled consent, or forced consent, and provide them with the choice to opt out of receiving unwanted information. As of June 11, 2019, law enforcement received more than 5,500 complaints about unlawful collection of personal information by internet or mobile apps. Chinese law enforcement interrogated company representatives, took down apps from app stores, and ordered administrative penalties (such as issuing rectification orders and demanding the submission of reports on corrective actions within one month).
In July 2019, MIIT took down apps and issued rectification orders against 18 companies, including Beijing Changyou Times Digital Co., Ltd., Beijing Tianying Jiuzhou Network Technology Co., Ltd., and Beijing Cat Eye Culture Media Co., Ltd., for failure to publicize rules for collecting and using personal information, obtain consent prior to data collection, and/or inform users of channels to correct personal information. MIIT also issued orders against mobile apps Buding Xiao Dai, Jiu Miao Dai, and Mai Ya Dai for failure to obtain users' consent prior to collecting and using personal information.
Three Key Takeaways
- The Chinese cybersecurity and data privacy enforcement authorities, while using related laws and regulations to crack down on offenses relating to national security and public order, have also devoted significant efforts to enforcement against data privacy violations.
- Going forward, national and local Chinese authorities are expected to stay active in protecting personal information and taking enforcement actions.
- Companies should thoroughly review their policies and implementation to ensure that they are in compliance.