In the era of Big Data and the Internet of Everything (IoE), users are increasingly attentive to how their personal information is handled. Confidential personal information such as mobile numbers and personal ID numbers is increasingly requested to activate numerous daily life functions, for instance an SMS authentication code for website or app registration or login. Additionally, companies request facial, voice, or other biometric features for authentication or verification, such as facial recognition or voice prints.
Thus, jurisdictions around the world have stepped up efforts to regulate the collection and use of personal information and address privacy issues. In China, a series of cybersecurity and data security laws, rules, and regulations have been adopted to regulate the collection, use, and other processing of personal information. Enforcing departments are considerably active and sanction violators who illegally collect and process personal information.
Companies that fail to protect users' personal information often face both a trust crisis and a compliance crisis. A lack of meticulous and thorough personal information security compliance can damage user confidence and harm a company's public image. Equally, increased legal and regulatory attention to personal information protection inevitably increases companies' compliance obligations to reduce risks and resolve incidents quickly.
Below, we examine an administrative case in which a company failed to adopt the necessary personal information security measures.
Company A, a restaurant chain operating in Shanghai, failed to inform customers of the purpose and scope of the personal information it collected. The enforcing department ordered Company A to rectify this and imposed an administrative fine of 500,000 RMB.
Company A used a WeChat mini-app through which customers scanned a WeChat QR code to order and pay for food. The mini-app required customers to authorise access to their mobile number to complete a food order; however, the purpose and scope of the collected mobile number were not stated clearly. During verification, enforcers noted that collecting mobile phone numbers is not an essential function of the food ordering procedure, and that Company A had not clearly stated the purpose, method, and scope of the collection and use of mobile phone numbers.
Additionally, Company A did not implement the following control measures with personnel and third parties handling the collected data:
- Failure to sign a confidentiality agreement with personnel handling the collected data;
- Failure to determine the responsibilities related to leaking secrets to personnel and third parties;
- Failure to formulate emergency response plans such as data breach disposal;
- Failure to establish security verification during the export of data including member ID, card number, card type, validity period, card status, card sales time, card terminal number, card store, name, gender, mobile phone number, card balance and other data containing consumers' personal information;
- Failure to encrypt the exported documents;
- Failure to adopt technical measures and other necessary measures to ensure the security of personal information.
In the administrative case, Company A failed to implement a control mechanism to ensure the collected personal information was lawfully handled. Specifically, the Personal Information Protection Law Article 51 outlines an internal management system and operational procedure for processing personal information. Companies are obliged to implement compliance procedures based on the following factors:
- The purpose and method of processing personal information;
- The type of personal information processed;
- The impact on personal rights and interests.
Personal information compliance measures shall include the following:
- Internal management system and operating procedures;
- Personal information classification;
- Appropriate technical security measures such as encryption and de-identification;
- Personnel authorisation to operate the processing of personal information;
- Regular security education and training for employees;
- Emergency plans for personal information security incidents.
Additionally, the Measures for the Supervision and Administration of Online Transactions ('Measures'), effective from 1 May 2021, stipulate specific provisions for the collection and use of consumers' personal information by online transaction operators.
The Measures require companies who collect and use the personal information of online consumers to implement the following:
- Follow principles of legality, justification, and necessity in the collection;
- Expressly indicate the purposes, manners, and scope of the collection and use of personal information; and
- Obtain the consent of the consumers.
Examining third parties
Companies handling large data volumes, such as those in the hospitality, logistics, consumer finance, and other industries, may outsource processing to a third party. In the administrative case, Company A did not ensure that the third party processed the data correctly by conducting a personal information protection impact assessment ('Assessment') as provided for in Article 55 of the PIPL.
The Assessment should ensure that information is processed in compliance by evaluating the third party's information protection capability, cybersecurity measures, and internal governance. If the third party is located outside of China, companies may need to conduct a security assessment before the data can be transferred. Specifically, the Measures for the Security Assessment of Outbound Data Transfers, effective from 1 September 2022, require companies to conduct a security assessment when transferring, cumulatively since 1 January of the preceding year, the personal information of more than 100,000 individuals or the sensitive personal information of more than 100,000 individuals.
Personal information is regulated through national and industry bodies. National laws and regulations are issued by the following national departments.
- Cyberspace Administration of China ("CAC")
- Ministry of Public Security of the People's Republic of China ("MPS")
- Ministry of Industry and Information Technology of the People's Republic of China ("MIIT")
- State Administration for Market Regulation ("SAMR")
Specific industry or sectoral bodies regulate personal information according to their respective industries or sectors and include the following:
- People's Bank of China
- China Banking and Insurance Regulatory Commission
- National Health Commission
- Ministry of Education
- China Consumers Association
Personal information infringers are subject to the administrative penalties set forth in the PIPL and the Cybersecurity Law, which include rectification orders, warnings, confiscation of illegal gains, suspension or termination of the relevant service, fines, shutdown of the website, revocation of the relevant business permit, or revocation of the business licence, depending on the circumstances of each case.
Violations will be recorded on credit files and publicly disclosed, and any public security administration violations will be subject to penalties according to public security administration rules.
Violations that constitute a crime will attract criminal liability. Under the Criminal Law, if an organisation commits a crime, the directly liable officers or other directly liable individuals of the organisation shall be convicted and punished in accordance with the applicable provisions.
The PIPL requires enterprises to establish a comprehensive control mechanism to manage the collection of personal information. Companies should continuously monitor the relevant regulations and update such systems to align with the changing landscape. At Horizons, we have developed data compliance frameworks for medium-sized to large companies in China.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.