Home  Contact Us
  Follow Us On:
Advertising Advertising Free Newsletter Free E-Newsletter
      2024       2023       2022       2021       2020       2019       2018       2017       2016       2015       2014       2013       2012       2011       2010       2009       2008

LEGAL: Personal Information Protection of Consumers (PART II)
Share to

Personal Information Protection of Consumers


By Manuel Torres (Managing Partner of Garrigues China), Lucy Luo (Principal Associate), Xuezhou Chen (Corporate Associate)

BT 201703 LEGAL 02This is the second part of the article introducing relevant laws and regulations regarding personal information protection of final consumers of multinational retailing enterprises who operate stores both online and offline in China. Please check previous issue of February 2017 to read the first part.

2. Sending Commercial Electronic Information

1) Consent of consumers

In accordance with the Consumer Protection Law, Business operators shall not send commercial information to consumers who have not requested such information or who have not consented to or who have explicitly refused the receipt of such information. Therefore, consent of consumers shall be obtained before sending commercial electronic information.

However, the PRC laws and regulations do not state clearly on how the consent should be made. In practice, it is suggested to provide the consumers with clear options to accept or refuse commercial electronic information.

In addition, when continuing to deliver commercial electronic information, it is suggested to provide clear option for consumers to choose to suspend such service or any part of it at any time.

2) Notification regarding data controller

The existing PRC laws and regulations do not provide any special requirements when it is a foreign entity that sends commercial electronic information. However, in practice, business operators usually disclose the information of the data controller to consumers. If the data controller is different from the entity who is directly collecting the data and it is necessary to transfer personal information to the data controller, according to the Guidance, it is advised to inform the subject person explicitly of the purpose of transfer, the specific contents and scope of application of personal information to be transferred and the name, address and contact information of the data controller.

BT 201703 LEGAL 01
3. Cross-border Transfer of Personal Information

The existing PRC laws and regulations do not specifically stipulate on cross-border transfer of personal information. However, according to PRC Cyber Security Law, the cyber operator should not provide personal information to a third party without the consent of the subject person, except for that the personal information has been specially processed so that it could not be used to identify the specific person and could not be restored. Also, Guidance provides that the administrator of personal information shall not transfer personal information to overseas receiver including any individual overseas or any organization or institution registered overseas, except for that there is (i) expressed consent of the subject person; (ii) explicit requirement of the law; or (iii) approval of competent authority. Although said rules have not yet become laws and regulations, they could still be referred to as guidelines for daily operation.

In practice, for multinational companies, it is suggested to explicitly advise consumers about the sharing party of personal information, purpose of the sharing and scope of information shared. Also, the transferor should make sure that the receiving entity has adequate ability to protect personal information and personal information will not be accessed by any individual, organization or institution other than the receiving entity.

In addition, in accordance with the PRC Cyber Security Law, the state especially values the protection of key information infrastructures. Such infrastructures may include those used for finance and other important industries and fields and other key information infrastructures that will result in serious damage to national security, national economy and people's livelihood and public interests if they are destroyed, lost functions or subject to data leakage.

It is required that key information infrastructure operators shall store personal information and important data gathered and produced during operations within the PRC territory. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with measures formulated by the national cyberspace administration authority in concert with relevant departments under the State Council.

Business operators might not be directly collecting key financial information of their consumers, such as their payment code, if they engage third parties to provide payment service. However, if any key financial information of its consumers has been or will be collected by the business operator, the business operator might be subject to special requirement on storing and transferring personal information for key information infrastructure operators. The PRC Cyber Security Law indicates that the State Council will further specify the scope and measures for security protection for key information infrastructures. We will keep a close eye on the relevant developments and keep you updated if there is any progress.

Current laws and regulations for personal information protection of consumers in China are relatively general. It is expected that the relevant authorities will promulgate more specific rules and restrictions in this regard. And business operators may be subject to stricter regulation in future. We will keep following the latest trend and rules in this field together with foreign companies doing business in China.

--- END ---

    Subscription    |     Advertising    |     Contact Us    |
Address: Magnetic Plaza, Building A4, 6th Floor, Binshui Xi Dao.
Nankai District. 300381 TIANJIN. PR CHINA
Tel: +86 22 23917700
E-mail: webmaster@businesstianjin.com
Copyright 2024 BusinessTianjin.com. All rights reserved.