
LEGAL: Personal Information Protection of Consumers (PART I)

Personal Information Protection of Consumers


By Manuel Torres (Managing Partner of Garrigues China), Lucy Luo (Principal Associate), Xuezhou Chen (Corporate Associate)

China currently has no national law dedicated to personal information protection. However, the government has been working to strengthen such protection through laws and regulations at various levels, such as the PRC Cyber Security Law, recently promulgated by the Standing Committee of the National People's Congress, which will come into force on June 1st, 2017; the PRC Law on the Protection of Consumer Rights and Interests ("Consumer Protection Law"); the Provisions on Protection of Personal Information of Telecommunication and Internet Users released by the Ministry of Industry and Information Technology ("Order 24"); and the Decision of Standing Committee of the National People's Congress on Strengthening Network Information Protection ("Strengthening Decision"). In addition, the National Committee of Information Security Standardization Technology has published the Information Security Technology – Guidance for Personal Information Protection with Information System for Public and Commercial Services ("Guidance"), which took effect on February 1st, 2013. The Guidance, as an instructive document, lacks the enforcement effect of laws and regulations. However, it provides detailed rules on protection and may indicate the future trend of legislation.

Among the above PRC laws and regulations, the Consumer Protection Law governs personal information collection by businesses operating both online and offline, while the rest mainly focus on regulating personal information collection through the Internet.

In this article, we focus on the laws and regulations relevant to protecting the personal information of final consumers of multinational retail enterprises that operate stores both online and offline in China.

1. Collection and Use of Personal Information

1) General principle and definition

Under the PRC laws and regulations, the collection or use of personal information by business operators shall generally follow the principles of legitimacy, justification and necessity. In accordance with Order 24, which governs Internet information service providers, "personal information" refers to information that can identify a person, individually or in combination with other information, and that is collected by Internet information service providers in the course of providing services, such as name, birth date, ID No., address, telephone number, account number and code of the user, and information on the time and place at which the user uses the aforementioned service.

In addition, the Guidance further divides personal information into personal sensitive information and personal general information. Personal sensitive information refers to information that may have an adverse effect on the subject person once it is leaked or modified, which may include ID card numbers, mobile numbers, races, political viewpoints, religion and belief, genes and fingerprints, etc. Personal general information refers to any personal information other than personal sensitive information.

2) General requirements

To collect personal information, business operators shall expressly inform consumers about the purpose, method and scope of collection or use of information, ways to inquire or correct information and consequences of refusal to provide information. Business operators shall also offer effective contact information for receiving consumers' complaints regarding personal information protection.

3) Consent of consumers

Although the existing laws and regulations do not state explicitly how consent shall be given, business operators shall obtain the consent of consumers for the collection of personal information, and the Guidance provides the following guidelines:

- when collecting personal general information, the subject person may be deemed to offer tacit consent if there exists no explicit objection; where the subject person explicitly objects, it is required to cease collecting or to delete personal information;

- at the time of collecting personal sensitive information, business operators shall obtain express consent from the subject person, and the express consent shall be recorded.

In practice, for offline stores, it is advised to obtain the consumers' written consent, e.g. through their signatures on information collection cards, and all signed information collection cards shall be well kept. For online stores, it is suggested to demonstrate consumers' consent through their clicking on the "proceed" or "submit" button.

For consumers who have already purchased products from stores before, if the stores would like to collect new personal information, consent of the consumers is still required. When collection of personal information continues, the Guidance instructed that functions shall be provided for the subject person to allocate, adjust or close the function to collect personal information. In practice, it is also suggested to obtain consumers' consent if the general requirements of collection or use as stated above are changed.

The consent of the consumers shall be of full civil effect. As instructed by the Guidance, it is advised not to collect personal sensitive information directly from persons with no or limited civil capacity, such as juveniles under 16 years old. Where necessary, the express consent of the legal guardian is required. For general consumers, it is suggested to have them confirm that they meet the age requirement (16 years old or above) and have full civil capacity by ticking the relevant box on the information collection cards or the relevant provisions online.

In addition, the PRC Cyber Security Law prescribes that if individuals discover that Internet service providers gather or use their personal information in violation of the provisions of laws and administrative regulations or the mutual agreements between parties, they have the right to request the Internet service providers to delete their personal information.

4) Principle of necessity

In general, personal information collection shall follow the principle of necessity. In this regard, Order 24 further stipulates that Internet information service providers may not collect personal information of the subject person other than that necessary for them to provide the service, nor use the information for any purpose other than provision of the service.

5) Announcement of rules

In accordance with the relevant PRC laws and regulations, the business operators shall announce their rules for collection and use of personal information.

PRC laws and regulations do not provide clear rules on the method of such announcement, whether through written document or oral communication. However, in practice, it is suggested to provide consumers with the rules for collection and use of information in writing, whether in physical stores or online.

For the contents of the rules, the existing PRC laws and regulations generally require the following compulsory information:

- Purpose, method and scope of collection or use of information;
- Ways to inquire or correct information;
- Consequences of refusal to provide information; and
- Effective contact information for receiving consumers' complaints regarding personal information protection.

Additionally, the Guidance provides some instruction on the contents of the rules for reference.

6) Penalties for infringement on personal information

According to the recently promulgated PRC Cyber Security Law, if the right of personal information protection is infringed, the business operator shall be ordered to rectify the violation and be subject to a warning, confiscation of illegal gains, a fine of no less than one but no more than ten times the illegal gains, or a combination thereof, as the case may be; where there is no illegal gain, a fine of no more than RMB 1 million shall be imposed; and a fine of no less than RMB 10,000 but no more than RMB 100,000 shall be imposed on the persons directly in charge and other directly responsible persons. Where the circumstances are serious, the business operator shall be ordered to suspend the relevant business, stop the business for rectification or close down the website, or its relevant business permits or business license may be revoked.

Where the infringement on personal information is serious, it may also constitute a crime under the PRC Criminal Law.

--- END ---

Copyright 2024 BusinessTianjin.com. All rights reserved.