China Adopts Privacy Legislation Strengthening Online Personal Data Protection


China’s top legislature, the Standing Committee of the National People’s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information. The “Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data” (“Decision”), which took effect upon its December 28, 2012 passage, has the same legal effect as law and was enacted to “to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order ....” Though the Decision’s primary purpose is to protect the personal online information of Chinese citizens, it includes an identity management policy requiring Internet users to use their real names to identify themselves to service providers, including internet or telecommunications operators.

The Decision reflects China’s recent push to address the issue of online personal data protection, and follows a Chinese Ministry of Industry and Information regulation, which took effect in March 2012, requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data.  Specific regulations regarding the protection of online data include the following:

  • Internet service providers (ISPs), public service units (PSUs), and other organizations that collect or use an individual’s electronic information during business activities must clearly indicate the objectives, methods, and scope of collection and use of information and obtain consent for collection from the data subject.
  • ISPs must strictly safeguard the privacy and strengthen the management of personal digital information.
  • Chinese citizens have the right to compel an ISP to delete personally identifying or private information about them or to take measures to terminate certain “harassing” activities.
  • ISPs are required to instantly stop the transmission of illegal information once it is spotted and take relevant measures, including removing the information and saving records, before reporting to supervisory authorities.
  • Organizations and individuals are banned from obtaining personal digital information via theft or other illegal means, and prohibited from selling or illegally providing the information to others.
  • “Supervising Departments” are empowered to take measures to prevent, stop, or punish those who infringe on online privacy, obtain personal digital information through illegal means, or sell or illegally provide information to others, and ISPs are required to give support during investigations.

Violators of the Decision rules are subject to liability including warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from future engagement in the in the network service business, and other civil, administrative and even criminal punishments. Violations may also be recorded in the “social credibility files” and be made public.

Still, questions remain about the implementation of the Decision. Because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity essential for accurate understanding and compliance. For example, there is no guidance regarding which governmental department or agency will supervise or enforce the rules. Time will tell whether or not more implementing rules will clarify some of these ambiguities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.