New PRC Consumer Rights Law fills legal void governing data privacy protections – get ready for 3/15/2014 effective date

The newly revised Consumer Rights and Interests Protection Law of the People’s Republic of China (the Consumer Rights Law, promulgated on October 25, 2013 and becoming effective March 15, 2014) is the first revision of China’s old Consumer Rights Law since its promulgation in 1993. The new Consumer Rights Law is an attempt to bring the law in this area up to date to respond to modern business practices. Among the additions are rules governing the collection, use and security of consumer personal information.

The PRC does not have a comprehensive data protection law. Prior to the promulgation of the new Consumer Rights Law, general data privacy protection in China was largely regulated by the Decision of the National People’s Congress Standing Committee on Strengthening Internet Information Protection (the Decision) and the National Standard on Information Security Technology – Guideline for Personal Information Protection Within Information System for Public and Commercial Services (the Guideline) [i], along with other protection provisions scattered across different PRC laws and regulations.

Though the Decision is in part applicable to consumer personal information, it covers consumer personal information in electronic form only. The addition of data privacy protection in the new Consumer Rights Law should fill this legal void and make the Consumer Rights Law an integral part of the laws and regulations governing data privacy in China.

Articles 14 and 29 of the new Consumer Rights Law contain its privacy obligations. Article 14 states that consumers shall have the “right to have personal information protected in accordance with the law” when purchasing and using merchandise or services and Article 29 requires the following measures when businesses collect or use consumer personal information obtained either online or offline:

(a) Purpose, method, scope and rules of collection and use of personal information shall be explicitly stated and consented to by consumers;

(b) Business operators shall keep the personal information confidential and not disclose, sell or illegally provide the personal information to others;

(c) Business operators shall also take technical or necessary measures to ensure information security and to prevent information disclosure or loss; and

(d) Sending commercial information to consumers is prohibited where the consumer has not consented or requested it, or where the consumer has indicated that he/she does not want to be sent such information.

Although Article 29 requires the business operator to notify consumers of the information set out in (a) above and to obtain the consumer's consent, Article 29 does not define the format of such notification and consent. Neither does Article 29 stipulate whether the notification has to be given orally or in written form or whether opt-in, opt-out, oral or written consent is required.

Despite the limitations mentioned above, compliance with Article 29 of the new Consumer Rights Law is strongly recommended. The addition of data privacy protection to the Consumer Rights Law reflects a general trend toward data privacy regulation in China. PRC government authorities are becoming more interested in data privacy and more willing to take steps toward enforcing private sector personal information protection. This change in attitude is evidenced by the fact that a breach of Article 29 may now result in the business operator facing such consequences as confiscation of illegal earnings in conjunction with a fine between twice and ten times the value of the illegal earnings. Where there are no illegal earnings, a fine below RMB 500,000 may be imposed.

While we expect authorities will more often than not issue warnings before bringing enforcement actions, businesses that collect or use consumer information should consider strategies to be able to comply by the time this law takes effect on March 15, 2014.

[i] While the Guideline is only a technical guide and thus not legally binding, it was drafted under the guidance of the Ministry of Industry and Information Technology and thus may be used as a standard in practice.