17 August 2016
On 5 August 2016, the State Administration for Industry and Commerce (SAIC) released the draft Implementation of the Law of the People’s Republic of China on Protection of Consumer Rights and Interests (the “Draft”) for public comment. According to an official release issued at the same time, the Draft focuses on product recall, fraud, online shopping return policies, personal information protection, and the enforcement of consumer rights. The Draft consists of 70 articles, with a few addressing consumer privacy (Articles 22, 23, and 57).
Notable provisions in the Draft, compared to the existing provisions in the Measures on the Punishment of Conduct Infringing the Rights and Interests of Consumers, include the expansion of the definition of personal information (Article 22) to cover biometric data and the imposition of general privacy obligations on business operators. The latter are reminiscent of general international privacy principles and require business operators to:
- Collect data by lawful and fair means and only collect data that is necessary for the purpose of collection and use. They must notify consumers of the purpose, method, and scope of the collection, and consumers’ consent must be obtained prior to the collection.
- Retain data/documents evidencing the fulfilment of notification obligations and consumer consent for at least five years.
- Establish an information security system to ensure the security of consumers’ personal data. They shall not disclose, modify, or destroy consumers’ personal data, or provide such information to any third party, without the consumers’ prior consent, except where the personal information has been irreversibly de-identified. Business operators shall have procedures in place to deal with data breaches effectively and shall notify consumers promptly in the event of a breach.
New provisions relating to direct marketing (Article 23) have been introduced, requiring the express consent of consumers before any commercial electronic messages can be sent or before any commercial promotional calls can be made. In the event that consumers agree to receive commercial electronic messages or commercial promotional calls, the cost of such messages or calls cannot be passed on to them without express agreement.
Any violation of the general privacy provisions or the direct marketing provisions attracts penalties (Article 57) that include confiscation of the illegal income, a fine of one to five times the illegally obtained income (or up to RMB 500,000 if there is no illegal income), and, in egregious circumstances, suspension of the business operator’s licence.
While some of the privacy provisions in the Draft (such as the three data collection principles) re-articulate provisions in earlier regulations, the five-year retention of records and the breach notification are new requirements. In anticipation of the Draft being adopted in the near future, companies should use the opportunity now to re-evaluate their existing privacy policies and direct marketing practices to ensure that they comply with the notification and consent obligations, and that they have a system in place that records the consents received from customers. Finally, given the new breach notification requirements, companies should consider articulating a security incident response plan to handle breach-related obligations, and provide training to the relevant front-line staff who will have to deal with a breach.