China Introduces New Data Privacy Protections in Amended Consumer Protection Law

China’s legislature recently passed an amendment to the country’s Consumer Rights Protection Law (the “Amendment”). The Amendment introduces, for the first time, express requirements for consumer-facing businesses and protections for consumers in relation to the collection, use and retention of personal data. The new privacy requirements form part of an overall package aimed at regulating the rapidly expanding online retail market in China. Commentators suggest that the Amendment is a response to government concern regarding online practices and consumer confidence. The new personal data requirements follow various privacy and information security incidents involving online retailers and service providers in China that hit the media in 2011. The Amendment provides that consumer business operators must: obtain the consent of consumers when collecting their personal data; follow the principles of fairness and necessity in collecting and using such data; and make their privacy policies publicly available. In addition, companies must keep consumer personal  data confidential and not disclose, sell or illegally disclose this to others. This includes an obligations to adopt appropriate technical and other measures to ensure security and to take immediate remedial action in the event of any disclosure, theft or loss of information. The Amendment prescribes specific remedies and penalties that may apply. These include civil liability such as a company’s obligation to compensate and take action to restore a consumer’s reputation, as well as administrative actions such as fines of up to ten times an unlawful gain or RMB 500,000 (approx. US$80,000) where there is no gain. In serious circumstances a company’s right to operate may be suspended or even revoked. Infringements will be recorded by regulatory authorities and may be made public. The Amendment becomes effective on March 15^th, 2014. The new consumer privacy requirements are a significant development and seem to be part of China’s drive to tighten up this area in general, including the Information Security Technology – Guidelines for Personal Information Protection published in February 2013.

Tip: While there is currently little further detail or guidance on how the Amendment will be interpreted and enforced, companies should review their current situation and try to adopt clear policies and best practices for China, drawing on their international policies. Foreign-invested companies, in particular, may be scrutinized given government sensitivity regarding data on Chinese nationals being transferred or held overseas and it is not uncommon for one “offender” to be singled out in order to send a message to the market.