Potential New Data Protection Obligations for Credit Reporting Agencies in China

10/22/2009
Client Alert

Legal assistant Fang Jingxiao in the firm's Beijing office provided valuable assistance on this article.

The People’s Republic of China (“PRC”) does not possess a comprehensive legal framework to regulate the use and disclosure of personal data.  Although the introduction of a national, generally applicable data privacy law remains elusive, recent months have seen a resurgent, if piecemeal, legislative interest in the topic.  Notable developments in 2009 have included an amendment to the national Criminal Law to criminalize the sale or other unlawful disclosure of personal data by government officials and employees in certain key industries, and further legislative progress of the draft Torts Liability Law, a long-debated measure with potentially important privacy implications.  More detailed information about these developments and the overall data protection regime in China can be found in our earlier client alert here.

The increasing legislative interest in privacy protection in China is also reflected in the draft Credit Reporting Regulations (“Regulations”), which were issued for public comment on October 13, 2009, by the Legislative Affairs Office of the State Council (“SCLAO”), China’s cabinet-level body.  The draft Regulations govern the establishment, operation, and administration of credit reporting agencies (“CRAs”) in China.  Although they are not limited in scope to data privacy issues, if enacted in their present form, the draft Regulations would impose a number of obligations upon CRAs with respect to data privacy.

Chapter 5 of the draft Regulations deals exclusively with the requirements for protection of privacy and trade secrets during the data collection activities of CRAs and financial institutions.  It enumerates the types of personal information that CRAs are prohibited from collecting, the procedures CRAs and financial institutions need to fulfill before collecting or disseminating information about individuals or corporate entities, and individuals’ and corporate entities’ rights of complaint and objection.  Information that CRAs may not collect includes data relating to ethnicity, religious beliefs, political affiliation, medical history, genetic information, and fingerprints.

Importantly, before they can disclose credit information about an individual or entity to third parties, CRAs would be required to notify the data subject of the designated recipient of the data and of the possible adverse consequences of the disclosure, and to obtain the data subject’s written consent.  CRAs would also have to obtain written consent before collecting information concerning income, deposits, securities, real estate, and tax payments.  Users of credit information would not be allowed to use the information for any purposes other than those agreed upon by the information owners and the CRAs, and would not be allowed to provide the information to unauthorized third parties.

Compliance under the Regulations will be primarily policed and supervised by the People’s Bank of China (“PBOC”), China’s central bank.  It is worth noting that the draft Regulations expressly exempt the Credit Reference Center of the PBOC from certain of the data privacy requirements.

Drafting of the Regulations commenced in 2002 with a preliminary draft completed the same year.  However, the earlier iterations were not available to the public, and the current draft is the first to be released for public review and comment.  The public consultation period ends on Sunday, November 1. The SCLAO Work Plan for 2009 provides that the State Council should strive to complete the passage of the Regulations in 2009.  As such, it is likely that the Regulations will be enacted by the end of this year or the beginning of next year.

The draft Regulations are available (in Chinese) here.

©1996-2019 Morrison & Foerster LLP. All rights reserved.