Korea first established legal measures to protect privacy by legislating the Act on Promotion of Information and Communications Network Utilization and Information Protection in 2001, and later introduced a new law called the Personal Information Protection Act.
Businesses not only had to make large investments to encrypt the information in their databases, but also had to change their entire work procedures when the government prohibited them from collecting ID numbers from consumers.
Corporate practices regarding privacy protection are always heavily influenced by the legal system, and companies sometimes need to make additional investments or switch their work procedures to abide by newly introduced laws.
From the 1990s, when China started being called the world’s factory due to its cheap labor costs, until the present, when it is the world’s largest market with a population of 1.5 billion, many international corporations, including Korean companies, have entered the Chinese market.
China recently began to establish laws and regulations to protect its own people, businesses, and industries, including laws that aim to protect personal information.
In China, privacy breach incidents took place one after another, including the use of others’ ID cards and the buying and selling of ID cards online, as well as last year’s breach in which the personal information of over fifty million people was leaked through the social security systems of at least thirty different local authorities.
In order to prevent these incidents and protect personal information, China created a series of laws. Korean companies in the Chinese market are also required to abide by these laws, and their businesses will be encumbered if they break them. For this reason, it is important to learn about Chinese privacy laws and find the right way to cope with them.
Even though a draft privacy law was submitted in 2005, China has yet to establish an organized and comprehensive law aimed at protecting personal information, unlike Korea, which already has the Personal Information Protection Act. Chinese laws related to privacy are still scattered among various laws legislated in different fields. For this reason, the definition of ‘personal information’, which would be the basis of the entire privacy law, has not even been made clearly.
So far, there are three different definitions of personal information, according to the three major laws related to privacy: the Decision on Strengthening Network Information Protection, the Regulations on Information Protection of Telecommunication and Network Users, and the Administrative Measures for Medical Information.
Laws regarding privacy are largely divided into general laws and partial laws. General laws include the Constitution and the Decision on Strengthening Network Information Protection, while partial laws include the Consumer Protection Law, the Regulations on Information Protection of Telecommunication and Network Users, the Administrative Measures for Online Transactions, the Personal Information Protection Measures for Postal and Transportation Services, the Administrative Measures for Medical Records, and the Administrative Measures for Medical Information. The objectives of these laws are as follows.
Figuring out how to cope with multiple laws may be difficult for many companies. In the next chapter, let’s take a look at the key content of the Decision on Strengthening Network Information Protection, which is representative of all privacy-related laws, and then at how companies can work with the law.
The Decision on Strengthening Network Information Protection (hereafter DSNIP) has 20 articles. As you can see from its title, its regulations apply only to personal information on the internet.
DSNIP states that two types of information can be taken as personal information:
① Information which identifies individuals
This includes name, sex, age, address, and phone number, through which your identity can be exposed.
② Privacy related information
This includes information about your private life, such as your personal activities and spaces.
It also defines those who may breach personal electronic information as internet service providers, other companies or businesses, government institutions and their employees, other organizations, and individuals. Among these, companies and businesses can be defined as follows.
① Internet service provider
The definition of internet service provider comes from Article 36 of the Tort Liability Act, which includes internet technology providers and internet content providers. This definition is similar to that of ‘information and communication service provider’ in Korea’s Act on Information and Communication Network.
② Other companies and businesses
This means companies and other businesses that acquire personal electronic information legally or illegally. It includes all companies, except for the internet service providers already mentioned above, that collect or process personal information on the internet.
As we can see, every company that collects or processes any personal information on the internet can be subject to these regulations, and Korean companies in China would also have to abide by them.
What penalties would Korean companies face in China if they violate privacy-related laws? China follows the same principle as Korea, the principle of ‘nulla poena sine lege’. In other words, actions that are not stipulated in the regulations cannot be considered criminal, and the law cannot be applied by analogy either.
Even though the Criminal Law in China states the punishment for unlawful acquisition, it does not stipulate any penalty for other situations. Civil law (the Tort Liability Act) is structured a bit differently. It only stipulates the elements of unlawful actions, and each action’s lawfulness is judged based on these elements unless the case is considered special.
Article 36 of the Tort Liability Act defines an illegal action on the internet as a general tort, and the specific list of illegal activities is defined in DSNIP. A Korean company that meets the elements of an illegal action would be liable under Criminal and Civil Law. The specific illegal actions violating personal electronic information stipulated by DSNIP can be largely divided into the following ten types.
① Unlawful acquisition of personal electronic information
Acquiring personal electronic information while failing to comply with the regulation falls into this category. Companies must follow the principles of legality, legitimacy, and necessity, and specify the reason and method of information collection/usage as well as the range of information being collected and used. They also have to obtain the agreement of the person providing the information and disclose their rules on collecting and using personal information in the process.
② Unlawful selling of personal electronic information
This includes selling others’ personal information illegally for personal profit. The 2011 case in which a large Korean retail company collected personal information through a giveaway event and sold it to an insurance company is an example.
③ Unlawful provision of personal electronic information
Even if one does not seek to profit, providing personal information to others unlawfully can be considered illegal. In 2008, a Korean telecommunications company provided consumers’ personal information to its subsidiary telemarketing company. This type of provision can be taken as an illegal act.
④ Unlawful breach of personal electronic information
Regardless of intent or negligence, breaching personal information and breaking the duty of confidentiality can be considered an illegal action.
⑤ Unlawful falsification of personal information
Even though this clause is mostly aimed at companies that intentionally falsify personal information they hold illegally, accidental falsification can also incur liability when it causes serious consequences.
⑥ Unlawful destruction of personal electronic information
This covers both intentional destruction and accidental destruction of personal information caused by lack of caution. As the Korean law focuses only on the collection, storage, and usage of information, Korean companies in the Chinese market need to be extra cautious when deciding to destroy it.
⑦ Loss of personal electronic information
Companies have a duty to properly keep the personal information they legally collected, and neglecting this duty and losing personal information can incur legal liability.
⑧ Violation of privacy caused by unlawful subscription for electronic information
If a company wishes to send electronic information, it needs the agreement of the recipient. Sending commercial information by telephone, cell phone, or email without the recipient’s subscription, or after the subscription has been cancelled, incurs liability. It is similar to the Korean regulation on sending advertisements.
⑨ Not taking immediate actions after personal electronic information breach
If personal information is violated or breached, the victim has the right to demand that the company delete the victim’s information or take other actions to lessen the damage. When requested, companies have a duty to take relief measures. Neglecting this duty makes the company liable.
Compared to the Korean law, which grants victims the right to stop the processing of personal information and to modify/delete the information, this is considered a bit less strict.
⑩ Other unlawful actions
Even if not mentioned above, any action that violates Article 1, which stipulates the duty ‘to protect personal electronic information which may identify individuals or relates to individuals’ privacy’, can also incur legal liability.
These ten types of illegal activities specified in DSNIP are generally similar to those in the Information and Communication Network Law and the Personal Information Protection Act in Korea.
Yet, unlike the Korean law, which stipulates the specifics of companies’ administrative and technological liabilities and duties through subordinate laws and regulations, the Chinese law, DSNIP, is more declaratory and conceptual.
Korean companies in the Chinese market may have difficulties implementing protective measures as they do in Korea. The situation is also a bit different in Korea, where there are cases in which companies that had a major information breach were found not guilty, as long as it was proved that they sincerely fulfilled their duty to manage information.
Since the regulations of DSNIP cover a wide range of actions, it can be harder for companies to prove to the court that they fulfilled their duty. The Chinese authorities have indeed decided to impose penalties for breaking the law, not only civil liability but also punishments such as warnings, fines, confiscation of profits from illegal activities, withdrawal of business licenses, registration cancellation, and website shutdown.
Therefore, companies that have already entered the Chinese market or are planning to in the future need to understand these laws better and examine them with in-house legal departments as well as outside law firms to eliminate possible violations in their business procedures.
The Chinese authorities have stated that there are three problems to be addressed regarding personal information protection: a lack of legislation and enforcement of related laws, the low level of the laws suggested so far, and abuse of and excessive demand for ID cards.
Yet we can also see that China has not ceased its effort to introduce better laws for personal information protection since the implementation of DSNIP in 2012, as it implemented Regulations on ID number collection and use in 2013 while planning to upgrade the entire legal system related to personal information protection within the next ten years.
It is likely that more rules and regulations will be added to the existing laws in the future. Building a relationship with legal organizations with a deep understanding of the Chinese legal system can be a good way to prepare for the changing legal environment.
Written by Sanghyun Lee, LG CNS