It seems that China is putting an end on anonymous and pseudonymous Internet activity while billing severe new restrictions on Internet use by Chinese citizens as necessary to combat spam and protect individuals’ personal information. Though China does not currently have a comprehensive legal framework to regulate the collection, (including process and retain) and disclosure of personal data, the Chinese legislator, especially with the growing importance of e-commerce, is implementing a new legal framework to regulate the protection of these information and disclosure or real identity to be communicated at least to the Internet Service Provider. This in order not only to better protect personal data (and thus privacy of individuals), but also to foster e-commerce and improving the treatment of these information when released in cyberspace.
It is interesting to note that this topic is not only related to e-commerce only, in fact protection of personal information is also connected to foreign enterprises doing business in China. Corporations should consider adopting safeguards to protect employee personal data to reduce the risk of unauthorized disclosure of personal information and to prevent claims of infringement of privacy.
As a matter of fact, in response to the increasing occurrences of inappropriate collection and use of personal data on a massive scale, and in consideration of the lack of a comprehensive personal data protection legislation at the national level, many provinces in China have adopted, or are considering adopting personal data protection regulations by their own. For example, Jiangsu province enacted data protection regulations last year that prohibit the sale, illegal use or disclosure of personal data; the Jiangsu regulations also prohibit theft or purchase of personal data. If this situation occurs, this could complicate the development of a coherent and predictable legal framework regulating both “privacy” and the use of personal data on the Internet. In recent years personal data protection legislation has been widely discussed in China and the concept of privacy has emerged when before was not so considered. In particular protection of personal information has become of crucial importance mainly because employees of institutions that gather and store personal data of users and clients in the course of their business (such as internet companies, telecommunication companies, banks and insurance companies) are selling the personal data of their clients for profit or disclose the data to third parties inappropriately.
In particular new regulations issued by the Chinese legislator require Internet users to give their full, real names to Internet service providers and call on ISPs to delete “forbidden postings and report them to the government.” The Chinese government and its proxies have been on a hair trigger of late with regards to Internet activity deemed dangerous, for example,
blocking access
to Google-run sites and services in November (2012).
China’s new regulations for ISPs, defined as “any entity providing Internet access, including over fixed-line or mobile phones,” require them to “demand that users provide true information about their identities” when contracting for Internet services.
China already has a long record of censoring Internet activity in the country. The government has been known to block access to foreign websites and shut down domestic sites, scrub unwelcome political content and comments, and even arrest individuals for Internet activity deemed counter to the country’s interests.
Some in China were defending the new Internet regulations. A
China Daily
op-ed
called them a way to “bring order and rules to China’s cyberspace.”
As for privacy specifically, it must be underlined that the right to privacy is upheld in principle by
Constitution of the People’s Republic of China
(hereinafter “PRC Constitution”) and Civil Law Principles. Despite the fact that the term “privacy” is referenced in certain PRC laws and judicial interpretations, the scope of privacy protection (including the right to restrict public access to personal information) has not yet been expressly codified, or addressed in detail by the Chinese legislator (
rectius
, on February 2013 has entered into force the new so called “Code of Conduct” for personal data protection but it is not legally binding). To be more precise
the PRC Standardisation Administration issued a national standard entitled the “Information security technology – Guideline for personal information protection within information system for public and commercial services” (
信息安全技朮
公共及商用服务信息系统个人信息保护指南
) (the Guidelines) on 5 November 2012. The Guidelines took effect on 1 February 2013; these Guidelines are also known as “Code of Conduct for personal data protection”.
However, on March 15, 2012, some rules, legally binding, have been adopted in order to regulate behavior on the Internet, i.e. the so called
Provisions on Regulating Market Orders of Internet Information
Services
(issued by the Ministry of Industry and Information Technology of the PRC (MIIT Provisions) may be a first step in a positive direction. the MIIT Provisions took effect on March 15, 2012).
However, a specific or dedicated law which deals with the correct use of personal information in other areas has not been adopted yet, and this situation could impede the correct and smooth development of this new form of doing business in the Internet, and could slow down e-commerce in China. Thus, privacy and data protection should be regarded by the Chinese legislator as a priority to be put on focus, if the Central government is to use e-commerce as a tool to boost internal consumption and, thus, in order to sustain the Chinese economy. As it has clearly emerged from the situation we have initiated to explain, China needs nowadays a more comprehensive and disciplined national personal data protection legislation. Though some rules exist, a definite framework has not been put into place, and the existing pieces of legislation need to be re-organized and refined.
Cristiano Rizzi