According to the Criminal Law and the Cyber Security Law, personal data of a citizen means any information recorded by electronic or other means, which either alone or jointly with other information identifies or reflects the activities of a particular natural person. Given the significant commercial value that can be achieved by using personal data to target advertisements precisely, unauthorized access to personal data has become rampant in recent years, causing undue disturbance to people's lives or affairs and, not infrequently, unlawful harm to those with less social experience.
Q: How is personal data protected through legislation in China, given the significant damage that may arise out of unauthorized access to personal data?
A: The Cyber Security Law and the Law on the Protection of Consumer Rights and Interests, among other laws, require that ex-ante and in-process measures be taken to protect personal data. Specific obligations of the parties involved are defined in the Cyber Security Law with the aim of protecting citizens' personal data from unauthorized access, disclosure or use. The General Principles of the Civil Law, the Tort Liability Law, the Ninth Amendment to the Criminal Law and many other laws, regulations and rules provide the legal basis for holding the parties concerned civilly and criminally liable.
In view of the fact that nowadays personal data are mostly collected and disclosed through the internet, China has introduced some laws and regulations governing internet platforms, players and service providers to regulate relevant activities properly. These include, but are not limited to, the Cyber Security Law, the Regulations on Protecting Personal Data of Telecommunications and Internet Users, and the Measures for the Administration of Internet E-mail Services. However, given the number of laws, regulations, authorities and agencies involved in personal data protection, further regulations concerning collaboration and the division of labour and duties are needed.
Q: What are the major duties that internet platforms take in protecting user data under existing laws and regulations?
A: First, the collection, sharing, sub-licensing and use of personal data, in connection with the supply or provision of any product for which personal data need to be collected or made available, must be done in such a manner that the handling of users' personal data is transparent and properly controlled, users are clearly aware that their personal data are being collected, users' consent is obtained, and the information is processed anonymously (i.e., excluding the possibility of identifying the users). The authors suggest that internet platforms should at least include a clause on "privacy protection" or "user personal data protection", or similar terms or conditions, in their user or service agreement. Alternatively, they can formulate and publish a separate personal data or privacy protection policy that contains detailed rules on the collection, management and protection of users' personal data.
Second, in order to comply with the provisions of applicable laws and regulations concerning network services and data protection, internet platforms should ensure that they have a well-established network data security mechanism in place. The authors suggest that network operators and platform service providers should repair and maintain their systems regularly in the ordinary course of business, and update software in a timely manner to eliminate system vulnerabilities. It is worth noting that intentional refusal to fulfil personal data protection obligations may give rise to administrative penalties and may even constitute the crime of refusing to fulfil information and network security management obligations.
Third, internet platforms should establish a network data security complaints and whistleblowing system that publishes, among other things, a description of the complaints received, the channels through which they are received, the procedures by which they are handled and the outcomes, so that complaints or concerns about network data security can be received in a timely manner. The authors suggest that internet platforms should check and address complaints or concerns received from their customers, and maintain the relevant records.
Fourth, according to the stipulations applicable to operators of critical information infrastructure (CII), who are also considered internet platforms, the personal data collected and generated by CII operators in connection with their operating activities in China must be stored in China and not transmitted to any place outside China unless the competent authority completes a security assessment to its satisfaction. It is expected that further operating rules will be introduced regarding these stipulations. Before that, the authors suggest that CII operators suspend transmission of personal data to any place outside China.
Q: How should an internet company respond if any user brings a lawsuit against it on the ground of personal data breach?
A: Courts generally apply fault-based liability, and most are inclined to reverse the burden of proof when hearing this kind of case. Therefore, an internet company may take the following steps if a lawsuit alleging a personal data breach is initiated against it. First, it needs to determine whether it is the only party with access to the personal data involved. If two or more parties may have access to the data, the internet company may prove to the court the possibility of such access by another person. The burden of proving who the infringer is then shifts to the holder of the right or title in the personal data involved.
Second, it may consider submitting evidence that proves the possibility of unauthorized disclosure by another person, or that demonstrates the appropriate security measures taken by the company, thus eliminating the possibility of unauthorized disclosure by, or any fault of, the company. Such evidence may include the access-level requirements the company imposes on access to user data, and records showing inquiries into and access to user data by its employees.
Third, the company has to take all possible measures to prevent further distribution of the personal data involved, if it is likely that the leakage or infringement of the data is attributable to any fault of the company.
Fourth, before sharing information with any third party, the internet company may enter into a written agreement with that third party that stipulates, among other things, their respective obligations in protecting user data and the liability for breach of the obligation to keep user data confidential.
Cheng Bing and Zhao Qian are attorneys at AnJie Law Firm
19/F Tower D1, Liangmaqiao Diplomatic Office Building, 19 Dongfang East Road
Chaoyang District, Beijing 100600, China
Tel: +86 10 8567 5988
Fax: +86 10 8567 5999