New Developments in Legislation on Personal Electronic Information Protection

2013.04.12 FENG, Rui、Zhuo Hui、Zou Xiaoqian、Min Nana

The Resolution in Relation to Strengthening the Protection of Information on the Internet (《关于加强网络信息保护的决定》) (the “Resolution”) was promulgated by the Standing Committee of the National People’s Congress (the “NPC”) on December 28, 2012, and took effect on the same day. In addition, the Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (《信息安全技术 公共及商用服务信息系统个人信息保护指南(GB/Z 28828-2012)》) (the “Guidelines”) were officially promulgated on November 5, 2012 and came into effect on February 1, 2013.


I. Background to Legislation


The internet has greatly facilitated the transmission of information. However, the internet has also amplified the adverse effects of the indiscriminate disclosure and use of personal information. In practice, there are many entities and individuals that illegally or improperly collect, use, disclose or sell personal electronic information. At the end of 2011, a serious hacking incident occurred in China, leading to the unauthorized disclosure of user data on many large websites. User IDs and passwords of approximately 50 million internet users were released to the public. Separately, China Central Television, widely known as CCTV, reported at the beginning of this year that certain internet service providers had been analyzing the interests, habits and preferences of internet users by illegally accessing internet accounts and tracking internet usage. These internet service providers would then direct targeted commercial advertisements to such users. The hacking incident and the CCTV report have roused significant public concern in China.


Before the Resolution, there was no established, integrated legal system regarding the protection of personal information in China. There was only a disparate assortment of provisions that sought to protect specific types of personal information stipulated under various laws and regulations. The PRC Personal Information Protection Law (《个人信息保护法》), which attracted much attention, is still working its way through the legislative process. A bill, prepared by academics in 2005 and submitted to the State Council for discussion in 2008, remains in draft form.


The Resolution was promulgated by the Standing Committee of the NPC and, pursuant to the PRC Legislative Law (《中华人民共和国立法法》), has equal standing with national laws. In this sense, the Resolution is the first law-equivalent legislative document in China that focuses on the protection of personal information.


Unlike the Resolution, which seeks to bring together the various laws, regulations and rules preceding it, the Guidelines are classed as a “guiding technical document” rather than a legislative document or a mandatory national standard. This means that the Guidelines are neither mandatory nor enforceable. In accordance with PRC law, within three years of its promulgation, a guiding technical document must be revisited to (i) maintain its effectiveness; (ii) have it converted into a national standard; or (iii) have it revoked.


As the first guiding technical document regarding the protection of personal information, the Guidelines set out the general principles and specific technical requirements for the collection, processing, transmission and deletion of personal information through various information systems. The draft of the Guidelines, named the Information Security Technology – Guide to Personal Information Protection (《信息安全技术 个人信息保护指南》(草案)), was released for public consideration two years ago on February 10, 2011. However, due to the wide scope of the Guidelines and disagreements over the basic definitions, the Guidelines have only recently been finalized. In their current form, the Guidelines apply only to personal information held on information systems used for public and commercial services, but do not apply to government authorities. It is highly likely that the Guidelines may, before a legally binding national standard is issued, be used as a reference in administrative and judicial practices to judge whether personal information is properly protected.


II. Primary Provisions & Influence on Practice


i. Scope of Protection


The Resolution specifies in Article 1 that “electronic information that enables the identification of an individual and electronic information that involves individual privacy” should be protected. “Personal information” is defined in the Guidelines as “any computer data associated with an individual, which can be processed by information systems and, either independently or when combined with other information, can enable the identification of such individual”. Therefore, both the Resolution and the Guidelines focus on the protection of “personal electronic information”.


Under the Guidelines, personal information consists of “personal sensitive information” and “personal general information” (i.e., non-sensitive personal information). If the subject of personal information may be adversely affected once certain personal information is disclosed or changed, then such personal information should be recognized as personal sensitive information. Personal sensitive information includes ID numbers, mobile phone numbers, race, political opinions, religion, genetic information, fingerprints etc. In accordance with the Guidelines, different rules should apply to different types of personal information. For instance, the collection of personal sensitive information must have the “express consent” of the subject of the personal information, while “implied consent” is sufficient for the collection of personal general information.


ii. Application of the Resolution and the Guidelines


Application of the Resolution


There are general prohibitive provisions in the Resolution applying to any entity and individual. Such provisions include prohibitions against the illegal collection, stealing, sale or provision of personal electronic information (as stipulated in Article 1) and sending spam email, mobile phone spam etc. (as stipulated in Article 7). These are all general provisions that seek to protect personal life and privacy.


With respect to internet service providers, other enterprises and public institutions, Articles 2 to 5 provide specific requirements for the collection, utilization, provision and storage of personal information by such entities and their staff in the course of business operation. In addition, where an internet service provider provides a user with network or information publication services, such provider should require the user to disclose and verify its identity.


As for government authorities and their staff, the Resolution requires that they should keep secret personal electronic information received by them during the performance of their duties, and may not disclose, change or destroy such information, or sell or illegally provide it to any third party.


Application of the Guidelines


The Guidelines provide guidance on the protection by various organizations and institutions of personal information within information systems. These organizations and institutions include service providers in relation to telecommunications, finance, medical services etc. However, entities performing public administration duties, such as government authorities, are expressly excluded from the scope of the Guidelines.


Under the Guidelines, the protection of personal information involves four aspects: (i) the subject of the personal information, i.e., the individual to which such personal information relates; (ii) the administrator of the personal information, e.g., a service provider; (iii) the recipient of the personal information, e.g., a specialized data processing/management service provider; and (iv) the independent evaluation institution, which specializes in the attestation/evaluation of information and which is independent from the administrator of the personal information.


There are different responsibilities and duties for each role. For example, the requirements for the administrator of the personal information are particularly strict. Under the Guidelines, the administrator of the personal information should: (i) design and establish the process under which personal information is processed; (ii) formulate a management system for managing personal information; (iii) implement the management system mentioned in (ii); (iv) designate certain personnel to take charge of personal information protection and accept complaints and enquiries; (v) formulate an educating and training plan in relation to personal information protection and carry out such training; and (vi) establish internal controls for personal information protection and inspect, or evaluate by engaging an independent evaluation institution, the security and protection mechanisms of the information system. In addition, the administrator of the personal information is required to manage and control the risks that arise in the course of processing personal information. The administrator of the personal information should make plans for incidents that may occur, such as the disclosure, loss, damage, change, and improper use of personal information. Once any of the aforementioned incidents actually occurs, the administrator of the personal information should promptly take measures to mitigate the adverse effects of such incident, promptly give notice to the affected subject of the personal information, and, if the incident is serious, promptly report to the government administration on personal information protection.


While the Guidelines are currently not mandatory, they establish the basic requirements and standard regarding the protection and management of personal information. With greater public awareness of the importance of personal information protection, the Guidelines may be elevated to legal obligations in the future. In this sense, it is advisable that service providers that need to process large amounts of information gradually introduce and improve personal information protection mechanisms in a cost-efficient way, so that they can minimize the time and cost of adapting to future legislation and thereby gain a competitive advantage.


iii. Requirements for Information Processing


Both the Resolution and the Guidelines emphasize the importance of protecting personal information in the course of information processing.


General Principles


In accordance with the Resolution, internet service providers, other enterprises and public institutions should strictly comply with the general principles of “legitimacy, reasonableness and necessity” when they collect or use personal information in the course of business. Under the Guidelines, the processing of information consists of four steps, i.e., collection, processing, transmission and deletion. The Guidelines set forth the following eight principles to be observed in the processing of personal information: (i) have a reasonable and clear purpose for information processing; (ii) collect, process and use no more information than is necessary to fulfill the purpose; (iii) notify the subject of the purpose, the scope of collection and use, protection measures etc.; (iv) obtain consent from the subject; (v) keep the personal information complete, accurate, usable and up to date; (vi) guarantee the security of personal information; (vii) stop processing or using the personal information upon fulfillment of the purpose; (viii) clearly allocate and implement internal responsibilities in relation to the information.


Specific Provisions on Collection of Information


Pursuant to the Resolution, internet service providers, other enterprises and public institutions should publish their rules concerning the collection and use of personal information, give notice to and obtain consent from the subject of personal information about the purpose, method and scope of collection and use of his or her information. The relevant provisions under the Guidelines are more specific. No entity is allowed to collect personal information either secretively or indirectly. No entity may directly collect personal sensitive information from any person with limited or no legal capacity (e.g., minors under 16 years old) without the express consent of his or her guardian. It is foreseeable that service providers of instant messaging, e-commerce services and social networking services will face great pressure to reengineer their processing flow chart and upgrade their technology if the Guidelines become enforceable.


Specific Provisions on Transmission of Information


Under the Guidelines, without express consent from the subject of the personal information, or explicit authorization by laws or regulations, or approval of the competent authorities, the administrator of the personal information is not allowed to transmit any personal information to any overseas personal information recipient (including any overseas individual and any organization or institution registered overseas). This provision has already raised concerns among Chinese and multinational companies which, in the course of business, provide personal information to overseas persons or entities. This is a real issue and merits continued monitoring for any developments in administrative and judicial practice and future legislation.


In addition, we note that some multinational companies have raised concerns about the applicability of the Resolution and Guidelines to the collection, storage and processing by employers of employees’ personal electronic information. If the Resolution and Guidelines apply, employee management costs will increase significantly and employees may use any non-compliance in this connection as a bargaining chip if there are labor disputes. Based on the content and legislative purpose of the Resolution, the Resolution may be unlikely to apply to the protection of employees’ personal information against their employers. However, it is not clear if we can say the same for the Guidelines. Given that there has been no official judicial interpretation or precedent since the promulgation of the Resolution and Guidelines, it is difficult to reach a conclusive interpretation at this stage.


III. Legal Liabilities


If an entity or individual breaches the Resolution, such entity or individual may face civil, administrative or even criminal liabilities.


Civil Liability


The Resolution generally provides that where an entity or individual violates the protection of personal electronic information under the Resolution and infringes another person’s civil rights and interests, such entity or individual should bear civil liability. This helps specify that personal electronic information is one type of civil rights and interests defined to be protectable under the PRC Tort Liability Law (《侵权责任法》).


Administrative Liability


Pursuant to the Resolution, any entity or individual that violates the Resolution may face administrative penalties imposed by the competent government authorities, including but not limited to warnings, monetary penalties, confiscation of illegitimate gains obtained from such violation, revocation of permits or cancellation of registrations, suspension of websites, prohibiting the responsible person from engaging in internet service provision and noting such violation on the social creditability records of the entity in question and making such noting public. Among these penalties, the final two had never been stipulated as administrative penalties in any law-equivalent legislative document before the Resolution. It is probable that the penalties, including the new ones, may be introduced into the draft PRC Personal Information Protection Law and other regulations and rules in this connection.


Criminal Liability


Under the PRC Criminal Law, government authorities and entities in the fields of finance, telecommunications, transportation, education or medical treatment and the staff of such authorities or entities are prohibited from selling or illegally providing personal information to others where such information is obtained during the performance of duties or provision of services by such authority, entity or staff member. If the circumstances are serious, penalties may include imprisonment of no more than three years or criminal detention and fines. It is worth noting that, given the fact that more and more internet service providers are providing services to numerous, non-specific persons, there has been much debate about whether an internet service provider can be accused of such crime.


In addition, any entity or individual that illegally obtains personal information by stealing or any other means may, if the circumstances are serious, also be charged under the PRC Criminal Law.


In short, the promulgation of the Resolution and the Guidelines marks a milestone in the development of legislation on personal information protection in China. How the Resolution and the Guidelines will be implemented in practice would be continuously monitored by us. Risk assessment and solution formulation in this connection would also be the value we as lawyers could provide to our clients.
