ALTA Law Research Series
Last Updated: 10 June 2010
China’s proposed Personal Information Protection Act (Part II): Enforcement aspects
Greenleaf, University of New South Wales Faculty of Law
2 April 2008
Published in (2008) 92 Privacy Laws & Business International Newsletter 11 - 14, April 2008
The Personal Information Protection Act drafted in 2005 by Professor Zhou Hanhua, director of the Institute of Law at the Chinese Academy of Social Sciences and a team of experts commissioned by the Chinese government, has not moved any closer to enactment following the March 2008 National People's Congress of the People’s Republic of China (PRC). Some well-informed PRC sources consider that it is now very unlikely that this draft will bear a strong resemblance for what is eventually enacted, or be the basis for it. However, it is still very valuable to consider what form of legislation was recommended by one group of Chinese experts. This article completes the picture by considering the recommended enforcement aspects (see Greenleaf PLBI Issue 91, p1 for the first part of this article).
The Act does not propose the creation of any ‘Privacy Commissioner’ or other body with national responsibility for administration or enforcement of the obligations and remedies in relation to privacy. Administration and enforcement is widely distributed among sectors and among the levels of government in the Chinese system. Although it has a superficial similarity to the absence of a central privacy authority in the United States, the model used is most similar to that adopted in Japan and in Chinese Taipei (Taiwan). OtherNorth Asian economies take a different approach from this PRC model: the Hong Kong SAR has a ‘Privacy Commissioner’ model similar to the UK, the rest of Europe, Canada and Australasia; and South Korea has a sui generis model with a central dispute resolution body.
The ‘information agencies’ administering the Act
Government agencies in charge of information resources, at each level of the Chinese government above county level, are responsible for the administration of the Act. I will call them the ‘appropriate information agency’. Chapter 4 (Implementation of Safeguards and Remedies) and Chapter 5 (Legal Liabilities) of the Act set out the various ways in which these agencies, and the Courts at each level of the Chinese government, have responsibilities to administer and enforce the Act.
Government officials in these information agencies are liable to administrative sanctions or criminal liabilities for a wide range of forms of maladministration of the Act, ranging from wrongful disapproval or approval of applications concerning Personal Information Processing, to incorrect imposition of fees or conduct of inspections, and wrongful imposition of sanctions.
General regulations are to be made at State Council level. The information agency of the State Council may formulate detailed implementation rules in accordance with the Act (Article 71). Both government agencies and other data processors have six months from the date in which the Act comes into force to bring themselves into conformity with the provisions of the Act (Article 70).
At the 2008 National People's Congress, a decision was made to establish a new Ministry of Industry and Information. It will absorb a number of the offices and ministries that participated in earlier discussions on a personal information protection legislation. However, it is too early to say what effect its establishment will have on either the legislative process in this area, or on the administration of any eventual legislation.
Enforcement against government agencies
In relation to complaints against government agencies concerning disclosure, correction or cessation of use of personal data , data subjects are first required to bring their complaints to the relevant information agency at the same level of government as the agency complained about. There is no specific provision concerning complaints about collection of information. Complaints are to be dealt with according to the Law on Administrative Review.
The appropriate information agency may engage outside experts to establish an independent Information Committee to carry out such an administrative review. It will act as the secretariat for such an Information Committee, which is not a standing institution. The experts should comprise more than one third of the Information Committee. Data Subjects may refuse to accept the administrative review decision, and may then file an administrative suit with a People’s Court to review the decision of the Information Committee. Government agencies whose breaches of the Act ‘cause damages to the lawful rights and interests of the Data Subjects should bear liability for compensation in accordance with law’. Data subjects can ‘directly file suits with a People’s Court in accordance with law’ (Article 64).
The appropriate information agency can order government agencies to take corrective actions, can impose administrative sanctions, and can impose criminal liabilities where appropriate, in nine specified types of breaches of the Act (covering most possible breaches). In addition, there are separate administrative sanctions or criminal liabilities specified for ‘violation of professional duties’, where government officials (or former government officials) are involved in unauthorised disclosure of personal information.
Professor Zhou’s Legislative Study Report points out that there is no general criminal liability for the violation of the right to personal information but that Articles 306, 307, 397 and 286 in China’s penal code may be relevant. However, this would require China’s Supreme Court to make a judicial interpretation of the Act based on these penal code provisions (Liu translation, 2007). This would also be relevant to the private sector.
Enforcement against the private sector and ‘other data processors’
The enforcement provisions against ‘other data processors’ (including local and foreign corporations, as well as any NGOs operating in China) are similar in many respects to the procedures for enforcement against government agencies.
Data subjects may complain to the appropriate information agency about a breach of the Act by other data processors, and request that the agency protect their rights and interests. The agency may require the subject of the complaint to provide it with ‘data processing reports’ and to take administrative measures such as freezing files, and may undertake an on-site inspection (which must be carried out by at least two inspectors, and authorised by the principals of the agency). The information agency can order corrections, cessation of processing, cessation of use or destruction of files, imposition of penalties or revocation of licences or registrations. They do not seem to be able to award compensation. However, data subjects can file suit directly with a People’s Court to seek compensation against other data processors (as they can with government agencies), or to request cessation of any breaches and remedial actions.
By another provision, the appropriate information agencies may take more punitive actions against other data processors, including ordering them to take corrective actions, imposing penalties, confiscating ‘illegal income’, revoking registration or licence certificates, and imposing criminal liabilities, for twelve specified forms of breach of the Act (covering most possible breaches of the principles). Unauthorised disclosures of personal information attract separate penalties for ‘violation of professional duties’.
Additionally, the appropriate information agencies are responsible for banning the unauthorised processing of personal information without registration or administrative licence (see the previous article). They can confiscate all resulting income, and impose heavy financial penalties.
Co-regulation by trade associations
The Act provides for complaint resolution by ‘self regulatory trade associations’, but this is more accurately described as ‘co-regulation’ because the Act sets strict conditions within which such complaint resolution must occur. Conditions for the operation of trade associations will be set at State Council level, and they must also be guided by local regulators. Unregistered or improperly registered trade associations can be fined.
It does not seem that data subjects must first complain to such a trade association, or to the non-government data processor, before requesting relief from the appropriate information agency or a People’s Court. A complaint to a trade association is a third option that can be pursued. A data subject may complain to the trade association to which a non-government data processor belongs, and the association is then to provide ‘opinions and suggestions’ to its member on how to handle the complaint. If the member refuses to accept these opinions and suggestions, the trade association may decide to ‘revoke the practice reliability authentication mark’ that it provides for its members, and to suspend its membership from the association. Trade associations are not therefore authorised to require remedial actions or compensation for breaches of the Act, but these could of course be part of the suggestions that they make to a member.
An appraisal of the 2005 ‘Expert Draft’
The privacy principles embodied in this legislation (both via the General Provisions in Part 1 and their elaborations in Parts 2 and 3 to government and non-government bodies), cover all key elements of information privacy laws that are usually found in international agreements and other national laws. The relative weakness of the principles in relation to collection and secondary uses are shared with both the OECD Guidelines and the APEC Privacy Framework. The finality principle is particularly weak in relation to the government sector. There are no deletion requirements (retention limits), but neither are there in the OECD or APEC principles. There are no special protections for ‘sensitive’ information, probably because they usually include information about a person’s political, religious or trade union affiliations, all of which are contentious in China (see Liu translation, 2007). Not all jurisdictions include sensitive information principles, and nor do the OECD or APEC. The exemptions defined for organisation are limited to state security agencies, the legislature and judiciary. The most uncertain and potentially contentious exemption is for small-scale and un-harmful processing, which places a considerable amount of discretion in the hands of the bureaucracy. Enforcement of the data export restrictions is completely a matter of Chinese government discretion, rather like in pre-Directive laws in European countries, and the Legislative Study Report suggests that these provisions may be there more for their retaliatory potential (Liu translation, 2007) rather than as any serious attempt to limit data exports in the interests of data subjects.
The draft Chinese Act provides an extensive array of enforcement mechanisms and remedies in relation to both public and private sectors. Although there is no national equivalent of a ‘Privacy Commissioner’, there are designated government agencies at each level of the Chinese government to handle privacy complaints. These agencies are able to order remedial actions to be taken by the data processor, and where appropriate to take more punitive actions against them. Complaints against public sector bodies must first go to the data processing agency. In both sectors, data subjects have the right to take a suit directly to the Courts, and this seems to be necessary in order for compensatory damages to be obtained. Although there is provision for co-regulation by industry associations, this seems to be an optional additional avenue of redress in the private sector. An innovative aspect of enforcement is the handling of complaints by independent Information Committees which may contain non-agency experts. This is similar to South Korea’s successful Personal Information Dispute Mediation Committees.
The principles in the Chinese Act are most similar to the OECD Guidelines, and seem little influenced by new elements in either the EU Directive or the APEC Privacy Framework. They share the weaknesses of the both OECD and APEC. When the question of EU ‘adequacy’ is asked, the Chinese position would most likely turn on how the provisions for small-scale and un-harmful processing, and for data exports, have in fact been implemented. A distinction could also be made between the government and non-government sectors, with the latter more likely to be considered ‘adequate’. In relation to enforcement, the draft law in principle seems to go beyond what is required by the OECD (nothing is required by APEC) and in principle meet what is required by the EU. Although EU adequacy should depend on whether these paper rights do in fact deliver a meaningful system of enforcement, and therefore on both the administrative regulations and their implementation, politics and trade play a major role in these decisions. Privacy for Chinese citizens and adequate protection for the interests of EU citizens are two very different things.
Future and significance of Chinese privacy legislation
Now that the March 2008 National People's Congress (NPC) has passed without enactment of legislation, it is perhaps unlikely that any further developments will take place until after the Beijing Olympics . As it is now considered unlikely by some PRC experts that the 2005 ‘Expert Draft’ will be the basis of any final legislation, the form and timetable for introduction of information privacy legislation in China remains unclear. Although it is possible that the Standing Committee of the NPC could enact legislation, or the State Council could do so as an administrative regulation, prior to the next NPC meeting in March 2009, it seems unlikely that this will happen. Development in relation to the new Ministry of Industry and Information may be significant. It may still be a long march before a law is enacted.
If eventually enacted, a Chinese Personal Information Protection Act will have major implications, particularly throughout Asia. It will signal to all developing countries with aspirations to become significant modern economies that information privacy legislation is part of the package. Within APEC it will mean that the major model for implementation of the APEC Privacy Framework will be national legislation. The APEC Privacy Subgroup’s current exclusive focus on the ‘Pathfinder’ projects concerning cross border data transfers (see Greenleaf, 2008) will appear as something of a sideshow if more Asian countries start to enact national privacy laws.
The Chinese ‘Expert Draft’ of 2005 may be far from perfect, but for Asian countries with no privacy legislation, something similar would be a big step forward. Elements of it are worthy of consideration by Asian countries contemplating privacy legislation, as it is a draft law originating in the Asian region which embodies considerable thought and expertise.
Part I of this article in the previous issue of Privacy Laws & Business International Reporter covered the background to the draft Act, its General Provisions, its specific provisions concerning each of the public and private sectors, and its data export provisions. The author wishes to gratefully acknowledge the assistance of the translation of the draft Act by Maisog and Zhao (Hunton & Williams LLP), but is responsible for all interpretations made. Mr Maisog may be contacted at <email@example.com>.
Greenleaf, Graham ‘APEC’s privacy Pathfinders – a dead end for consumers?’ Privacy Laws & Business International Newseletter, Issue 91, p12, February 2008
Korean Personal Information Dispute Mediation Committee Cases at <http://www.worldlii.org/kr/cases/KRPIDMC/>
Liu, Yue (draft English translation) summary of Zhou, Hanhua et al Legislative Study Report, 2007, unpublished, University of Oslo Faculty of Law
Maisog, Manuel E. and Zhao, Angela (English translation) Zhou, Hanhua et al Personal Information Protection Act of the People’s Republic of China (Experts’ Suggestion), 2006, Hunton & Williams LLP, Beijing, China
Zhou, Hanhua et al Personal Information Protection Act of the P.R.C. (Experts’ Suggestion) and Legislative Study Report, 2006, Institute of Law, Chinese Academy of Social Sciences, Beijing, China