China Expands Data Protection through 2013 Guidelines: A ‘Third Line’ for Personal Information Protection (With a Translation of the Guidelines)
Privacy Laws & Business International Report, Issue 122, 1, 4-6, April 2013
19 Pages. Posted: 17 Jun 2013. Last revised: 27 Aug 2014
Date Written: April 16, 2013
Abstract
China has added a third significant layer of regulation of data privacy in information systems, the Information Security Technology – Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems, released by the Ministry of Industry and Information Technology (MIIT) Standardization Administration on 21 January 2013, effective 1 February 2013.
In theory, these voluntary guidelines are not as important as the two regulatory instruments of 2011/12 covering part of the same territory (primarily Internet IISPs): the Decision of the Standing Committee of the National People’s Congress of December 28, 2012 (see http://ssrn.com/abstract=2251303) and the MIIT Regulation of December 2011 (see http://ssrn.com/abstract=2049232). However, these 2013 Guidelines apply to a much broader range of businesses, and they cover key issues (such as data exports, sensitive data, and subject access and correction rights) and provide some details not covered in the earlier instruments. They may well indicate the standard that will be applied in these other laws, and even in such laws as the Tort Liability Law. The Guidelines set out obligations in three overlapping ways. This article analyses these three approaches, how the Guidelines differ from and add to the existing regulation of data privacy in China, and the significance they have for businesses operating in China.
An unofficial translation of the Guidelines is included in the article.
Keywords: Asia, China, data protection, guidelines, privacy