PI Protection in China – Highlights of a Developing Legal Framework June 25, 2015 by Lewis Barr mobile, privacy & security, social login For current Janrain customers and other companies interested in Janrain Customer Identity Management services hosted on Janrain’s platform infrastructure within the People’s Republic of China, we thought it would be helpful to provide an introduction to recent Chinese legal developments protecting the personal information of Chinese citizens with a focus on consents necessary for the collection of personal information. The highlights of China’s developing personal information protections that follow rely on secondary sources and are offered as a courtesy for general information purposes, not as legal advice. As China’s consumers use of mobile and online technologies has grown significantly in the past few years, so naturally have Chinese concerns regarding the treatment of their personal information shared through these technologies. In the past three years alone, China has enacted or issued the following substantive laws and agency guidelines regarding the treatment of personal information, although much remains to be seen as to how these laws and guidelines will be interpreted and enforced: 1.Resolution in Relation to Strengthening the Protection of Information on the Internet promulgated by the Standing Committee of the National People’s Congress (effective December 28, 2012); 2.Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (effective February 1, 2013); 3.Consumer Rights Protection Law of 1993 as amended by Decision of the Standing Committee of the National People’s Congress (effective March 15, 2014); and 4.Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers published by the State Administration for Industry and Commerce of the People’s Republic of China (effective March 15, 2015). China protects personal information (“PI”) which is information that by itself or in combination with other data enables the identification of an individual. Examples of protected information for a consumer include the consumer’s name, gender, birth date, and residential address. In some respects the Chinese protections for PI mirror those of the EU Privacy Directive. For example, a consumer must be informed of what information is being collected and the purpose for which her information is collected, and the use of the PI should be limited to the purpose for which it was collected and deleted once that purpose has been fulfilled. But cross-border transfer of PI is prohibited without the consumer’s explicit consent or government approval, except where required by law. While tacit consent of an informed user seems acceptable for general PI collection, the explicit consent of an informed consumer is required for the collection of PI deemed sensitive, such as a government ID, mobile phone number, and religious affiliation. Parental consent is needed prior to collecting the PI from a child under age 16. Also, an individual’s explicit consent is required before a business may send the individual an email unless the individual first requested information from the business. Because implementation of the law now on the books is still in process and further changes in this dynamic area of the law can be expected, it is advisable to consult with legal counsel with expertise in this area before engaging in marketing activity involving personal information in China. The following law firms, among others, provide counsel in this regard: Baker & McKenzie, DLA Piper, Hogan Lovells, Hunton and Williams, Jun He, and Morrison Foerster.