Skip to main content
IAM vs. CIAM CIAM Buyer's Guide Contact Us
Janrain respects your privacy and will treat the personal data you choose to share with us in accordance with our privacy policy.

PI Protection in China – Highlights of a Developing Legal Framework

By Lewis Barr | Posted on June 25, 2015

Blog Banner

For current Janrain customers and other companies interested in Janrain Customer Identity Management services hosted on Janrain’s platform infrastructure within the People’s Republic of China, we thought it would be helpful to provide an introduction to recent Chinese legal developments protecting the personal information of Chinese citizens with a focus on consents necessary for the collection of personal information. The highlights of China’s developing personal information protections that follow rely on secondary sources and are offered as a courtesy for general information purposes, not as legal advice.

As China’s consumers use of mobile and online technologies has grown significantly in the past few years, so naturally have Chinese concerns regarding the treatment of their personal information shared through these technologies. In the past three years alone, China has enacted or issued the following substantive laws and agency guidelines regarding the treatment of personal information, although much remains to be seen as to how these laws and guidelines will be interpreted and enforced:

1.Resolution in Relation to Strengthening the Protection of Information on the Internet promulgated by the Standing Committee of the National People’s Congress (effective December 28, 2012);

2.Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (effective February 1, 2013);

3.Consumer Rights Protection Law of 1993 as amended by Decision of the Standing Committee of the National People’s Congress (effective March 15, 2014); and

4.Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers published by the State Administration for Industry and Commerce of the People’s Republic of China (effective March 15, 2015).

China protects personal information (“PI”) which is information that by itself or in combination with other data enables the identification of an individual. Examples of protected information for a consumer include the consumer’s name, gender, birth date, and residential address. In some respects the Chinese protections for PI mirror those of the EU Privacy Directive. For example, a consumer must be informed of what information is being collected and the purpose for which her information is collected, and the use of the PI should be limited to the purpose for which it was collected and deleted once that purpose has been fulfilled. But cross-border transfer of PI is prohibited without the consumer’s explicit consent or government approval, except where required by law.

While tacit consent of an informed user seems acceptable for general PI collection, the explicit consent of an informed consumer is required for the collection of PI deemed sensitive, such as a government ID, mobile phone number, and religious affiliation. Parental consent is needed prior to collecting the PI from a child under age 16. Also, an individual’s explicit consent is required before a business may send the individual an email unless the individual first requested information from the business.

Because implementation of the law now on the books is still in process and further changes in this dynamic area of the law can be expected, it is advisable to consult with legal counsel with expertise in this area before engaging in marketing activity involving personal information in China. The following law firms, among others, provide counsel in this regard: Baker & McKenzie, DLA Piper, Hogan Lovells, Hunton and Williams, Jun He, and Morrison Foerster.

Popular Posts

About the author

Lewis Barr

General Counsel and VP, Privacy

Lewis manages Janrain's legal compliance and privacy functions as the company continues its international expansion. He brings more than 15 years of leadership in a wide range of legal and privacy-related matters for growing technology companies. Lewis also utilizes his diverse background as a litigator in private practice, federal appeals court staff attorney, and teacher. Prior to Janrain, Lewis was General Counsel and Secretary of Fios, Inc. and before that, he was General Counsel of New Edge Networks (now EarthLink Business). Lewis holds a Juris Doctor degree from the University of Missouri School of Law and a Bachelor's Degree from Georgetown University’s School of Foreign Service. He is also a Certified Information Privacy Professional (CIPP/US).

View all posts by Lewis Barr