How to Address Privacy Concerns of Internet Users?

Time: 2022-08-27 10:05:47

When walking into a familiar restaurant near your home, you would be glad to see a waiter who knows your name, greets you by it like an old friend, and brings your favorite dishes and beer without specific instructions. However, how would you feel if you were in a large crowd and a stranger loudly called out your exact name? You might feel shocked and offended. If you then found that this person was a sales agent who had no prior connection with you, you might feel unsafe, angry, or even desperate when it happened repeatedly. This story reflects the difference between providing customized services and infringing privacy. Where does law enforcement draw the line between privacy infringements and legitimate data collection aimed at providing tailored services, especially in the internet environment?

What’s going on?

According to the China Internet Network Information Center, the state network information centre of China, the number of internet users in China, driven by strong economic growth, hit a new record high of 513 million and the number of websites operated in China reached 2.3 million by the end of 2011. However, fierce and unregulated competition among commercial website operators and weak protection for personal information have put the online privacy rights of hundreds of millions of users at risk.

In December 2011, the personal information of over 6 million registered users of China Software Developer Network (one of the biggest online communities of software developers in China, or “CSDN”) was leaked. Many famous internet companies in China, such as Renren Network, a Chinese social networking service provider similar to Facebook, were involved in this hacking case. It is reported that the personal information leaked from CSDN has been used to seek profit through cheating and advertising.

On April 23, 2012, Pony Ma, founder and CEO of Tencent, the most popular instant messaging service provider in China, said he was highly concerned about the risk of privacy infringements during a public conversation with Kevin Kelly, co-founder of Wired, a magazine reporting on the impact of new and developing technology. Indeed, Pony has good reason to pay attention to online privacy protection. Since 2010, Tencent has been involved in a high-profile and painful legal battle with Qihoo, an antivirus giant in China’s internet market. Among other charges, Tencent is accused of scanning users’ computers and uploading users’ personal information for the purpose of driving its corporate profits. The dispute and legal battle between Tencent and Qihoo have drawn further public attention to the protection of personal information and online privacy.

China currently has not enacted a comprehensive law specifically addressing the issue of personal information and privacy protection, or a national level law that delineates how an internet company can legally collect, process, retain and utilize users’ personal information. However, many important rules relating to online personal data and privacy protection are scattered in diverse laws, regulations, industry rules and local ordinances. Although the foregoing rules do not address the privacy issues in a direct, coordinated and systematic way, such legal authorities shall be carefully assessed and considered when carrying on online business in China.

Criminal Law

On February 28, 2009, the Seventh Amendment to the PRC Criminal Law (“Criminal Law Amendment”) was promulgated and became effective. This is the first law criminalizing the sale or unlawful provision of certain kinds of personal data. The Criminal Law Amendment imposes criminal charges on governmental officials and employees in the financial, telecommunications, transportation, education or medical sectors who sell or illegally provide any citizen’s personal information obtained in the course of performing their duties and responsibilities. Additionally, under the Criminal Law Amendment, obtaining citizens’ personal data by theft or other illegal means also constitutes a crime.

In summary, persons or entities who engage in the following three activities will be subject to criminal liability of up to three years’ imprisonment and/or criminal fines: (i) sale of citizens’ personal information; (ii) illegal provision of citizens’ personal information; and (iii) illegally obtaining citizens’ personal information. In April 2012, China’s police authority launched a campaign to crack down on infringements of citizens’ right to personal information, with 1,936 suspects arrested. In August 2011, the Beijing Second Intermediate People’s Court issued its ruling on a famous case concerning selling, illegally providing and obtaining personal information. In this case, 23 defendants were accused of engaging in illegal actions leading to selling, illegally providing and obtaining personal information, and would face prison terms or suspended sentences. In particular, 5 of these 23 defendants were employees of China Mobile, China Unicom and China Telecom, the three biggest telecommunications carriers in China. These cases indicate that China’s law enforcement agencies are increasingly taking measures to protect personal information.

Civil Law

At present, a unified and overarching civil law has not been codified in China. Over the past twenty-six years, the General Principles of Civil Law (“Civil Law Principles”) have played an important role in governing the civil relationships among civil entities. The Civil Law Principles do not provide for a separate right of privacy or personal information, while the Supreme People’s Court merges the privacy right with the reputation right by interpreting the provisions of the Civil Law Principles. That means a victim cannot sue to protect his/her privacy right unless his/her reputation has also been damaged.

This rule was overturned when the Tort Liability Law (“Tort Law”) was enacted on December 26, 2009. Under the Tort Law, which entered into force on July 1, 2010, the privacy right became a distinct type of right independent from other civil rights. A victim whose privacy and personal information have been infringed is entitled to sue to demand cessation of such infringement, reputation rehabilitation, elimination of adverse impact, issuance of an apology and payment of damages. The most important provision of the Tort Law for website operators is Article 36, which stipulates that a victim whose civil rights are infringed due to information disclosure via the internet may ask the relevant website operators or internet service providers to delete or block such information in order to avoid any further loss. If the website operators or internet service providers fail to take necessary actions on a timely basis, they may jointly and severally bear any additional losses caused to such victim.

Besides typical civil laws and regulations, other laws and rules also shed light on privacy and personal information protection. Although the Consumer Rights and Benefits Protection Law (“Consumer Law”) issued by the state-level lawmaker does not contain a provision relating to consumers’ privacy or personal information protection, local consumer protection regulations in China have extended protection over customers’ personal data. Certain provincial-level rules implementing the Consumer Law have impacted the collection and use of customers’ personal data by prohibiting commercial enterprises from disclosing customers’ personal information without their consent or collecting consumers’ personal information irrelevant to the goods or services they purchase. Additionally, it is reported that a draft amendment to the Consumer Law creates an explicit right to privacy for consumers.

Rules specifically applicable to internet industry

In addition to complying with the general criminal and civil laws, website operators and internet service providers need to pay attention to the privacy and personal information protection rules issued by regulators specifically for the internet industry. With respect to online privacy protection, the Computer Information Network and Internet Security, Protection and Management Regulations (“Computer Regulations”), which were issued by the Ministry of Public Security and became effective in 1997, stipulate that the freedom and privacy of internet users are protected by law and cannot be infringed by any entity or person. The Computer Regulations also urge entities connected to the internet to take solid measures to ensure the security of information.

Recently, the Ministry of Industry and Information Technology (“MIIT”) promulgated the Several Provisions on Regulating the Market Order of Internet Information Services (“Market Order Provisions”), which entered into force on March 15, 2012. The Market Order Provisions highlight the issue of users’ personal data protection. Pursuant to the Market Order Provisions, website operators are prohibited from providing users’ personal information to third parties, unless otherwise specified in laws or regulations. Website operators are also prohibited from collecting users’ personal information without users’ consent. Website operators are required to duly retain users’ personal information and to take remedial measures immediately when users’ personal information has been leaked or is at risk of leakage. Since other key rules remain silent on the internet privacy issue, the Market Order Provisions will have a profound impact on China’s internet privacy protection practice.

Future

Given the rapidly changing landscape of the internet industry, it is difficult for lawmakers to devise rules that can always address upcoming issues in a timely and sound manner. It is reported that China will issue the Guideline for Personal Information Protection as a noncompulsory industrial standard in late 2012. However, there is no sign that a comprehensive personal data protection law will be adopted in the near future.

In order to contain potential risks associated with online privacy and personal information protection, website operators and other market players in the internet industry may develop a set of best practices, such as assessing the types of personal data collected, keeping proper internet security measures in place, scrutinizing the purposes for which personal data is used, obtaining the necessary consent for data collection, and limiting the scope of persons who have access to personal information databases.
