Is It Legal for Foreign Company to Transfer User Data out of China?

(By Wang Ting) Recently, China State broadcast CCTV, imposed Apple Inc. that its iPhone’s ability to track and time-stamp user’s frequent locations without user’s permission infringed user’s privacy. Even though the news impacts turned out to be small in western countries, large amounts of Medias in China reported the news (Note: the link is in Chinese). Within the quicker development of internet and mobile internet, personal data and information has become increasingly frequent cross region and even breaking national boundaries, thus making the transfer of personal data more smoothly. In today’s post, at the beginning of Apple’s device’s location tracking abilities, we will introduce regulations and legal risks concerning how enterprises transfer user data from China to third countries.

  1. Notes of collecting and using user’s personal data

At present, protection of user’s personal data are scattered among different laws and regulations in China. There are major applicable laws, for example, the Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks and the Law on the Protection of Consumer Rights and Interests. The Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks states that all organizations and individuals may not obtain electronic personal data of citizens by theft or any other illegal means and may not sell or illegally provide others with electronic personal data of citizens. The Law on the Protection of Consumer Rights and Interests also regulates that no organizations and individuals may violate the laws or administrative regulations in collecting or using the user’s personal data.

Other laws and regulations are scattered to protect personal data. For example, the Law on the Protection of Women’s Rights and Interests states that women’s right of reputation and personal dignity shall be protected by law. The Law on the Protection of Minors regulates that no organization or individual may disclose the personal secrets of minors. The Law on Resident Identity Cards also stipulates some civil or criminal liability for personal data disclosure. Therefore, enterprises shall be familiar with related laws, regulations and provisions in the collection and use of the personal data.

Pursuant to the Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks, enterprises may not collect or use personal data without consent of the user. This means that the collection and use of personal data should be under the consent of an individual who has been well-informed, including tacit consent and expressed consent. Pursuant to the Information security technology – Guideline for personal information protection within information system for public and commercial services, the collection of personal general data should be subject to the tacit consent of an individual, and no personal general data may be collected or used if an individual clearly opposes. Furthermore, the collection of personal sensitive data should be obtained expressed consent of an individual. Otherwise, once the collection and use of personal data comes to privacy, it would probably constitute the invasion of privacy and thus enterprises shall undertake legal responsibilities for invasion of privacy.

User’s time-stamping location records names of frequent locations, data containing pace times and the number of visits, thus the collection of these locations would likely do with personal sensitive data. However, the collection of personal sensitive data shall receive expressed consent from an individual. For example, the Article 4(b) of the iOS Software license Agreement entered by and between Apple Inc and the user agrees and consents to Apple Inc’s and its partners’ and licensees’ transmission, collection, maintenance, processing and use of user’s location data and queries. But when the user turns off the individual location settings on the iOS device, Apple Inc should not collect user’s location data in accordance with the Article 4(b), shall immediately cease to collect user’s location data and even mustn’t transfer the location data out of China.

If an enterprise continues to the collection, use, processing and transfer of personal data out of China without expressed consent of an individual, or disobeying the explicit laws and regulations, or without permission of competent authorities, it is likely to violate the protection of personal data and thus may constitute illegal providing personal data for others.

  1. Restrictions on the handling of personal data

At the collection stage, enterprises shall open the rules of collection and use but shall not use any secretive or indirect means to the collection and use of personal data, pursuant to the Law on the Protection of Consumer Rights and Interests.

Therefore, enterprises shall use a specific, clear and reasonable approach to inform the user of the purpose, the scope and methods of collection of use, the methods of enquiry and revision, and the measures to protect privacy etc. Such notification sets the boundary of permissible activities of enterprises. Without consent of an individual, enterprises shall not neither violate the notification, nor transfer personal data beyond the notification. Moreover, enterprises shall not take secretive or indirect approaches to the collection of personal data, nor transfer the personal data across China.

According to the law, at the collection stage, enterprises shall only collect necessary data relevant to their services, no more than necessary. Furthermore, enterprises shall not use personal data beyond the purpose of their services. In other words, the handling of personal data should be limited to no more than is enough to fulfill their services.

  1. Data security measures

At the stage of collection and use, enterprises shall adopt technological measures and other necessary measures to ensure data security and prevent user’s personal data collected during business activities from divulging, damaging or losing. With regard to the security standard, our suggestion is that enterprises shall adopt the same standard as the protection of trade secrets to protect the user’s personal data collected. The series of security standards include internal and external measures. Externally, the storage and transfer of personal data collected shall be taken encryption technology to prevent from being stealing. Internally, personal data shall be specified the query execution privilege with the approval of the senior leaders. When divulging, damage to or loss of personal data occurs or may occur, remedial measures shall be adopted immediately.

  1. Legal risks

When unauthorized to transfer the user’s personal data out of China, enterprises may undertake following responsibilities:

(1)   Administrative liability

Pursuant to the Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks, enterprises shall be subject to warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel to engage in network service business and other punishments. Moreover, enterprises may be entered into social credit files and published. Where enterprises constitute violations of the public order management, public order management punishments are imposed according to the law.

(2)   Civil liability

According to the General Principles of Civil Law and the Tort Law, enterprises may be demanded that infringement be stopped, that the effects of the infringement be eliminated and an apology be made, that his reputation be restored and that losses be compensated. Even though the provision could be stipulated to protect the transfer of personal data, when divulging, damage to or loss of personal data occurs, the provision may be used as an indirect legal basis, and also be provided reference for the doctrine of liability fixation and the number of compensation.

(3)   Criminal liability

Where enterprises constitute a crime, criminal liability is prosecuted according to the law. Pursuant to the Criminal Law, they may be on the charge of crime, such as the crime of selling or illegal offering personal information, or the crime of illegal acquiring personal information or the offense of illegal and irruptive calculator information system.

Generally speaking, violation of individual user’s personal data does not constitute a crime as regulated in the Criminal Law. However, whereas one receives bigger benefits, sells or illegal offers large number of user’s personal data, repeatedly sells or illegal offers user’s personal data , or leads to great economic losses or severe damage normal life of the user after the user’s personal data was illegal offered or sold, or uses the user’s personal data in criminal activities or other serious conditions, the one is likely to undertake criminal liability.

Lawyer Contacts

You Yunting86-21-52134918

Disclaimer of Bridge IP Law Commentary

Leave a Reply

Your email address will not be published. Required fields are marked *