By Albert Chen
It has been a chronic social problem that personal information could be released with no license, and that has brought widely seen information harassment, also a threat to the security of personal asset. The Economic Investigation Squad of Shanghai Police Department published a case in recent, in which the crime of illegally selling personal information has been investigated, and there involved more than 200 million pieces of information and thousands of corporate information. In an era of information, the Internet companies have a wide command of personal data compared with normal companies. Therefore, through today’s post, we would like to express our opinions on the risk and risk prevention of the information leakage.
I. Laws and Regulations on User Data Leakage
Currently, the main clauses regulating the collection and disposal of personal information in criminal law is the Article 253, which provides the crime of selling and illegally providing personal information and the crime of illegally acquisition of personal information as detailed as follows:
“Article 253 When the staffs of state departments of institutes of finance, telecommunications, transportation, education, medicine, etc violate the state regulations, and sell or illegal provide the personal information acquired in during its performance of the duty or service providing, and that is the case of a gross violation, then it shall be sentenced a life imprisonment of no more than 3 years or detention, or accompanied or separately punished a penalty.
The stealing or acquiring the abovementioned information through other methods, and is of a case of gross violation, the punishment shall be sentenced by the last paragraph.”
As to the administrative regulations, it is provided in Article 4 of Regulations on Internet Security Protection Technological Measures,
“The ISP and network using unit shall establish an equivalent management system. And the registrations of the user shall not be opened or disclosed unless otherwise regulated by laws or regulations.”
Accordingly, the main websites in China would make a warranty to its user not to disclose the data with no licenses thereby granted, yet such no-disclosure shall have two exceptions:
1. Such as what regulates in Article 2.4 of Baidu User Agreement (2012.9.4): The website may publicized or provide the user information when it is demanded by the state laws and regulations, social interests, administrative departments, or even when it shall guarantee the interests of the website itself.
2. Such as what regulates in Article 7.2 of Sina User Agreement (2012.9.4): The website may disclose the user information to the third party partner when such a partner promises to undertake the same confidence obligation as the website.
II. The legal risks of the company
(1) Civil risks
The Tort Liability Law enforced from July of 2010 first amended the right of privacy into the legislature, and its Article 2 promulgates that all the violation against the civil rights shall be taken the tort liability by the law. And in addition to the lawsuit of tort or infringement, the user could also claim an agreement breach by the Internet companies with the reference to the user agreement signed with the website.
However, objectively, the current Chinese legislature could only provide an inadequate protection to the civil rights concerning the personal information, especially when claiming damage to the moral rights. In that case, the user shall take a high proof liability, especially in the dispute of tort, and the compensation payable to the user is also not adequate, either by agreement breach or tort. Moreover, with the regulations in Judicial Interpretation in Hearing Moral Damages by the Supreme People’s Court, a moral compensation could not be claimed for which is only limited to the violation against the right of life, health, body, name, likeness, reputation, honor, dignity and freedom.
(2) Criminal risks
In the above said crimes, the crime of selling and illegal providing personal information shall be only applicable to the state department or the institutes of finance, telecommunications, transportation, education or medicine or their staffs, yet most websites in China are not with that background. But on the other hand, once the Internet company would like to acquire the information from the above subjects for the purpose of operation or marketing, they could be incriminated the crime of illegal acquisition of personal information. And the punishments of the crimes are the same, including life imprisonment, detention and penalty.
(3) Administrative risks
According to Measures for Security Protection Administration of International Networking of Computer Information Networks:
The Internet company whoever commits unlicensed disclosure of the personal information shall be administered a warning by the public security organ; where there is illegal gains, the illegal gains shall be confiscated, a fine of less than RMB 5,000 Yuan may concurrently be imposed on an individual and a fine of less than RMB 15,000 Yuan may concurrently be imposed on a unit; where the circumstances are serious, the penalty of suspension of networking and computers for consolidation within 6 months may concurrently be imposed, and when necessary a proposal may be sent to the original licensing, examination and approval authority to revoke the business license or nullify the networking qualifications.
(4) Reputation damages risks
Basing on the above analysis, despite the low civil compensation to the information leakage, and the special demands for the application of criminal liabilities, the administrative relief seems to be the only dependable measures to protect the right. Yet to my understanding, the unlicensed disclosure of personal information could badly harms the social reputation of the Internet companies. Early in the beginning of the year, the known websites in China like Tianya, Dangdang (NYSE: DANG), and 360buy were reported the leakage of user information, and that inflict a social wide doubt to the websites’ commercial reputation.
III. Precautious measures for Internet companies
Despite the above analysis that there may be little risks for Internet companies’ leakage of use information, for it could neither constitute a criminal liability or a high civil compensation, we would like to suggest a information protection work in China, for any information leakage could jeopardize the user’s confidence in the websites or may even drive them to the opponents. Therefore, in our opinions, the following 3 measures shall be taken in the confidence works:
1. To strengthen the inner management and to improve the employees’ awareness of confidence and law. Also it is suggested to execute a confidence agreement in addition to the labor contract, and amended the regulation that any information leakage shall be deemed as the material violation against the rules of employers in the inner rules. By Chinese labor laws, once there’re no such regulations, the information leakage by the employee could not lead to the employment termination.
2. To set the power level and process of information inquiry, modification and approval, and to take all necessary technology measures to arrange a rigorous security setting on information communication and the supervision. As known to me, some companies would regulate that an inquiry into the user information shall be signed for approval by the vice president.
3. To strictly control the origin of the information, and to rules out the process of information acquisition and approval, thus to prevent and enrollment in the disputes of illegal acquisition of personal information.
Other recommended posts on our website:
1. The Actual Term of Trademark Registration in China
2. How to Apply for the Trademark Record in China Custom
3. How to improve the success rate of trademark registration in China?
4. Matters for Attention in Trademark Refusal Review in China
5. Introduction of China’s Legal System of Trademark Renewal
6. Introduction on the Regulations concerning the Capital Contribution in IPR or Domain Name in China
7. The Copyright Registration in China Could Be FREE?
8. China Copyright Protection Term Longer than EU’s?
9. Matters for Attention in the Patent Preliminary Injunction Application in China(I)
For further information, please contact the lawyer as listed above or through the methods in our CONTACTS.
Bridge IP Law Commentary’s posts, including the comments and opinions contained herein, shall not be construed as the legal advice on any issues related. The contents are for general information purposes only. Anyone willing to quote or refer the posts to any other publications or for any other purposes, no matter there’s benefits gained or not, shall first get the written consent from Bridge IP Law Commentary and used under the discretion of us. As to the application of the reprint permission for any of our posts, please email us to the above addresses. The publication of this post or transmission of it through mail, internet or other methods does not constitute an attorney-client relationship. The views set forth here are of due diligence, neutrality and impartiality, representing our own opinions only and are our original works.