China’s Proposed Personal Information Protection Act

From 2005-7 a group of experts led by Professor Zhou Hanhua, the director of the Institute of Law at the Chinese Academy of Social Sciences, were commissioned by the Peoples Republic of China government to draft a national data protection law to be considered by the Informatics Committee of the State Council. However, by 2008 the draft had still not progressed through any of the various Chinese legislative channels.This article analyses the main features of their draft Personal Information Protection Act, as the most reliable indication of the form a future Chinese data protection law might take, and indicate how it relates to information privacy laws in Europe and in other Asia-Pacific countries. The draft Act lays out ten ‘General Provisions’, called ‘Principles’ in Articles 2-8. This is similar to the sets of data protection principles usually found in international privacy agreements, European privacy laws or those in other Asia-Pacific countries. The General Provisions are stated to apply to both ‘Government Authorities’ (which includes government at all levels) and ‘Other Data Processors’ (broadly, the private sector), but they are then elaborated separately for each of these sectors. The privacy principles embodied in this legislation (both via the General Provisions in Part 1 and their elaborations in Parts 2 and 3 to government and non-government bodies), cover all key elements of information privacy laws that are usually found in international agreements and other national laws. The relative weakness of the principles in relation to collection and secondary uses are shared with both the OECD Guidelines and the APEC Privacy Framework. The finality principle is particularly weak in relation to the government sector. There are no deletion requirements (retention limits), but neither are there in the OECD or APEC principles. There are no special protections for ‘sensitive’ information, probably because they usually include information about a person’s political, religious or trade union affiliations, all of which are contentious in China.The draft Chinese Act provides an extensive array of enforcement mechanisms and remedies in relation to both public and private sectors. Although there is no national equivalent of a ‘Privacy Commissioner’, there are designated government agencies at each level of the Chinese government to handle privacy complaints. These agencies are able to order remedial actions to be taken by the data processor, and where appropriate to take more punitive actions against them. Complaints against public sector bodies must first go to the data processing agency. In both sectors, data subjects have the right to take a suit directly to the Courts, and this seems to be necessary in order for compensatory damages to be obtained. Although there is provision for co-regulation by industry associations, this seems to be an optional additional avenue of redress in the private sector. An innovative aspect of enforcement is the handling of complaints by independent Information Committees which may contain non-agency experts. This is similar to South Korea’s successful Personal Information Dispute Mediation Committees.[Postscript: From 2009-12 the draft Personal Information Protection Act, although it has not become legislation, is still referred to regularly by in academic articles, Chinese news media, reported comments by Prof Hanhua, and by Internet commentators, as a possible, and desirable, form of Chinese data privacy law. Its day may yet come.]