The Cybersecurity Law of the People’s Republic of China (“CSL”) has been promulgated as a basic law for the cyber security and the cyberspace management. It is also an important foundation for the current enforcement actions in cyber security in China. Considering the significance of the personal information protection requirements in the CSL to the cyber compliance, we have made a comprehensive analysis on the enforcement cases from June 2017 when the CSL came into effect in order to present a picture of the specific enforcement of the CSL in respect of personal information protection.
According to the CSL, the party responsible for the personal information protection shall be the operators of the network, including the owners of the network, the administrators of the network and the providers of the cyber products and services.
We studied 9 published cases regarding personal information protection, in which more than 30 enterprises, from various industries including website operation, software development, e-commerce, electronic payment, culture and media, travel service and decoration, are involved. Among them, those from the internet technology industry take a larger proportion, represented by the companies engaging in website operation, software development and electronic commerce.
Boundary of the Responsibility
The key issue of identifying the boundary of the responsibilities for personal information protection is how to define personal information. However, laws and regulations in different fields and at different levels vary in the definition of personal information. The CSL is the first law to define the personal information, ie any information electronically or otherwise recorded that is able to identify the personal identity of a natural person. Afterwards, a Judicial Interpretation includes the information reflecting the certain activities of a natural person into the scope of the personal information. On December 29, 2017, a national standard regarding Information Security Technology — Personal Information Security Specification (“GB/T 35273-2017”) was released, where the definition of the personal information is closely consistent with that in the Judicial Interpretation, but adding communication records and contents, credit reference information, health and physiological information, transaction information and other information as the examples of the personal information.
The inconsistency in the definition of personal information at the legislative level is not solved in the enforcement practice. Most cases have only mentioned that the personal information right was infringed by an enterprise, but not explained which type of personal information was infringed. For instance, in the case of “Wi-Fi Master Key”, Shanghai Communications Administration ruled that the Wi-Fi password of a user shall be deemed as a kind of personal information of the user, which was not mentioned in any relevant law. This makes the issue even more complicated.
Focus of Enforcement
In the cases of personal information protection, the enforcement authorities primarily pay their attention to the following three aspects: (1) collection and use of information, (2) storage and maintenance of information, and (3) deletion right of the information subject.
(1) Collection and Use of Information
The requirements on the collection and use of information are related to: (i) the collection method, (ii) the collection scope, and (iii) the use of information. We have also sorted out the typical cases according to the enforcement priorities.
The enforcement priorities regarding the collection method include:
A. Publicising the rules on collection and use:
– In December 2018, the Ministry of Industry and Information Technology (“MIIT”) investigated Tongcheng-Elong, because its WeChat mini-app failed to publicise the personal information collection rules, automatically applying an un-disclosed traveling membership agreement to the users and failed to perform part of its service promises. The MIIT ordered Tongcheng-Elong to make rectification immediately (“Tongcheng-Elong Case”).
B. Explicitly informing the information subject of the purposes, methods and scope of collection and use of information:
– In January 2018, the MIIT investigated Baidu, Alipay and ByteDance, because these enterprises failed to fully inform information subjects of the rules on collection and use of their personal information and the using purpose. The MIIT ordered these three enterprises to make rectification immediately.
– In April 2018, Zhejiang Communications Administration found that the app “Ge Shui Guan Jia” (Tax Manager) collected the users’ information without an explicit notice and failed to perform the security protection obligations. Zhejiang Communications Administration ordered the enterprise to make rectification immediately.
C. Getting consent of the information subject, where the infringement is more frequently and severely punished:
– In April 2018, a company in Henan collected and stored a large number of citizens’ personal information illegally, and without any approval from the users. The company also failed to take technical measures and other necessary measures to ensure the information security of the relevant citizens and failed to keep the relevant website log data for not less than 6 months according to the laws and regulations. The local police imposed a fine of RMB 50,000 on the company and a fine of RMB 10,000 on the directly liable person (“Henan Case”).
– In May 2018, Shanghai Communications Administration imposed a fine of RMB 250,000 on LinkSure, because the app “Wi-Fi Master Key” owned by it failed to take reliable measures to ensure that the user who shares the Wi-Fi password is the owner of the Wi-Fi or has obtained the approval from the owner.
– The above Tongcheng-Elong Case.
The legal requirements on the collection scope mainly lie in restricting the personal information only relevant to the services provided by the network operators. The requirements on the use include that the network operators shall not leak, falsify or destroy the personal information collected by them, nor shall they provide any personal information to a third party without approval from the information subject. However, no relevant enforcement case has been found so far.
Further, the CSL particularly prohibits the theft and sale of the personal information and specifies the relevant legal consequences, which are linked with the criminal offense of the citizens’ personal information under the Criminal Law. In the enforcement practice, the aforesaid activities might lead to severe penalty and serious consequence:
– A decoration company in Jiangsu illegally purchased the personal information of the real estate owners in a community and used the personal information to promote its decoration services via telephone or in other manners. The local police imposed a fine of RMB 100,000 on the company.
(2) Storage and Maintenance of Information
The requirements on the storage and maintenance of information include taking technical and other necessary measures to ensure the security of the collected personal information and making rectification and report in case of any infringement of personal information. Therefore, in case of an infringement of the personal information due to an attack from a hacker, the legal liabilities under the cyber operation security and under the cyber information security may be triggered concurrently. See the below typical case as an example:
– In September 2017, the identity information of more than 4,000 students stored by Huainan Vocational Technical College was leaked. Upon investigation, the police found that the college failed to implement the cyber security management system, failed to take cyber security protection measures, kept the weblog data for less than 6 months, failed to classify the data and take backup and encryption measures for important data, causing the high vulnerability of the system and this information leakage. The local police imposed an administrative warning on the college and ordered it to make rectification immediately.
(3) Deletion Right of the Information Subject
In the practice, the deletion right of the information subject is infringed particularly by non-cancelability of or difficulties in the cancelation of a cyber account. For example, in August 2018, Shanghai Communications Administration conducted a random inspection on the cancelability of the users’ accounts for Internet business operated in Shanghai. During the investigation, Shanghai Communications Administration found that the user accounts operated by 20 enterprises, including Carrefour (Shanghai) E-Commerce Co., Ltd., were not cancelable or difficult to be canceled. Besides, these 20 enterprises did not take practical measures to protect users’ information and had serious problems with the cancelation service of their cyber accounts. Shanghai Communications Administration interviewed and informed these enterprises and ordered them to make rectification immediately.
With the implementation of the CSL, as well as the formulation of a series new regulations, including the Provisions on Cyber Protection of Children’s Personal Information that came into effect on October 1, 2019, cyber security and the enforcement practice have drawn more and more attention and become a significant legal field. It becomes apparent from the case study here, that various requirements under the CSL have been practically implemented on a national scale. Compared to the early period when the CSL was just promulgated, the current legal enforcement measures reflect the supervision requirements under the CSL in a more specific and strict manner.