On November 1, China's Personal Information Protection Law (PIP Law) formally passed into law. This legislation marks China's first comprehensive legal attempt to define personal information (PI) and regulate the storing, transferring, and processing of personal information. PIP Law is the latest effort by Beijing to regulate companies — tech giants in particular — in possession of personal data.
We talked to a lawyer in Shanghai about these new laws and their real-world implications.
SmSh: So these Personal Information Protection Laws force companies to respect your personal information. Do I as a private individual have to care about this?
JIN: As a private individual, these laws impact you in that they are regulating what can and what cannot be done with your own personal information by companies.
They outline your own legal protections in regards to your personal information as well as the punitive measures that will be undertaken should information be infringed upon. They define the steps the individual can take to seek recompense.
If you are a person who collects personal information — say you're a blogger running a website, or just a WeChat account operator — you should be mindful of these new laws and what you can and cannot do with the information you receive as a result of the interaction you have with your users.
At the end of the day, everyone is interacting to a certain degree with companies, services, and enterprises online. These laws are created to protect you, a private individual, from serious stuff like identity theft and fraud, on down to minor hassles like spam and targeted advertising.
Also... generally speaking, knowing and caring about the law is also your responsibility as a member of this society!
SmSh: What data exactly is protected? What if someone shows a photo of someone else on their WeChat Moments? Are they already violating PIP Law?
JIN: What data is protected, okay. It's a bit of a mouthful. Article 4 of the PIP Law stipulates that personal information is "a variety of information related to identified or identifiable information of natural persons recorded electronically or by other means, excluding anonymized information."
In other words, all information that can be used to identify you is considered "personal information".
For example: name, age, gender, hometown, ID number, mobile phone number, email address, portrait picture, portrait video, home/work address, location, device fingerprint, IP address, health information, income and consumption, family assets, family members, etc.
Anything that can be used to identify you is considered PI.
The law further goes on to delineate "personal sensitive information" — information that if it's leaked or shared could lead to the infringement of personal dignity or even personal safety.
Biometrics, religious beliefs, specific identities, medical and health information, financial accounts, as well as personal information of minors under the age of fourteen. All that is protected with these new laws.
So, your WeChat Moments. Yes, a portrait photo of someone else is under protection of PIP laws.
However, whether sharing a picture of a third party's face is illegal will largely depend on how the picture was collected, and the motive / reason it was shared on WeChat.
Even if it is a violation, it may not lead to a punishment. The situation is minor. If there is a complaint, the uploader will usually be allowed to remedy it by deleting it.
SmSh: My company runs a website in China. Do we now add a cookie warning? What other specific actions would have to be taken?
JIN: You need to check with your web developer / IT director to make sure you are in compliance with the new laws. You need to make sure that every time you are collecting the personal information of users (account creating, payments, communication, etc.), you have the corresponding legal reminders, which include disclosure of the reasons and scope of said collection, as well as a statement of your commitment to being cautious in properly handling, preserving, and disposing of the information collected.
The law only states what you must have in regards to the transaction of information. It's up to you to develop the effective methods to achieve these directives.
SmSh: I bought a new phone, and a day later I start getting advertising calls, so I assume the phone company sold my personal data to advertisers. What are the practical next steps I can take?
JIN: First of all, there are many ways to disclose your personal information, many of which you would not even think of: for example, when you pay online, or when you pay at a restaurant.
Therefore, if you want to accuse the seller of the mobile phone, then you need to have some preliminary evidence, such as how your leaked information was obtained by the mobile phone seller, why you think it was the mobile phone seller and not the restaurant where you ate last night who leaked your information, whether other people have similar experiences, and so on.
It comes down to... well, what evidence do you have? And is it enough to take action with?
If you do have some preliminary evidence, or at least clues, at this time, depending on the severity of your injury, you can consider reporting to the local Consumer Protection Association, Market Supervision Administration, or a police station.
Of course, you can always call the City Service Hotline (021-12345) for advance consultation, if you do not yet want to hire a lawyer.
SmSh: My office building asks me to enter my name, phone number and passport number into a list before entering the building. Is this procedure legal?
JIN: It's still legal to collect your information. The new laws just specifically protect this information when it goes from you to a second party.
Your building needs to inform you of the reason and purpose of their request to fill in your personal information, and how this information will be properly managed and disposed of. Otherwise, you also have the right to use PIP Law to protect yourself.
If your information is being used improperly in some way — in a way that has not been stated during the transaction — then that's illegal and steps may be taken.
SmSh: We understand the new law prohibits businesses from illegally selling personal information to third parties, so ideally I should be getting fewer advertising calls from companies I've never used before. But can companies just put that in their Terms of Service, that customers usually accept without reading? What if the Didi popup says "I hereby agree that we can sell all your personal data to whoever we like" in the fine print, am I protected from that?
JIN: PIP Law has strict restrictions on how personal information collectors dispose of the information they collect. They must have sufficient, legal, and reasonable reasons to disclose collected information to third parties. Such reasons are usually very serious and limited. National security purposes. Governmental or judicial purposes. Things like that.
The act of selling information for profit is not only an illegal act, but also a criminal act, and the seller will face imprisonment and huge fines regardless of the users' agreement.
You cannot supersede the law with a "Terms of Service" clause, basically.
Even if you have one, it has no legal standing.
SmSh: We understand one of the points of the law is that companies can no longer show a customer a personalized selection of products. I run a wine business and send out a selection of wines based on my customers' previous purchase history. Is that now illegal?
JIN: The "customized promoting behavior" regulated by PIP Law is more about information analysis and marketing behavior for an unspecified majority of people without their consent, rather than a specific, singular B-to-C interaction — a customized recommendation to a specific user.
The laws are more directed at larger tech giants and what they can and cannot do with your information. Online shopping platforms can still recommend products that you may be interested in based on your purchase history; they will not be allowed to ONLY push such products to you — there must also be other product choices pushed to you that are not related to your purchase history.
At the end of the day, as a person out there in the world, your life will be affected in a few ways: more pop-up warnings when you use apps — "Are you sure you want to submit this information?" — things like that.
You might receive fewer random phone calls from people trying to give you loans and sell you things. PIP Law clearly prohibits service providers from leaking personal information collected to unrelated third parties, no matter whether it is through sales or free cooperation.
If you are a business owner and your business collects, accepts, and disposes of your users' personal information, you should be aware of these new laws and look into how you can operate in compliance with them.