Privacy & Information Security Law Blog

In October 2014, the People’s Republic of China Supreme People’s Court issued interpretations regarding the infringement of privacy and personal information on the Internet. The interpretations are entitled Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (the “Provisions”) and became effective on October 10, 2014.

China has not implemented a comprehensive data protection law. Rather, data protection and privacy are regulated through several sector-specific laws. Consistent with the sector-specific nature of the Chinese data protection framework and the Resolution on Strengthening the Protection of Information on the Internet, promulgated by the National People’s Congress in December 2012, the Provisions focus on the protection of personal information on the Internet.

In addition to providing rules on determining when Internet service providers were “aware” of an infringement, rules on determining fault arising from reprinting, unauthorized modification or deletion of personal information, and rules on relevant procedures for legal proceedings, the Provisions also attempt to describe the scope of information that is subject to its requirements, although they fall short of providing a definition of “personal information.” The contours of information covered by the Provisions likely will be further clarified as judges apply the Provisions to individual cases.

In general, the Provisions prohibit Internet users and Internet service providers from using the Internet (or other information networks) to disclose or publish personal information. The personal information protected by this prohibition includes, at a minimum, personal genetic information, medical records, health examination materials, criminal records, home addresses and information regarding private activities. Disclosure or publication on the Internet (or other information network) may be permissible, however, if:

• The relevant individual consented in writing;
• The disclosure or publication is in the public interest to a necessary extent;
• An educational or scientific entity makes the disclosure or publication for purposes in the public interest, academic research or statistical analysis, the relevant individuals have consented in writing to the publication or disclosure and the method of disclosure or publication will not result in the identification of any individual;
• The relevant personal information has already been published by the individual on the Internet, or has already become public via other means; or
• The personal information is obtained through legitimate methods.

If the disclosure or publication falls into one of the final two categories identified above, however, the individual or entity that makes the disclosure or publication may be liable civilly if the method of publication violates the public interest or social morality, or if the publication harms a material interest of the individual whose personal information is disclosed or published.