On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.
Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users
The Draft Provisions were formulated in accordance with the Postal Law of the People’s Republic of China, the Measures for the Supervision and Administration of Security of the Postal Industry, and other relevant laws and regulations. The purposes of the Draft Provisions are to (1) strengthen the management of the security of users’ personal information in postal and delivery services, (2) protect the legitimate rights and interests of postal and delivery service users, (3) maintain the safety of postal correspondence and information, and (4) promote the sound development of the postal industry. The Draft Provisions apply to the supervision, administration, operation and use of postal and delivery services in China which involve the security of users’ personal information.
The Draft Provisions first define “personal information of postal and delivery service users” (the “Users’ Information”) as information used in the course of postal and delivery services. These include the name, address, ID number, telephone number and company name of the sender (and of the recipient), and the order number, delivery time and item details.
Second, the Draft Provisions set forth a number of general requirements for the protection of Users’ Information. These include:
- Franchised express delivery enterprises must agree to clauses in the franchise agreement which establish safeguards for Users’ Information and specify security responsibilities of the franchisee and franchisor. When a franchisor incurs an information security incident, the franchisee must be required to undertake responsibilities of its own for the incident response;
- A postal or express delivery enterprise must sign a confidentiality agreement with its operational staff to clarify confidentiality obligations in relation to Users’ Information, and must provide continuing training and education to develop the knowledge and skills of its operational staff with respect to the security of Users’ Information;
- A postal or express delivery enterprise must establish a mechanism for handling complaints relating to the security of Users’ Information;
- Whenever a postal or express delivery enterprise is engaged by operators (such as e-commerce operators and TV shopping operators) to provide delivery services, the agreement between the parties must include security clauses for the protection of Users’ Information, which specify the scope of information use, security protection measures for information exchanges and allocation of responsibilities in the event of information security incidents;
- When entrusting a third party to input Users’ Information, a postal or express delivery enterprise must ensure that the third party is qualified to undertake information security safeguards, and must bear responsibility for information security incidents caused by the third party; and
- No postal or express delivery enterprise, or operational staff thereof, may transfer any Users’ Information to any third party without express authorization under law, or without the users’ written consent.
Third, in addition to the foregoing requirements, postal or express delivery enterprises are required to strengthen the management of the security of physical and electronic information appearing on the waybill. For example:
- A postal or express delivery enterprise must strengthen the management of its business and processing locations and physically isolate the user service area from the mail (or express mail) processing and storage sites. To prevent the physical information from being stolen or leaked, non-staff must be strictly forbidden from entering such sites or reading mail items (or express mail items).
- To prevent malicious code from destroying information systems and networks, and to avoid disclosure or alteration of information, postal and express delivery enterprises must install necessary antivirus software and hardware, set up measures to encrypt the delivery of Users’ Information through public networks, and strengthen their management of system passwords and of the security of electronic Users’ Information storage.
Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and (under certain circumstances) even criminal liability.
Provisions on the Reporting and Handling of Security Information in the Postal Sector
The Reporting and Handling Provisions define “security information which should be reported and handled” as emergency and operational information relating to the security of the daily processes of postal or express delivery enterprises. The Reporting and Handling Provisions apply to the reporting and handling of this security information by postal or express delivery enterprises, or by postal administration authorities.
Under the Reporting and Handling Provisions, when Users’ Information has been illegally disclosed, postal or express delivery enterprises are required to report security information without delay to their local postal administration authorities and public security departments. If more than 500 items of Users’ Information have been illegally disclosed, local authorities must report the incident to the provincial postal administration authorities within two hours after they receive the report.
Provisions on the Management of Undeliverable Express Mail Items
The Management Provisions are intended to promote the freedom and privacy of correspondence and to protect the legitimate rights and interests of express delivery clients and their correspondents. The Management Provisions emphasize that, at times when undeliverable express items are held in custody and are being processed, no express delivery information may be misappropriated or illegally provided to others.
Conclusion
The three draft rules contain specific provisions on the protection of personal information in the postal industry. Once promulgated, the rules will have nationwide effect. The promulgation of these rules will likely alleviate problems arising from the misappropriation of personal information that is used in postal and express delivery services. In light of the emergence of markets that trade in personal information in a variety of fields, however, imposing regulations on the handling of personal information solely in the postal sector is insufficient; regulation is also needed in other sectors where opportunities to sell personal information exist. Until an integrated, national Personal Data Protection Act that governs the handling of data protection in all industry sectors is adopted, markets for trading in personal information in China are likely to persist.