Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.
The Draft applies to (1) e-commerce activities within China or (2) e-commerce activities involving either domestic enterprises that operate an e-commerce business or customers located in China. In particular, the Draft provides specific protections for “personal information” of e-commerce users, defined as information which can be used, separately or in combination with other information, to identify a specific user. The Draft provides specific examples, including the user’s name, identity certificate number, address, contact information, location, bank card information, transaction records and payment records, as well as express logistics records.
The Draft reiterates that enterprises operating an e-commerce business (“e-commerce enterprises”), which include e-commerce third-party platforms and e-commerce operators, are required to (1) follow the principles of legitimacy, rightfulness and necessity, (2) publish their rules on the collection, processing and use of personal information in advance and (3) obtain the consent of their users to those rules. The Draft does not provide any guidance on the form or manner in which consent must be obtained. The Draft also prohibits e-commerce enterprises from forcing users to consent to their collection, processing and use of personal information by threatening to cease the provision of services.
The processing and use of personal information by e-commerce enterprises must comply with the enterprise’s published rules on processing as agreed upon with its users. In addition, when amending its rules on information processing, an e-commerce enterprise must again obtain the consent of the users. If the users disagree with the amendments, the enterprise is required to provide appropriate relief. In instances where the enterprise proposes changes to its rules directed at the purpose, method or scope of the processing previously agreed upon with its users, the enterprise is required to inform the user and obtain the user’s express consent.
Before they may exchange and share data and information related to e-commerce, e-commerce enterprises are first required to irreversibly de-personalize the data and information in such a way that it can no longer be used to identify a specific individual (or an associated computer terminal). Additionally, in instances where the processing or use of personal information by an e-commerce enterprise might infringe upon the legitimate rights and interests of a user, the user has the right to request that the e-commerce operating entity cease the infringement. Further, upon expiration of a statutory or agreed-upon retention period, an e-commerce enterprise is required to cease its processing and use of relevant personal information, or delete or destroy such information.
According to the Draft, users also have the right to access their personal information. After receiving an access request from a user, the enterprise must promptly provide the relevant information after verifying the user’s identity. Similarly, in cases where a user requests the correction of any incorrect information, the enterprise is required to make the changes in a timely manner.
The Draft also includes provisions governing data breaches. Where personal information has been, or may be, leaked, lost or damaged, the e-commerce enterprise must immediately take remedial measures, promptly notify the users and submit a report to the relevant authorities.
The personal information protection requirements laid out in the Draft are generally consistent with those that appear in the new Chinese Cybersecurity Law and in a number of prior regulations, including those governing internet information service providers. This may be a pattern that is taking hold among rules governing the processing of personal information in China.