On February 9, 2020, amidst the ongoing coronavirus outbreak (“2019-nCoV”) in China, the Cyberspace Administration of China released a Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control (the “Circular”). The Circular emphasizes the protection of personal information collected during the fight against the coronavirus, such as the personal data of diagnosed patients, suspected patients and individuals who have been in close contact with diagnosed patients.
Consent Requirement for Collection of Personal Information
Unless provided otherwise, only relevant parties authorized by the health department of the State Council can collect personal information for the purposes of prevention and control of epidemics and disease without data subjects’ consent, pursuant to the Cybersecurity Law, the Law of Prevention and Treatment of Infectious Diseases, and the Regulation on Responses to Public Health Emergencies. In other words, unauthorized parties cannot collect the personal information of data subjects without their consent for the purposes of prevention and control of epidemics and disease.
Scope of Collection of Personal Information
Collection of personal information must comply with the Personal Information Security Specification, a non-binding national standard, and be restricted to the minimum required. In addition, the subjects whose personal information is collected shall be limited to a key group including diagnosed patients, suspected patients, and individuals who have been in close contact with diagnosed patients, and collection shall not target the entire population in certain areas. This is to avoid discrimination against those in certain areas, e.g., people in Hubei province.
Disclosure of Personal Information
Any party is prohibited from publicly disclosing personal information of the data subjects, including name, age, ID, telephone number and home address, unless the personal information has been masked. The personal information collected for prevention and control of epidemics and disease cannot be used for any other purpose.
Given that 99.1% of the population in China uses the internet on their phones, the main telecommunication carriers hold a large volume of geographic location data and track records of the data subjects. Analyzing this data to predict the movement of the key group would assist the control and prevention of epidemics and disease. The government encourages capable companies to utilize big data to support the control and prevention of epidemics and disease.
The Circular provides guidance on personal information protection in cases of epidemic outbreaks pursuant to the Cybersecurity Law, the Law of Prevention and Treatment of Infectious Diseases, and the Regulation on Responses to Public Health Emergencies. It emphasizes the importance of protecting personal information and addresses the new issues of collecting personal information amidst the control and prevention efforts against 2019-nCoV.
Based on the above, there is no substantial new rule in this Circular, although it expressly emphasizes the legitimate protection of the personal data collected during the process of prevention and control of epidemics and disease outbreaks.