With regard to the requirement of a high-level act, it is unrealistic and improper to enact a data protection act which is just under the Constitution in China. It may be unrealistic and improper to fulfil this requirement of enacting such a comprehensive act just under the Constitution of China.
Even the General Principles of Civil Law as the legal basis for civil rights protection does not stipulate privacy as an independent right, how will it possible to enact a basic law, the same layer as the Civil Law, to regulate the process of personal information flow and data protection? In this sense, this article argues that regulations, interim measures, guidelines are more appropriate layer of legislation on data protection.
Referring to the requirement of a comprehensive date protection act, it is doubtless that regulations promulgated by the MIIT after 2011, protect individuals privacy with respect to date processing in a certain degree. The Provisions defines “User Personal Information”, requires Internet information providers (IIP) to provide stronger protection for the personal data, subjects them to notice and consent requirements, collection and user limitations, and prohibits them from collecting or providing to third parties a user’s personal information without the user’s consent. Furthermore, the 2013 Guideline applies to a much broader range of businesses, covers key issues (such as data exports, sensitive date, and subject access and correction rights), and provides some details not covered in the earlier instruments (Greenleaf & Tian, 2013). However, there are still some deficiencies.
The Provisions lack detailed drafting and explicit illustration (Carlson, Livingston & Stratford, 2012). For example, Article 11 requires the IIP to inform the user ways of collecting and processing information after obtaining the user’s consent, but the Provisions does not clarify why the aforementioned information disclosure of the IIP should occur after and not before obtaining users’ consent. Another example of undetailed drafting is Article 12. This article requires the IIP to “properly” keep users’ information and to report the violation to MIIT if the violation is “serious” without providing clear definitions of “properly” and “serious” disclosure violation.
Moreover, these regulations about data protection neglect a phenomenon of human-flesh searching (http://en.wikipedia.org/wiki/Human_flesh_search_engine). It is a community targeted discovery of a specific person under public scrutiny through the use of online forum to post people’s discoveries of the (wanted) person’s total information. A little while ago, a Chinese teenage who carved his name on an ancient Egypt wall came through a human-flesh searching. All searching started from a picture posted by another Chinese tourist on Internet, and ended with all aspects of the person disclosed through endless searching. Since the searched person is under 18 years old and protected by the Law on the Protection of Minors, all personal information on Internet was deleted after a few days. If the searched person were an adult and all posted personal information were the true, the Law on the Protection of Minors and the regulation about defamation under the Civil Law will not be applicable. In this case, there is still no solution to address the problem of Internet mob that may seriously infringe privacy (Xue, 2010). This issue could be solved by defining data protection in a clear and broad way.
The lack of detailed illustration and clear definition will require further interpretation for effective implementation of these regulations on data protection. Even if there is a comprehensive data protection act, the act is just a piece of paper without a feasible and effective enforcement mechanism. Conclusively, comprehensive and effective data protection regulations are still needed to provide a proper data protection level for the Chinese people.
Thomas Lum, Patricia Moloney Figliola and Matthew C. Weed “China, Internet Freedom, and U.S. Policy” Congressional Research Services (13 July 2012)
Rachel Vandenbrink “Net Freedoms Worsening in China, Vietnam” Radio Free Asia News and Information (3 October 2013)
Lingjie Kong “Enacting China’s Data Protection Act” 18:3 (2010) International Journal of Law and Information
Eric Carlson, Scott Livingston, and Tim Stratford “New Internet Competition Rules in China Include Personal Data Protection” 17 (2012) The Computer & Internet Lawyer
Hong Xue “Privacy and Personal Data Protection in China: An update for the year end 2009” 26 (2010) Computer Law & Security Review
Graham Greenleaf and George Yijun Tian “China Expands Data Protection through 2013 Guidelines: A ‘third line’ for personal information protection, with a translation of the Guidelines” 1:122 (2013) Privacy Laws & Business International Report.
Sources