New China cybersecurity law impacts use of 'personal information'

Tomorrow, the new Cybersecurity Law of the People's Republic of China (“Cybersecurity Law”) will come into effect. What sounds like a document targeting telecommunication or other technology companies could also have some important repercussions for advertisers.

Indeed, many provisions mention “networks” as the subjects of the new law, defining these as systems designed to collect, store, transmit, exchange and process information.

One could easily argue that the databases and platforms operated by most brands (CRM, electronic POS system, eCommerce sites, and more) fall into this category. As such the law also determines how to collect, use, protect personal information (“PI”), indicating relevant forbidden activities.

Furthermore, the Cybersecurity Law complements the Amendment (IX) to the Criminal Law of the People's Republic of China, which provides scenarios of illegal sale or provision of personal information. Corresponding penalties can be up to seven years imprisonment in addition to a fine. Caution is therefore advised.

This law goes far beyond previous rules in terms of data privacy. Prior to 2012, there was no law that systematically regulated the protection of personal information. Typically, the provisions regarding personal information were constituted of a few sentences in very specific laws.

Some articles in the Passport Law, for example, impose obligations on officers in charge of issuing passports, meant to maintain the confidentiality of Chinese citizens’ personal information. Similar articles can be found in the Lottery Administration Regulation, Social Insurance Law and others. Furthermore, the term “personal information” itself was not defined until late 2012, when a guideline dictating measures on the protection of personal information came into effect.

Likewise, it was only in July 2013 that a connection between personal information and network security was established. The Cybersecurity Law therefore represents the first attempt to reconcile both personal information protection and network security into a single document.

The following paragraphs describe a few provisions in further detail:

1) Article 41

To collect and use personal information, network operators shall follow the principles of legality, rightfulness and necessity, disclose the rules for collection and use, explicitly indicate the purposes, means and scope of collecting and using information, and obtain the consent of the persons whose information is collected.

Network operators shall not collect personal information irrelevant to the services provided by them, shall not collect or use personal information in violation of the provisions of any law or administrative regulation or the agreement of both parties, and shall dispose of personal information preserved by them in accordance with the provisions of laws and administrative regulations and agreements with users.

This provision is particularly relevant for advertisers and brands as it requires companies to obtain a so-called “opt-in” from consumers before their information can be collected and used for, let’s say, marketing purposes.

Here is an example: An agency interviews several consumers about their impressions concerning a certain type of smartphone. It also asks the interviewees to perform a number of tasks using their phones (search for information, take pictures, etc.). All the interactions are recorded on video for the agency’s and client’s reference.

In order to comply with Article 41 of the Cybersecurity Law, the agency needs to take the following aspects into consideration:

• The precepts of “legality” and “rightfulness” require the collection of personal information to be reasonable and relevant to the agency’s service (that it constitutes a part or the basis of the campaign the agency has been mandated to run);
• The principle of “necessity” calls for the minimisation of personal information collected. For instance, the interviewees’ images and voices (during the recording) and their contact numbers (for the client to verify their participation in the study) should be enough. There is no need to collect their true names, ID numbers or addresses;
• Furthermore, the agency shall deliver a letter to each interviewee, describing the purposes, means and scope of the collection and usage of their personal information, as well as the duration of storage of the collected information. The letter must also include a statement, to be signed by the interviewee, that he/she consents to all the above.

2) Article 42 (first paragraph)

Network operators shall not divulge, tamper with or damage the personal information collected by them, and shall not provide personal information to any other person without the consent of the persons whose information is collected, except that the information has been processed in a manner that it is impossible to distinguish a specific person and it cannot be retraced.

This article stipulates the obligation for network operators to keep personal information confidential. Consequently, personal information can only be divulged publicly or shared to other parties if:

• The person whose information is being disclosed agrees to such a transaction; or
• The personal information has been anonymised so that the person in question cannot be uniquely identified.

This means that without prior consent, companies are not allowed to share any personal information. Exceptions may apply if the personal information was processed in a way to be made anonymous and if the effects of such impersonalisation cannot be reversed.

In the example mentioned above, the agency may share (without interviewees’ consent) the recorded videos with other parties, as long as the agency has taken measures to blur the interviewees’ faces, to alter the tone of their voices to the extent that individual interviewees are unrecognisable, and if the modifications on face and voice cannot be undone.

3) Article 44

No individual or organization may acquire personal information by stealing or any other illegal means, or illegally sell or provide personal information to any other person.

This article states in a rather unmistakable fashion that companies are not allowed to buy or sell personal information without legal foundation (see also comments above in connection with Article 41).

Accordingly, do NOT succumb to the temptation to buy datasets or “leads” from companies offering these. It is legally safer to run joint campaigns and have consumers land or register on a page that you own and that includes a notice regarding personal information collection (in particular, indicating the purposes, means, and scope of collecting and using information) as well as the option for consumers to “reject” or to “agree to” their personal information being collected and, if applicable, provided to other parties.

Importantly, note that the use of algorithms to identify people individually is likely to be considered an acquisition of personal information by “other illegal means” according to Article 44.

Typically, the legislator uses the term “other means” to refer to all the undefined, unforeseeable, intangible or complex behaviours, making the law more flexible and adaptable to unanticipated situations. Thus, although the law does not enumerate all these “other illegal means”, it is safe to assume that an algorithmic recognition or identification of individuals is forbidden.

Frequently asked questions

What counts as a 'network' or 'network operator'?

Do advertising agencies, DMPs or DSPs fall into this category?

Article 76 of the Cybersecurity Law define both terms as follows:

(1) “Network” means the system that consists of computers or other information terminals and related equipment for collecting, storing, transmitting, exchanging, and processing information according to certain rules and procedures.

(3) “Network operator” means the owners and administrators of the network as well as network service providers.

Although the law does not provide any further details than the information indicated above, it can be assumed that DMPs, DSPs, or other ad-tech companies do fall into the “network” category. Accordingly, legislators are very likely to regard advertising agencies owning or running such networks as “network operators”.

What counts as 'personal information'?

This question is also answered in Article 76 of the Cybersecurity Law:

(5) “Personal information” means all kinds of information recorded in an electronic or other forms, which can be used, independently or in combination with other information, to identify a natural person's personal identity, including but not limited to the natural person's name, date of birth, identity certificate number, biology-identified personal information, address and telephone number.

Notice that a 'judicial interpretation' to Amendment (IX) was released on 8 May 2017 and will also become effective tomorrow. It adds “activity situations” to this definition of personal information, which may have implications for advertisers, for example in connection with the digital footprints left by individual netizens on websites or apps.

The judicial interpretation, however, does not apply to cookies. In fact, past litigation judgements have already established that cookies did not fall into the scope of personal information. Moreover, given that cookies alone do not allow to detect a natural person's identity, no change is expected in this regard. Nevertheless, it remains to be seen how the relevant technology will evolve.

Furthermore, it is also important to mark that the Cybersecurity Law does not require companies to announce or disclose their cookie collection rules or guidelines on their websites (as is the case, for example, in the European Union).

My company intends to use customers’ personal information to personalise email campaigns. Is this allowed?

Whether the usage, process, provision or exchange of PI is legal or not depends on the:

• Legitimacy and necessity of such an action: Data operators must have credible reasons or purposes to collect and use personal information, and the collected personal information must be relevant to the data operators’ services;
• Compliance of the procedure with the relevant laws: At the core of the legal procedure lies the “consent of the individual” whose information is to be collected. “Consent” can be obtained in various ways, for example, in written (on an agreement or letter) or digitally (by ticking the right box on an “opt-in” question).

Accordingly, if the customer has already been informed and has agreed on his/her personal information being used for personalised messages, then such email campaigns are allowed. Or else, they should be abstained from.

In addition, the customer shall be granted the possibility to opt-out, i.e., the right to refuse at any time receiving such emails, even if he/she previously consented to such a practice.

Notice that the same rules apply when the customer incurs a direct benefit from the transaction (for example, a birthday gift). In other words, generosity or good intention does not exempt advertisers from legal compliance.

What if my company is trying to sell customers’ personal information?

Where a company sells or provides any citizen's personal information in violation of laws,

• If the circumstances are serious, the company shall be sentenced to a fine, and its directly responsible person in charge and other directly liable persons shall be sentenced to imprisonment or criminal detention of up to three years; or
• If the circumstances are particularly serious, the company shall be sentenced to a fine, and its directly responsible person in charge and other directly liable persons shall be sentenced to imprisonment up to seven years.

In this connection, one should remember that “selling” personal information tends to leave an impression of illegal behaviour. Under certain circumstances, it is possible to transfer personal information, for example, when personal information is used to deliver specific services, such as data analysis, research, consulting or media planning.

However, such passing of personal information should be avoided if the single purpose of the transaction is the “provision” of personal information.

A corporate partner is proposing an 'exchange' of one another’s data that would allow both companies to get closer to a 360-degree view of the customer. Which aspects should we take into consideration?

Such an exchange shall remain unproblematic as long as the relevant customers have:

• Agreed to their personal information being shared;
• Been informed about the “exchange” between the two partners (network operators) and its purpose.

Disclaimer: This article is provided for general information purposes only and should not be construed as legal advice or opinion on any specific facts or circumstances and should not be relied upon in this respect. You are urged to seek advice from your own legal counsel regarding your specific situation and questions.

Donfil Huang is associate legal manager at Re:Sources China under Publicis Groupe, and Olivier Maugain is general manager of analytics for Greater China at Publicis Media.