Personal Information Protection in China

Report
Personal Information Protection in China Recent Development of the Chinese Civil and
Criminal Cases
Prepared for The Third Asian Privacy Scholars Network Conference, Faculty
of Law, UHK, 8-9 July, 2013
Dr George Tian
Senior Lecturer, Faculty of Law
University of Technology Sydney (UTS)
Email: George.Tian@uts.edu.au
Structure
 Part I: Overview of Personal Information Protection Laws in China
 Part II: Recent Cases on Personal Information Protection in China
 2.1. Recent Development of the Chinese Civil Cases
 2.2. Recent Development of the Chinese Criminal Cases
 Part III: Challenges & Recommendations
 3.1. Challenges of protecting personal information in China
 3.2. Suggestions for future Legal Reform
Part I: Overview of the Personal Information
Protection Regime in China
 1.1. General Feature
 1.2. Existing Laws and regulations
 1.3. Comments and Remarks
1.1. General Feature
 China is still in the process of establishing
 a comprehensive legal framework to regulate the use and
disclosure of personal data
 not currently have
 a national level law that delineates how a company can legally
collect, process and retain personal data.
 “The country’s information protection regime consists of a
patchwork of
 sector-specific laws and guidelines,
 stand-alone provisions in broader laws, and
 regional laws”.
 --- (Cave, 2013)
1.1. General Feature
 But … it seems that such a situation is changing
gradually….
 New Efforts of Harmonization
 Particularly in the recent two or three years, China made a
good progress in harmonizing its personal data protection
laws.
 E.g. making law, regulations and guidelines for protecting
personal information protection on the Internet
 E.g. MIIT Guideline 2013 (more details will be discussed later)
 Draft of Personal Information Protection Law (since 2005)
1.2. Existing Personal Data Protection Rules in China
1. Constitution Law
Articles
38 and 40
Rights that relate to privacy, e.g.
- right of dignity of the person,
- prohibitions against insult, defamation,
false accusation or false information
directed against Chinese citizens, and
- right of freedom and secrecy of
correspondence.
2. Civil Law
Article 120
the
General
Principles
of the Civil
Law
protect a citizen’s right of
- personal name,
- portrait,
- reputation or honor.
6
6
Existing Personal Data Protection Rules in China
3. Criminal Law
(7th Amendment)
Article
253
(1) make working personnel of state agencies, or of
organizations in particular industry sectors,
potentially subject to criminal liability,
- if they sell or illegally provide to other persons
individual information of citizens obtained
- during the course of such organization’s
performance of official duties or provision of
services.
(2) An organization and its responsible officers could
also be made subject to the same criminal liability,
- if it obtains information that had been
misappropriated in this way.
7
7
Existing Personal Data Protection Rules in China
4. Tort Liability Law 2009
(effective on July 1st,
2010)
5. Interpretation of the
Supreme People’s Court
on Issues regarding the
Ascertainment of Liability
for Compensation for
Psychological Damages in
Civil Torts
Articles 2,
6, 3, 15, 36,
61, 62
contains provisions which establish
a right of a private citizen to sue for
damages or other remedies in tort,
- in cases where medical records
are mishandled and
- in cases where the internet is
used to harm the interests of the
private citizen or, more generally,
- in cases where the private
citizen’s right of privacy, health,
name, reputation, honor or
portrait has been infringed upon
and damages have occurred
protect an individual’s rights of
personality, including an
individual’s privacy,
- by granting a right to claim for
psychological damages.
8
8
Existing Personal Data Protection Rules in China
6 The Guidelines for
Payment and Clearing
Organizations on Antimoney Laundering and
Anti-terrorist Financing
2009
(issued by the People’s
Bank of China)
7 Interim Measures for the
Administration of the
Basic Data of Individual
Credit Information 2005
(issued by the People’s
Bank of China)
require payment and clearing organizations and
their branches
- to establish internal control systems to prevent
money laundering and terrorist financing, and
- to establish systems for the ascertainment of
client identities, for the reporting of suspicious
transactions, and for the preservation of client
identity and transaction records..
prohibit governmental authorities and other
organizations, as well as their staff, from
disclosing personal information which they may
obtain in the course of their work.
Violators will be subject to administrative
punishment and civil compensation.
9
9
Existing Personal Data Protection Rules in China
8.
The Norms for Electronic
Medical Records of
Traditional Chinese
Medicine (for Trial
Implementation) 2010
(issued by the State
Administration of
Traditional Chinese
Medicine)
9.
The Basic Norms for
Electronic Medical Records
2010
(issued by the Ministry of
Health)
require medical organizations to
- set up information security schemes for
electronic medical records and
- establish corresponding powers for doctors,
nurses and other management staff in the
hospital to read, copy, and type electronic
medical records, and
require hospitals to establish usage records for the
electronic medical records.
prohibit any entity or individual from reading or
copying electronic medical records without due
authorization.
prohibit unauthorized review of patients’ medical
records
- by other institutions and persons besides the
medical personnel that perform the medical
activity and quality control personnel.
[Exemption]
permit the review of medical records, after
obtaining consent of the medical institution, for the
10
purpose10of scientific research and education.
Existing Personal Data Protection Rules in China
10. Social Insurance Law 2010
prohibit governmental authorities and other
organizations, as well as their staff, from disclosing
personal information which they may obtain in the
course of their work.
Violators will be subject to administrative
punishment and civil compensation.
11. The Provisions on the
Management of Social
Insurance Records (for Trial
Implementation) 2009
(issued by the Ministry
of Human Resources and
Social Insurance and State
Archives Administration)
require
- that social insurance records, including medical
insurance records, comply with applicable
requirements on storage, confidentiality, use,
transfer, validation, and destruction of archives,
- that they be stored properly, and
- that damage to or destruction, loss, and
disclosure of social insurance records be
prevented.
11
11
Existing Personal Data Protection Rules in China
10.
MIIT Regulation of December 2011 (effective 15 March
2012) - ‘Several Regulations on Standardizing Market Order
for Internet Information Services’
11. The Decision of the Standing Committee of the National
People’s Congress on Strengthening Information Protection
on Nation Network – December 28, 2012
12 MIIT Guidelines for Personal Information Protection within
Public and Commercial Services Information Systems (2013)
Sectorial and Provincial Laws..
Administrative Laws and regulations…
12
12
China’s internet Laws & Regulations
PKU Report 2011 – Existing Internet Laws in China
 Group 1: Laws on Internet: 2
 Decision of the Standing Committee of the National People’s
Congress on the Internet Security 2000
 Digital Signature Law 2004
 Group 2: Other laws related to Internet governance: 21
 E.g. Patent Law, Trade Mark Law, Copyright Law, et al
 Group 3: Administrative regulations & Ministerial Rules.
 Administrative regulations: 51
 Ministerial rules: 843.
China’s internet Laws & Regulations
PKU Report 2011 – Existing Internet Laws in China
 Group 4: Juridical interpretations
 E.g. digital copyright and ISP safe harbour provisions
 Group 5: Self-regulations: 46.
 After 2011….
 New Development in 2012:
 Laws on the Internet
 Decision of the Standing Committee of the National People’s
Congress on Strengthening Information Protection on Na
Network – December 28, 2012
3.2. Recent development of the personal data regulations
3.2.1. MIIT Guidelines 2013
 MIIT Guidelines for Personal Information Protection within
Public and Commercial Services Information Systems (2013)
 In theory, these voluntary guidelines are not as important as
the two regulatory instruments of 2011/12 covering part of the
same territory (primarily Internet IISPs),
 The Decision of the Standing Committee of the National People’s
Congress on Strengthening Information Protection on Nation
Network – December 28, 2012
 the MIIT Regulation of December 2011 (effective 15 March 2012) ‘Several Regulations on Standardizing Market Order for Internet
Information Services’.
3.2. Recent development of the personal data regulations
3.2.1. MIIT Guidelines 2013 - PI
 However, these 2013 Guidelines apply to a much broader
range of businesses, and
 they cover key issues (such as data exports, sensitive data, and
subject access and correction rights), and
 provide some details, not covered in the earlier instruments.
 Definition of Personal Information
1.3. Remarks: Existing Laws and regulations
 Remarks:
 The current features of the Chinese personal
information protection framework
 do affect the effective enforcement of PI protection
laws at both civil and criminal levels.
Part II: Recent Cases on Personal Information
Protection in China
 2.1. Recent Development of the Chinese Civil Cases
 2.1.1. Overviews
 2.1.2. Civil Case – Mr Guo vs Minsheng Bank
 2.2. Recent Development of the Chinese Criminal Cases
 2.2.1. Overview & Statistics
 2.2.2. Criminal Case against Individual - China vs. Xu [2013]
 2.2.3. Criminal Case against Company - China vs. Shanghai
XX IT Company [2013]
 2.2.4. Progress vs. Uncertainty
2.1. Recent Development of the Chinese Civil Cases
2.1.1. Overview
 “The country’s information protection regime consists of a
patchwork of
 sector-specific laws and guidelines,
 stand-alone provisions in broader laws, and
 regional laws”.
 --- (Cave, 2013)
 Challenges to the Courts
 Civil Law Code
 Laws/regulations/guideline at different levels
2.1. Recent Development of the Chinese Civil Cases
2.1.2. Guo vs. Minsheng Bank [2012]
 Case: Tort of Privacy Invasion by Bank
 Mr. Guo, a citizen in Nanjing (Capital city of Jiangshu Province) sued the
Minsheng Bank in the Nangjing Xuanwu District Court in 2012.
 The Court held that the bank’s conducts constitute the tort of privacy
invasion.
 Mr Guo was a former Credit Card users of the Minsheng Bank Nanjing
Branch.
 But, in May 2011, he surprisingly discovered that, although he got his
Minsheng credit card cancelled, without his authorization, the Minsheng
Bank, has twice investigated his personal credit information from the
Nanjing Branch of the People's Bank of China (his current bank) under the
names of credit card approval and loan approval in 2010 and in 2011
respectively.
2.1. Recent Development of the Chinese Civil Cases
2.1.2. Guo vs. Minsheng Bank [2012]
 Case: Tort of Privacy Invasion by Bank
 The explanation given by the Minsheng Bank Nanjing Branch was that the
bank is conducting “2nd Round customer development”.
 Mr. Guo did not accept this explanation, and filed a Complaint to the
Management Division of the People’s Bank Nanjing Branch.
 In December 2011, after investigation, the People’s Bank Nanjing Branch
found that Minsheng bank indeed inspected the credit record of Mr. Guo
without his authorization.
 According to the Interim Measures for the Administration of the Basic Data of
Individual Credit Information 2005 (issued by the People’s Bank of China),
 It imposed 20,000 CNY (3,278 USD) monetary penalty to Minsheng Bank.
2.1. Recent Development of the Chinese Civil Cases
2.1.2. Guo vs. Minsheng Bank [2012]
 Case: Tort of Privacy Invasion by Bank
 Mr. Guo believed that the conducts of the Minshen Bank infringed his
privacy right, and initiated a civil litigation against Minshen Bank in the
Nanjing Xuanwu District Court, and asked the bank to make a written
apology on Newspapers.
 In March 2012, the Xuanwu district court made a decision in favour of Mr.
Guo, and requested the Minsheng Bank Nanjing Branch to make a written
apology to Guo.
2.1. Recent Development of the Chinese Civil Cases
2.1.2. Guo vs. Minsheng Bank [2012]
 Hints from this Case: Tort of Privacy Invasion by Bank
 Enforcement Agencies
 The People’s Bank Nanjing Branch
 Nanjing Xuanwu District Court
 Relevant Laws and regulations:
 Civil Law
 Civil Tort of Liability Law
 Interim Measures for the Administration of the Basic Data of Individual Credit
Information 2005 (issued by the People’s Bank of China)
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
 Criminal Law (7th Amendment 2009)
 Crime of selling Personal Information of Citizens
 Crime of illegally providing Personal Information of Citizens
 Crime of illegally obtaining Personal Information of Citizens
 Based on the information provided by the Public Prosecutate of
Beijing Haidian District,
 In 2010, they handled 31 cases (41 people involved), which were
related to a breach of the Criminal Law for illegally obtaining to
Personal Information of Citizens.
 VII. An Article is inserted after Article 253 of the Criminal Law as Article
253 (A):
 “Where any staff member of a state organ or an entity in such a field as
finance, telecommunications, transportation, education or medical
treatment, in violation of the state provisions, sells or illegally provides
personal information on citizens, which is obtained during the organ’s
or entity’s performance of duties or provision of services, to others
shall, if the circumstances are serious, be sentenced to fixed-term
imprisonment not more than three years or criminal detention, and/or
be fined.
 Whoever illegally obtains the aforesaid information by stealing or any
other means shall, if the circumstances are serious, be punished under
the preceding paragraph.
 Where any entity commits either of the crimes as described in the
preceding two paragraphs, it shall be fined, and the direct liable person
in charge and other directly liable persons shall be punished under the
applicable paragraph.”
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
 Key Features of this type of criminal cases:
 1. Measures of Crime – Online trading
 20 of 31 cases happened on the Internet – 64.5% of the total cases




Step 1: Buyers search online via Baidu or Google to find Sellers
Step 2: Join in special QQ Group
Step 3: communicate via QQ or Emails
Step 4: Bank transfer and Data Transfer
 7 of 31 cases – face-to-to trading – 22.5%
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
Measures of Crime
Via the Internet
Face-to-Face
Others
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
 Key Features of this type of criminal cases:
 …
 2. Purpose of Crimes – Expand their market & sell for money
 26 of 41 people used the obtained personal information for
marketing purposes – 63.4%
 14 of 41 is for selling to others – 34.1%.
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
Purposes of Crime
Marketing
purposes
Re-selling
purpose
Others
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
 Key Features of this type of criminal cases:
 …
 3. Targeted Information




Car owner information – 15 of 31 cases – 48.3%
Bank customer information – 10 of 31 cases – 32.2%
Company CEO – 5 of 31 cases – 16.5%
Phone records/ID card information/shopping records – 3 * 3 - 9.6%
respectively
 Customer information of Carrier company & new-born information –
2*2 – 6.4% respectively, et al…
 In many cases, parties involved obtained multi-type information
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
Targeted Information
Car owner
information
Bank customer
information
2.2. Recent Development of the Chinese Criminal Cases
2.2.1. Overview & Statistics
 Key Features of this type of criminal cases:
 …
 4. High Risk Group – employees in marketing and insurance
sectors
 11 of 41 people - salesman – 26.8%
 5. New High Risk Group: Company leaders & private detectors
companies
 Company leaders – 10 of 31 cases (13 of 41 people) – 32.2%
 Mangers of private detectors companies – 4 of 31 cases (5/41) – 12.9%
2.2. Recent Development of the Chinese Criminal Cases
2.2.2. China vs. Xu [2013]
 Criminal Case against Individual
 Criminal Judgments by the People’s Court of Shanghai Pudong New District
 Case Number: (2013) Pu Criminal First 1087((2013)浦刑初字第1087号)
 Prosecutor: People's Procuratorate of Shanghai Pudong New District
 Defendant: Xu
 On April 1, 2013, the Prosecutor initiated a criminal litigation against the
Defendant on the ground that the Defendant breached the Criminal Law by
illegally obtaining personal information of citizens.

 On the same day, the Court filed the case and applied a summary procedure
(simplified) to this case. A single judge was appointed and the case was
concluded.
2.2. Recent Development of the Chinese Criminal Cases
2.2.2. China vs. Xu [2013]
 The Prosecutor claimed that:
 On April 25, 2012, the Defendant Xu spent 500 Yuan (around 80 USD),
and purchased more than one million pieces of Customer Order
Information of the “No.1 Store” site - personal information of citizens –
from Zhang (handled separately) via the Internet.
 On November 23, 2013, the Defendant Xu was arrested and confessed all
above facts.
 The Defendant Xu has indicated no objection to the facts that the
Prosecutor claimed above in the court proceeding.
2.2. Recent Development of the Chinese Criminal Cases
2.2.2. China vs. Xu [2013]
 The Court also took into account the evidences, such as:
 - Testimonies made by Witness Wang and Witness Zhang
 - QQ Screenshots,
 - Chat records
 - Alipay transaction records (Chinese PayPal)
 - the list of seized items,
 - and other evidences.
 ‘The Court found that the Defendant Xu illegally obtained personal
information of citizens, and the circumstances are serious. As such,
his conducts constituted a breach of the Criminal Law.’
2.2. Recent Development of the Chinese Criminal Cases
2.2.2. China vs. Xu [2013]
 ‘The Court upheld the claims made by the Prosecutor.
 By virtue of Article 253 (1)(2), Article 67(3), Article 72, Article
73(2)(3) and Article 53 of the Criminal Law, the Court made a
judgment as follows:
 Defendant Xu beached the provision of illegally obtaining to
personal information of citizens, and
 was sentenced to six months imprisonment, suspended for
one year (probation) and
 a monetary penalty of one thousand Yuan (around 163 USD)
applied.’
 上海市浦东新区人民法院 刑事判决 (2013)浦刑初字第1087号
被告人徐某,因本案于2012年11月23日被刑事拘留,同年12月21日被逮捕,2013年1月29日被上海市公安局浦东
分局取保候审,同年3月22日被上海市浦东新区人民检察院取保候审。
辩护人赵振华,上海市世通律师事务所
律师。
上海市浦东新区人民检察院以沪浦检刑诉〔2013〕969号起诉书指控被告人徐某犯非法获取公民个人信
息罪,于2013年4月1日向本院提起公诉。本院于同日立案并依法适用简易程序,实行独任审判,公开开庭审理了本
案。上海市浦东新区人民检察院指派代理检察员席娜出庭支持公诉,被告人徐某及其辩护人赵振华到庭参加诉讼。
现已审理终结。
上海市浦东新区人民检察院指控,2012年4月25日,被告人徐某在互联网上从张某某(另案处
理)处,以人民币500元的价格购得一号店网站100余万条(以收货人姓名为关键项去除重复处理后共计28万余条)
订单信息数据的公民个人信息。
2013年11月23日,被告人徐某被公安机关抓获,到案后如实供述了上述犯罪事
实。
上述事实,被告人徐某在开庭审理过程中亦无异议,并有经庭审质证属实的证人王某某、张某某的证
言,QQ截屏图片、聊天记录、支付宝交易记录,扣押物品清单,公安机关出具的案发经过及工作情况,被告人徐
某的户籍资料等证据证实,足以认定。
本院认为,被告人徐某非法获取公民个人信息,情节严重,其行为已
构成非法获取公民个人信息罪。公诉机关指控的事实及罪名成立,予以支持。被告人徐某到案后能如实供述并自愿
认罪,系坦白,依法从轻处罚。依照《中华人民共和国刑法》第二百五十三条之一第一、二款、第六十七条第三
款、第七十二条、第七十三条第二、三款、第五十三条之规定,判决如下:
被告人徐某犯非法获取公民个人
信息罪,判处有期徒刑六个月,缓刑一年,罚金人民币一千元。
(缓刑考验期限,自判决确定之日起计算;
罚金自判决生效后一个月内缴纳。)
被告人徐某回到社区后,应当遵守法律、法规,服从监督、管理,接受
教育,参加公益劳动,做一名有益于社会的公民。
如不服本判决,可在接到判决书的第二日起十日内,通过
本院或者直接向上海市第一中级人民法院提出上诉。书面上诉的,应当提交上诉状正本一份,副本二份。
代理审判员 师坤鹏

二〇一三年四月十八日

书记员
陆玮
2.2. Recent Development of the Chinese Criminal Cases
2.2.3. China vs. Shanghai XX Information Technology Company
[2013]
 Criminal Case against Company
 Criminal Judgments by the People’s Court of Shanghai Pudong New District
 Case Number: (2013) Pu Criminal First 864((2013)浦刑初字第864号)
 Prosecutor: People's Procuratorate of Shanghai XX District
 Defendants: Shanghai XX Information Technology Company (referred to XX
company); Legal Representative: Bai XX.
 On March 13, 2013, the Prosecutor initiated a criminal litigation against the
Defendant on the ground that the Defendant breached the Criminal Law by
illegally obtaining personal information of citizens.

 The Court filed the case and applied a (simplified) summary procedure to
this case. A single judge was appointed and the case was concluded.
2.2. Recent Development of the Chinese Criminal Cases
2.2.3. China vs. Shanghai XX IT Company [2013]
 The Prosecutor claimed that:
 In July 2012, in order to expand the Company’s market, the Defendant
Bai authorized Zuo (handled separately), the Manger of the Marketing
Division of the Company, to purchase more than one million pieces of
Customer Order Information - personal information of citizens – from Liu
(handled separately) at the price of 900 Yuan (around 146 USD) via the
Internet.
 On February 21, 2013, the Defendant Bai went to the Public Security
authority and make a voluntary confession.
 The Defendants, XX Company and Bai, have indicated no objection to the
facts that Prosecutor claimed above in the Court proceeding.

2.2. Recent Development of the Chinese Criminal Cases
2.2.3. China vs. Shanghai XX IT Company [2013]
 The Court has also taken into account the evidences, such as:
 - Alipay transaction screenshot (Chinese PayPal)
 - Relevant invoices
 - Testimony by Witness Cui
 - Testimonies by related parties Zuo and Liu
 the list of seized items,
 - and other evidences.
2.2. Recent Development of the Chinese Criminal Cases
2.2.3. China vs. Shanghai XX IT Company [2013]
 ‘The Court found that the Defendants, XX Company and Bai, illegally
obtained personal information of citizens, and the circumstances were
serious.
 The conducts of Bai, who was directly in charge of personnel of the
Company, has constituted a breach of the Criminal Law.
 Given that the XX Compand and Bai voluntarily confessed to the Public
Security Authority and pleaded guilty in the Court, by virtues of
relevant laws, the Court decided to apply a lighter punishment.’
2.2. Recent Development of the Chinese Criminal Cases
2.2.3. China vs. Shanghai XX IT Company [2013]
 By virtue of Article 253 (1), Article 67(1), Article 72(1)(3), Article
73(2)(3) and Article 53 of the Criminal Law, the Court made a
judgment as follows:
 1. Defendant XX Company beached the provision of illegally
obtaining to personal information of citizens, and needs to
pay a monetary penalty of 30,000 Yuan (around 5,000 USD).
 2. Defendant BAI beached the provision of illegally obtaining
personal information of citizens, and was sentenced to six
months imprisonment, suspended for one year and a
monetary penalty of 10,000 Yuan (around 1,630 USD).

 Judge Ling Hong
 March 21, 2013
 VII. An Article is inserted after Article 253 of the Criminal Law as Article
253 (A):
 “Where any staff member of a state organ or an entity in such a field as
finance, telecommunications, transportation, education or medical
treatment, in violation of the state provisions, sells or illegally provides
personal information on citizens, which is obtained during the organ’s
or entity’s performance of duties or provision of services, to others
shall, if the circumstances are serious, be sentenced to fixed-term
imprisonment not more than three years or criminal detention, and/or
be fined.
 Whoever illegally obtains the aforesaid information by stealing or any
other means shall, if the circumstances are serious, be punished under
the preceding paragraph.
 Where any entity commits either of the crimes as described in the
preceding two paragraphs, it shall be fined, and the direct liable person
in charge and other directly liable persons shall be punished under the
applicable paragraph.”
2.2. Recent Development of the Chinese Criminal Cases
2.2.4. Remarks: Progress vs. Uncertainty
 Progress:
 The new amendment started to be well enforced.
 Uncertainty:
 Lack of a clear definition of “personal information”
 The meaning of “state provisions”
 The meaning of “if the circumstances are serious”/ “severe
consequence”
 Next, BACK to the issues at the national level…
Part III: Challenges & Recommendations
 3.1. General Challenges of protecting personal data in China
 3.1.1. Hints from 2013 BSA Global Cloud Computing Scorecard
 Ranking improved
 Lack of laws and industrial rules
 3.1.2. Challenges from Legal Tradition
 3.2. Suggestions for future reform
 3.2.1. Three models: US, EU and Australia
 3.2.2. Enforcement Agencies
3.1. General Challenges
3.1.1. Hints from 2013 BSA Global Cloud Computing Scorecard
 The BSA survey examined the policy environment for
CC in several countries around the world.
 The BSA survey examined 24 countries, which
together account for 80 percent of the global ICT
market.
 The BSA Scorecard Measuring CC Readiness
2013 BSA Global Cloud Computing Scorecard
 The BSA Scorecard Measuring CC Readiness
 It examines major laws and regulations relevant to CC in
seven policy categories as well as each country’s ICTrelated infrastructure and broadband deployment.





1. Data Privacy
2. Security
3. Cybercrime
4. IPRs
5. Support for Industry-Led Standards & International
Harmonization of Rules
 6. Promoting Free Trade
 7. ICT Readiness, Broadband Deployment.
3.1. General Challenges
3.1.1. Hints form 2013 BSA Global CC Scorecard
 China’s Ranking
 +2 (in comparison with 2011)
 19th of 24
 Screen Shot 2013-07-05 at 1.08.10 PM
3.1. General Challenges
3.1.1. Hints form 2013 BSA Global CC Scorecard
 As mentioned above….
 Progress:
 Recent development – all about protecting personal
information on the Internet (rather than general protection
measures)
 Further improvements:
 Lack of the Personal Information Protection Law at the
national level
 Lack of unified privacy enforcement authority at the national
level
 Challenges for the quick growth of Innovation Industry
3.1. General Challenges
3.1.2. Challenges from Legal Tradition
 China’s overall regulatory approach may presents challenges to the
development of innovation industry, such as cloud computing.
 1. China’s preference for top-down mandatory regulation is often at
odds with the type of public-private collaboration and industry selfregulation so critical to growing new technologies.
 2. data protection and data sovereignty fears, as well as
cybersecurity concerns, are creating barriers for deployment of
leading global technologies.
 3. complicating the policy environment is China’s drive to promote
domestic industry, as well as preserve its existing market access
controls.
 (USITO, 2012)
3.2. Suggestions for future laws and policies reform
3.2.1. Three models: US, EU and Australia
 EU Model: Centralized
 US Model: Decentralized
 Australia Model: Centralized law and principles + detailed
industrial guidelines.
 Recommendation 1 – May consider drawing on lessons
from the experiences of Australian Model to harmonize
the existing laws on personal data protection
3.2. Suggestions for future laws and policies reform
3.2.2. Enforcement Agencies
 Recommendation 2:
 May consider leaving privacy cases to Intellectual Property
Courts (IP, Antitrust, Personal Information Protection)
 Recommendation 3:
 Courts may play a more active role in explaining how existing
data protection laws could be applied
 Chinese Supreme Court may issue a Guideline on this issue –
more judicial interpretations
Conclusion and Remarks
 “Based on the global opportunity that Cloud
Computing presents, each country’s policy changes
will alter not just that country’s environment but the
global market for CC as a whole.”
 (BSA, 2013)
 …. apply this idea broadly….
Conclusion and Remarks
 “Based on the global opportunity that Information
Economy presents, each country’s policy changes will
alter not just that country’s environment but the
global Information Economy as a whole.”
Acknowledgment
 Prof. Graham Greenleaf, Faculty of Law, UNSW
 Mr. Yun Xuan, Director of IP Policy and Enforcement
Division, Microsoft (China) Co., Ltd
 Ms. Sophia Wang, Director & Chief Representative, China,
BSA, The Software Alliance
Thank You !

similar documents