In the era of Big Data and the Internet of Everything (IoE), users are increasingly attentive to how their personal information is handled. Confidential personal information such as mobile numbers and personal ID numbers is increasingly requested to activate numerous daily-life functions, for instance an SMS authentication code for website or app registration or login. Additionally, companies request facial, voice, or other biometric features for authentication or verification, such as facial recognition or voice prints.
Thus, jurisdictions around the world have stepped up efforts to regulate the collection and use of personal information and address privacy issues. In
Companies that fail to protect users' personal information often face both a trust crisis and a compliance crisis. A lack of meticulous and thorough personal information security compliance can damage user confidence and harm a company's public image. Equally, increased legal and regulatory attention to personal information protection inevitably increases companies' compliance obligations to reduce risks and resolve incidents quickly.
Below, we examine an administrative case in which the company failed to adopt the necessary personal information security measures.
The Case
Additionally,
- Failure to sign a confidentiality agreement with personnel handling the collected data;
- Failure to define the responsibilities of personnel and third parties for leaking confidential information;
- Failure to formulate emergency response plans such as data breach disposal;
- Failure to establish security verification during the export of data including member ID, card number, card type, validity period, card status, card sales time, card terminal number, card store, name, gender, mobile phone number, card balance and other data containing consumers' personal information;
- Failure to encrypt the exported documents;
- Failure to adopt technical measures and other necessary measures to ensure the security of personal information.
Control Mechanism
In the administrative case,
- The purpose and method of processing personal information;
- The type of personal information processed;
- The impact on personal rights and interests.
Personal information compliance measures shall include the following:
- Internal management system and operating procedures;
- Personal information classification;
- Appropriate technical security measures such as encryption and de-identification;
- Personnel authorisation to operate the processing of personal information;
- Regular security education and training for employees;
- Emergency plans for personal information security incidents.
Additionally, the Measures for the Supervision and
The Measures require companies that collect and use the personal information of online consumers to do the following:
- Follow principles of legality, justification, and necessity in the collection;
- Expressly indicate the purposes, manners, and scope of the collection and use of personal information; and
- Obtain the consent of the consumers.
Examining third parties
Companies handling large data volumes, such as those in the hospitality, logistics, consumer finance, and other industries, may outsource processing to a third party. In the administrative case,
The Assessment should ensure that information is processed in compliance with the law by evaluating the third party's information protection capability, cybersecurity measures, and internal governance. If the third party is located outside of
Regulating bodies
Personal information is regulated through national and industry bodies. National laws and regulations are issued by the following national departments:
- Cyberspace Administration of China ("CAC");
- Ministry of Public Security of the People's Republic of China ("MPS");
- Ministry of Industry and Information Technology of the People's Republic of China ("MIIT");
- State Administration for Market Regulation ("SAMR").
Industry-specific regulators
Specific industry or sectoral bodies regulate personal information within their respective industries or sectors and include the following:
- People's Bank of China;
- China Banking and Insurance Regulatory Commission;
- National Health Commission;
- Ministry of Education;
- China Consumers Association.
Liabilities
Administrative liability
Personal information infringers are subject to the administrative penalties set forth in the PIPL and the Cybersecurity Law, which include rectification orders, warnings, confiscation of illegal gains, suspension or termination of the relevant service, fines, shutdown of the website, revocation of the relevant business permit, or revocation of the business licence, depending on the circumstances of each case.
Violations will be recorded on credit files and publicly disclosed, and any public security administration violations will be subject to penalties according to public security administration rules.
Criminal liability
Violations that constitute a crime will attract criminal liability. Under the Criminal Law, if an organisation commits a crime, the directly liable officers or other directly liable individuals of the organisation shall be convicted and punished in accordance with the applicable provisions.
Conclusion
The PIPL requires enterprises to establish a comprehensive control mechanism to manage the collection of personal information. Companies should continuously monitor the relevant regulations and update their systems to align with the changing landscape. At Horizons, we have developed data compliance frameworks for large and medium-sized companies in
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
E-mail: hj.li@horizons-advisory.com
URL: horizons-advisory.com/
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source