Ashwin Kaja and Eric Carlson write:
China’s State Administration of Industry and Commerce (“SAIC”) has released for public comment a draft regulation implementing recent amendments to a consumer protection law that would, among other things, supplement existing privacy obligations for businesses operating in China.
The Draft Implementing Regulations largely reiterate a number of data privacy and security requirements that apply to companies operating in China (referred to as “business operators”) found in the CRPL and the CRPL Penalty Measures:
- Business operators must inform and obtain consent from consumers regarding the purpose, method, and scope of collection or use of consumer personal information. Such information may be collected or used only if necessary.
- Business operators may not divulge consumer personal information without consent.
- Business operators must implement measures to ensure the security of consumer personal information and immediately take remedial action if information is leaked or lost.
The Draft Implementing Regulations further supplement the CRPL and CRPL Penalty Measures by adding certain new or modified requirements:
Read more on Covington & Burling Inside Privacy.