Personal information in peril

A law is urgently needed to crack down on abuse of personal information and to protect the interest of Internet users

The arrest of two foreign corporate investigators on suspicion of illegally obtaining personal information and selling them to clients for "high prices" has hit international headlines. British national Peter Humphrey and his wife Yu Yingzeng, an American citizen, co-founders of ChinaWhys, are said to have bought or used other methods to collect the personal information of Chinese citizens, including their addresses, family members' names, travel details, and property and car ownership records.

The lack of proper regulation in China makes it difficult to prevent the misuse or abuse of personal information, which is a violation of people's right to privacy and should be punishable by law.

The problem is average people cannot know that their personal information has been leaked or stolen until they receive calls from advertisers, spam e-mails and well-targeted pop-up ads. It is even harder for them to collect evidence to defend their legal rights by dragging those responsible for leaking their information to court.

Many companies possess the personal information of a large number of people. Finding ways to prevent such companies from abusing these information is a challenge for lawmakers and law enforcement agencies across the world, because "all parties are equal" when it comes to digital technology.

A skilled hacker could break through the most advanced firewall and protective software to enter a database and make money by leaking the personal information so obtained to a person or company at home or abroad. To a certain extent, international information technology giants, such as Google, Apple and Microsoft, are more adept at processing data than some countries' governments.

Since the 1990s, nearly 100 countries and regions have enacted laws to protect personal information, for which they have established special law enforcement organs. Although China has many industrial regulations, none of them are specifically dedicated to protecting personal information and punishing those guilty of misusing them.

In March 2012, employees working in the credit card center of China Merchants Bank illegally sold 2,318 customers' personal information, causing a total loss of about 30 million yuan ($4.6 million) to the victims. In February this year, China Life Insurance Company, one of the country's largest insurers, confirmed customers' charges that its information system had loopholes which allowed leak of personal information.

The absence of a specific law to protect personal information is incompatible with China's status as a country with more than 500 million Internet users, the largest in the world. Surveys show that 88 percent of these Internet users have suffered because their personal information has been leaked.

The government issued its first national guideline for protection of personal information on Feb 1, which could be regarded as a transitional regulation before the first specific law on the subject is passed. Since the guideline indicates what the future law could be, it deserves the attention of all people and companies eager to cash in on China's booming e-commerce market and IT industry.

Lawmakers should ensure that the law on protection of personal information is foolproof. First, the lawmakers have to ensure that organizations must seek the consent of people before collecting their personal information and keep them informed about how their data are being stored and used. Survey results show that more than 70 percent of China's Internet users do not read websites' or software providers' terms and conditions before registering online and thus compromise the security of their personal information.

Second, the lawmakers should stipulate stricter punishment for employees of database operators and organizations such as websites, banks and insurance companies who misuse or abuse people's personal information. According to the Criminal Law, the maximum sentence for people who leak, sell or abuse personal information is three years' imprisonment. The lawmakers have to make the sentence more severe to deter potential wrongdoers.

Third, the government must establish effective channels to help individual victims to collect evidence to drag the suspects to court to seek justice and make it mandatory for defendants to prove their innocence.

Last, according to international conventions, big IT companies and commercial database operators can entrust third parties to supervise the management of big data banks and source codes. And the entrusted party can hire specialists to appraise the security conditions of the data in a company's or operator's possession if and when necessary. China Information Technology Security Evaluation Center is the most authoritative organization in the country for this job, especially to ensure that the entire process and result of an appraisal are transparent.

The government could also combine the rule of law and third-party supervision. But before that it has to pass a specific law on the protection of personal information to improve the authority and status of CITSEC.

The author is professor of new media studies and deputy dean of graduate school with the Communication University of China in Beijing.