By Susan Ning, Yang Nan King & Wood Mallesons’ Commercial & Regulatory group.
A recent news article about the debut of “invisible waybills” by S.F. Express (a major delivery services company in China)  has attracted public attention. S.F. Express has introduced an “end-to-end entire process information security solution” which protects its customers’ personal information.
First, the customer’s name, phone number, address and other personal information is encrypted and hidden or encoded on waybills.
Second, the customer’s personal information is not disclosed throughout the process so the firm’s departments and employees, such as couriers and customer service staff, will no longer access such information.
Third, address encoding will gradually be adopted nationwide, and eventually the customer’s real address may be replaced completely with code.
S.F. Express is putting an “invisibility cloak” over the customer’s personal information, so it is not “naked” during the express service process, especially during internal processing and delivery. This move is supported by a whole set of innovative technology. It is reported that S.F. Express, as well as hiding or encrypting personal information, is also adopting integrated alternative technology, including identifying a customer by a virtual number, electronic receipt and address encoding. This technology will ensure that customers can be reached without exposing their personal information and will smooth the operation of its delivery services.
The new waybills have been applauded from both inside and outside the express industry. This demonstrates that the express industry and many other internet plus industries are under increasing pressure to protect personal information. Now faced with deep online/offline integration, not only the express industry, but also a growing number of traditional offline industries in education, healthcare, tourism and retail are moving towards or have already adopted electronic collection and use of personal information. Against this background, more enterprises are dealing with greater compliance risks and demand for personal information protection. S.F. Express has made a positive attempt in this regard. An enterprise’s legal obligations to protect personal information arising from and along with its adoption and development of new technology may be fulfilled by upgrading that technology and innovation.
“Depersonalized” Information— “Threshold” and “High Standard” of Protection
Coincidentally, shortly before the news about SF Express was published, the Supreme People’s Court and the Supreme People’s Procuratorate of China jointly issued the Interpretations on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (the “Interpretations”) on May 8 of 2017.The definition “citizens’ personal information” in Article 1 of the Interpretations retains the core element of the “personal information” definition in the previous Cybersecurity Law, Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection, Provisions on Protecting the Personal Information of Telecommunications and Internet Users and other laws and regulations, i.e. it is information to identify a natural person. The second paragraph of Article 3 of the Interpretations explicitly stipulates that, the act of providing others with information that “has been processed and cannot be used to identify specific individuals” does not constitute the crime “infringement of a citizens’ personal information” under Article 253 of the Criminal Law.
Before the Interpretations was released Article 42 of the Cybersecurity Law ( effective from June 1, 2017) specified, that network operators must not disclose personal information without the consent of the person, except, “where such information has been processed and cannot be used to identify specific individuals”, the same wording as in the Interpretations.
This demonstrates that personal information is protected by law because it can be used to identify specific natural persons, and because it relates to material personal legal interests such as the right to privacy and the right to ownership of the name. Therefore, in the absence of consent from the subject of the information, whether the personally identifiable attributes have been protected or abused are set as the legal “threshold” for personal information protection and for determining whether there has been infringement of personal information protection, or the illegal provision of personal information to others. In other words, the dissemination and transfer of any personal information will not be prohibited or restricted by law as long as such information has been completely and irreversibly “depersonalized” and can no longer be used to identify an individual.
The law requires enterprises to adopt technical and other measures to ensure the security of personal information they hold and prevent that information from being disclosed, destroyed or lost, but the law does not specify what measures should be taken by a specific industry. Take S.F. Express and the express delivery industry as an example, S.F. Express is certainly legally obliged to ensure the security of customers’ personal information. It must have secure network facilities and information systems, good internal procedures and rules regarding protection of customers’ personal information, and strong management of couriers and other staff who have access to customers’ personal information. But, given the lack of specific legal requirements, and taking into account current technology and prevailing practices in the industry, S.F. Express will not be in breach of its duty to protect customers’ personal information even if it does not adopt the “invisible waybills” .
S.F. Express has adopted a groundbreaking measure for personal information protection not because of the law, but to establish a “high-standard” for protection of customers’ personal information in the express delivery industry by way of depersonalization. Customers may have consented to the use of their personal information, but S.F. Express has of its own accord “depersonalized” the information (although it may be restored since the address may be decoded to show real address information) in subsequent storage, use, sharing and other steps in order to provide better protection for personal information with technology and a higher service standard. Some industries are now seeing more illegal use of personal information by “insiders” “in the course of performing their duties or providing services”. S.F. Express is reducing the risk of this problem by making customer information unidentifiable to its couriers and customer service staff. It is following the trend in the development of the law (including the Interpretations) to protect personal information.
Legal Protection of Personal Information: Thoughts about an Industry-tailored Approach
The high-standard set by depersonalizing customer information in the express industry is just a voluntary attempt by S.F. Express and not a legal obligation or industry standard. It is thought-provoking. In a broad sense, as an entity directly responsible for personal information protection, does its experience in technology and operation hold lessons for improve legal supervision? Could the successful practices of enterprises in a specific industry or sector become a legal requirement or industry standard applicable to that industry or for all industries? For example, could “invisible waybills” and other measures rolled out by S.F. Express be incorporated someday in the revised National Standards for Express Service? From the perspective of an enterprise’s business growth and brand image, the market is definitely the perfect commander. Those firms with more effective measures to protect personal information will win more customers, and customers by their choice will help drive the industry’s upgrade.
The Interpretations and the Cybersecurity Law both took effect on the 1st of June. China is providing systematic legal protection of personal information. It is important for enterprises to find innovative ways to comply with the requirements for personal information protection. The new “invisible waybills” method is a meaningful attempt.
 See second paragraph of Article 42 of the Cybersecurity Law, second paragraph of Article 29 of the Consumer Protection Law, and Article IV of the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection.
 See Articles IV and V of the Interpretations.