(“PROVISIONS”) (电信和互联网用户个人信息保护规定), ISSUED BY THE MINISTRY OF INDUSTRY AND INFORMATION TECHNOLOGY

The Provisions are enacted to follow the Decision on Strengthening the Protection of Online Information ("Decision"), to establish a comprehensive data protection legal environment in China.

The Provisions clarify that telecommunication service providers ("TSPs") and internet service providers ("ISPs") are subject to the requirements the Provisions establish.

The Provisions define "user personal data" as "information that can individually or together with other information identify the user," including names, birth dates, ID numbers, addresses, and any information relating to the service, such as user’s account, and time and place the service is provided.

The Provisions slightly change the principles the TSPs and ISPs must follow in comparison with the Draft Rules for the Protection of Personal Information of Telecommunication and Internet Users ("Draft"), referred to in our Newsletter of April 2013:

  • TSPs and ISPs must formulate rules for collecting and using personal information, and publish them at their business premises or on their websites.
  • TSPs and ISPs must not collect or use users’ personal information without their consent or without clearly notifying them of the purpose and scope of the information, how it is collected, for how long they will keep it, how users can access or correct it, and the consequence of refusing to provide it.
  • TSPs and ISPs are not allowed to collect users’ personal information that is not necessary for the services provided.
  • TSPs and ISPs are not allowed to collect users’ personal information in any way that is fraudulent or misleading, or that violates the applicable laws, regulations and the agreements between the service provider and the user.
  • TSPs and ISPs must keep users’ personal information confidential while providing the services, and must not distort, damage, sell or illegally disclose this information.
  • TSPs and ISPs must not collect or use users’ personal information after the telecommunications or internet service is terminated.
  • TSPs and ISPs must adopt comprehensive policies to safeguard users’ personal information.

The Provisions keep the same penalties as the Draft for non-compliance. TSPs and ISPs that violate Draft provisions may be given warnings or fines of between RMB 10,000 and RMB 30,000, and ordered to rectify the violation. If the violation is a crime, the TSP or ISP will be prosecuted for criminal liability.

Date of issue: July 16, 2013. Effective date: September 1, 2013.