On December 29, 2011, the Ministry of Industry and Information Technology ("MIIT") promulgated the "Certain Provisions on the Regulation of the Market for Internet Information Services" (the "Provisions"), which will come into effect on March 15, 2012.
Under the Provisions, Internet information service providers ("Providers") are prohibited from engaging in unfair competition activities such as maliciously interfering with the provision of the services provided by other Providers; changing its products or services with a malicious intent resulting in incompatibility with services or related products provided by other Providers; and deceiving, misleading or forcing users to use or stop using services or products of other Providers.
Providers are also prohibited from infringing on users' rights in certain ways, such as delaying, terminating or refusing to provide services to users without valid reason and restricting the users to use or not use designated services or products without valid reason; and failing to expressly warn users if their services or products are not compatible with those of other Providers’.
With respect to users' personal data, the Provisions stipulate that Providers must not, without users' consent, collect information relevant to the users that can be used alone or in combination with other information to identify the user's identity ("User Personal Information"). Neither could Providers provide User Personal Information to other third parties without users' prior consent. Providers may only collect User Personal Information necessary for the service and must expressly inform the users of the method, content and purpose of the collection and processing of such User Personal Information, and only use the User Personal Information for the stated purposes.
The Provisions represent China's first set of regulations to explicitly address the issues relating to competition among Providers and protection of personal information on a nationwide basis. They compare favorably in terms of data privacy protection with similar regulations issued in other jurisdictions. However, the Provisions do not provide additional data privacy protection to users against the government – Providers are still required under law to hand over information of a user which may reveal his/her identity, if and when government agencies make such demands.
Further, the Provisions use many technical terms which are not specifically defined. Terms such as "users", "method to uninstall" and "incompatibility" are not defined and are open to debate. Thus, it remains to be seen if MIIT will promulgate a more precise interpretation of the Provisions to enhance the enforceability of these regulations