On April 10, 2013, China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), issued a draft regulation for public comment entitled Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Draft Provisions”). The Draft Provisions would impose additional requirements when telecommunication service providers (“TSPs”) and internet information service providers (“IISPs”) collect and use personal information (“PI”), and would direct these entities to implement a number of compliance measures to protect against disclosure, damage, or loss of PI. The Draft Provisions would also provide MIIT with significant authority to enter company premises and request documents for the purpose of assessing the PI protection efforts of any TSP or IISP. MIIT will accept comments on the Draft Provisions before May 15, 2013.
Release of the Draft Provisions follows the December 2012 promulgation of the Decision on Strengthening Online Information Protection (“Online Information Decision”) by the Standing Committee of the National People’s Congress. As discussed in a previous client alert, the Online Information Decision was written broadly and at a high level, suggesting that MIIT would promulgate implementing regulations at a later date. The Draft Provisions appear to be the implementing regulations for the components of the Online Information Decision that relate to the collection, use, and protection of “personal electronic information.”
Definition of Personal Information Expanded
If enacted as presently drafted, the Draft Provisions would define “user’s personal information” as any information collected during the provision of telecommunication or internet information services “that would identify the user if used alone or with any other information.” While this core definition is identical to that found in the Several Provisions on Regulating the Market Order of Internet Information Services (“Market Order Provisions”), which currently governs IISPs’ collection and use of PI, the Draft Provisions expand on this basic definition by noting that PI:
includes identity information such as surname, birthday, identity card number, address, etc., as well as other recorded information about an individual’s use of [internet] services such as the user’s service numbers, account numbers, time, location, etc.
Notably, the drafters appear to have declined the opportunity to distinguish between “sensitive” and general PI, as was included in a voluntary national standard released earlier this year (see our earlier client alert).
Government Inspection Rights Strengthened
The determination of what constitutes PI is important as the Draft Provisions include broad inspection rights for government authorities to assess an organization’s compliance with PI protection requirements. These “supervisory inspections” may include requests for all “related materials” as well as permission to enter the facilities of any TSP or IISP to investigate compliance efforts. While current MIIT regulations permit supervisory inspections of TSPs and require IISPs to report the posting by users of prohibited content to MIIT, MIIT has generally lacked the right to enter IISPs’ premises to investigate.
Under the Draft Provisions, companies are required to cooperate with inspections. Failure to permit MIIT inspections may result in a verbal warning, an order to permit inspection or turn over related materials within a given time, or imposition of a fine of between RMB 10,000 and 30,000 (USD 1,615 - 4,850).
The Draft Provisions do not provide further guidance on what activities may be carried out in furtherance of the supervisory inspection, what level of access should be permitted for government inspectors, or what type of information may be deemed “relevant.”
Expanded Rules for Collection and Use of PI
The Draft Provisions would also require TSPs or IISPs, when collecting and utilizing a user’s PI, to:
- Post the TSP’s or IISP’s PI collection and use policies at its place of business or online.
- Not collect or use a user’s PI without the user’s consent. (This requirement is also found in the Market Order Provisions.)
- Notify users regarding collection and use of PI, including the purpose, method, and scope of use, retention period, as well as avenues for the user to consult or amend the information, and the consequences if the user fails to provide the required information. (A requirement to notify users of the “method, content, and [scope of] use” is included in the Market Order Provisions.)
- Refrain from utilizing a user’s PI for any purpose outside the scope of services. (This requirement is also found in the Market Order Provisions.)
- Refrain from using deceptive, misleading, or coercive means, or violating PRC law, regulations, or the user contract, to collect and use PI. (This requirement is also found in the Online Information Decision.)
- Maintain “strict confidentiality” of users’ PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others. (This requirement is also found in the Online Information Decision. The PRC Criminal Law also includes a provision restricting the sale or illegal provision of PI.)
- Provide company contact information so that users may provide feedback, and resolve any complaints lodged by customers within 15 days. (This requirement is also found in the Market Order Provisions.)
Treatment of Third-Party Data Handlers
To date, PRC data privacy laws and regulations have not addressed circumstances where collected PI is transferred to a third party (for instance, when an online e-commerce website forwards PI to a third-party data handler for the purposes of identity or credit verification). If enacted, the Draft Provisions would provide that in circumstances in which a TSP or IISP entrusts a third party with PI for the purposes of providing services to the user, the TSP or IISP should “supervise and manage” the third party’s utilization of the user’s PI and not entrust PI to any third party that cannot satisfy all required PI protection requirements.
New Compliance Obligations for PI Storage and Handling
The Draft Provisions also require TSPs and IISPs to adopt eight specific measures to protect against the disclosure, damage, or loss of users’ PI. These measures primarily call for the implementation of company-wide privacy and security management systems. For example, under the Draft Provisions, companies are required to record such information as the person involved, time, location, and content, whenever an individual handles PI. If enacted in their present form, these requirements may increase the cost of privacy compliance for TSPs and IISPs.
Companies wishing to comment on the draft regulation have until May 15, 2013, to submit their comments to MIIT.