On April 10, 2013, the Ministry of Industry and Information Technology (MIIT) issued the draft Rules for Protection of the Personal Information of Telecommunications and Internet Users (the “Draft Rules”) for public comment. Comments should be submitted before May 15, 2013.
The Draft Rules are formulated in accordance with the “Decision on Strengthening Protection of Network Information” (the “Decision”) issued by the Standing Committee of the National People’s Congress in December 2012, along with the PRC Telecommunications Regulations and the Internet Information Services Administrative Measures. The Draft Rules are intended to apply to activities involving the collection of personal data in the course of providing telecommunications and Internet information services.
Definition of Personal Information
A user’s personal information in the context of the Draft Rules refers to any information collected by telecommunications operators and Internet information service providers (collectively, the “Operators”) in the course of providing services that can, singly or in combination with other information, be used to identify the user. This includes:
- Identification information, such as the user’s name, date of birth, ID number and address; and
- Login information collected during the user’s use of the services, including the user’s number, account number, time and location.
Standards for Collection and Use of Information
The Draft Rules obligate an Operator to adhere to the principles of lawfulness, appropriateness and necessity when collecting and using user personal information in the course of providing services. The Operator is obligated to:
- collect or use user personal information only with the user’s consent
- formulate and publish rules for collection and use of user personal information
- inform the user clearly of the following:
  - the purpose, means and scope of collecting and using the user personal information;
  - the retention period for the information;
  - the channels for inquiring about and amending the information; and
  - the consequences of refusing to provide the information.
- set up a mechanism for handling user complaints, publish contact information for receipt of user complaints and respond to complaints within 15 days of receipt.
The Operator is not permitted to collect user personal information beyond the scope of what is needed to provide the services; use user personal information for purposes outside the scope of the services provided; or collect or use user personal information by means of fraud, misrepresentation or coercion or in any manner that violates the law, administrative regulations or an agreement between the parties.
The Operators and their personnel are subject to strict confidentiality obligations with respect to the user personal information collected and used in the course of providing services. Such information may not be disclosed, tampered with or destroyed, nor may it be sold or provided illegally to another person.
An Operator is not permitted to entrust service-oriented tasks requiring direct interaction with users involving the collection and use of user personal information to any third party that cannot handle the protection of user personal information in relation thereto. The Operator is also expected to take responsibility for monitoring, supervising and managing the work of the agent with respect to the protection of user personal information.
Security Assurance Measures
The Draft Rules stipulate that an Operator is responsible for the security of user personal information that it collects and uses in the course of providing services. Specifically, the Operator is required to adopt measures to prevent user personal information from being disclosed, destroyed or lost; adopt remedial measures for any disclosure, destruction or loss that has happened or may happen; immediately report to the relevant telecommunications administrative authority any serious consequences that have resulted or may result therefrom; and cooperate in any investigations by the relevant authorities.
The Operators are also obligated to provide training to their personnel on knowledge, techniques and security responsibilities relevant to the protection of user personal information, to conduct periodic self-inspections and keep records of their circumstances relating to user personal information protection, and to eliminate in a timely manner any information security issues uncovered in the course of such self-inspections.
Penalties for Non-Compliance
The Draft Rules call for the issuance of warnings and orders to rectify within a certain time frame, along with the imposition of fines, which range from up to RMB10,000 for minor offenses to between RMB10,000 and RMB30,000 for more serious offenses. If warranted, offenders may face criminal liability. Although the potential fines are relatively low, note that any breach of the Draft Rules would very likely be a breach of the Decision, which provides for other penalties including but not limited to confiscation of illegal profits, revocation of operation permits, cancellation of recordals and shutdown of websites.
Conclusion and Recommendations
Although the Draft Rules in their present form appear to be directed at telecommunications operators and Internet information service providers, we believe they are intended to provide implementation guidance for the Decision, which makes reference not only to network service providers, but also to other enterprises that collect and use personal information as part of their business activities. As such, we cannot rule out the possibility that the scope of application of the Draft Rules will be broadened to incorporate other companies that collect and use personal information in the course of business. We would therefore advise companies that need to collect and/or use personal data in their business activities in China to review the Draft Rules carefully and consider taking this opportunity to provide comments and suggest changes to MIIT. Please let us know if we can be of any assistance in this regard.