On April 10, 2013, China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), issued a draft regulation for public comment entitled Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Draft Provisions”). The Draft Provisions would impose additional requirements when telecommunication service providers (“TSPs”) and internet information service providers (“IISPs”) collect and use personal information (“PI”), and would direct these entities to implement a number of compliance measures to protect against disclosure, damage, or loss of PI. The Draft Provisions would also provide MIIT with significant authority to enter premises and request documents for the purpose of assessing the PI protection efforts of any TSP or IISP.
The Draft Provisions are intended to implement the general requirements set forth in the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (“Online Information Decision”), which was promulgated in December 2012. (See our client alert here.) The term “IISPs” includes all companies utilizing a PRC-based website (i.e., a website registered with, or licensed by, MIIT) to collect PI from their customers or site visitors.
Definition of Personal Information Expanded
If enacted as presently drafted, the Draft Provisions would define “user’s personal information” as any information collected during the provision of telecommunication or internet information services “that would identify the user if used alone or with any other information.” While this core definition is identical to that found in the Several Provisions on Regulating the Market Order of Internet Information Services (“Market Order Provisions”), which currently governs IISPs’ collection and use of PI, the Draft Provisions expand on this basic definition by noting that PI:
includes identity information such as surname, birthday, identity card number, address, etc., as well as other recorded information about an individual’s use of [internet] services such as the user’s service numbers, account numbers, time, location, etc.
Notably, the drafters appear to have declined the opportunity to distinguish between “sensitive” and general PI, as was included in a voluntary national standard released earlier this year (see our client alert here).
Government Inspection Rights Strengthened
The determination of what constitutes PI is important as the Draft Provisions include broad inspection rights for government authorities to assess an organization’s efforts to protect PI. These supervisory inspections may include requests for all “related materials” as well as permission to enter the facilities of any TSP or IISP to investigate compliance efforts. Companies are required to cooperate. Failure to permit MIIT inspections may result in a verbal warning, an order to permit inspection or turn over related materials within a given time, or imposition of a fine of between RMB 10,000 and 30,000 (USD 1,615 - 4,850).
Expanded Rules for Collection and Use of PI
The Draft Provisions would also require TSPs or IISPs, when collecting and utilizing a user’s PI, to:
- Post the TSP’s or IISP’s PI collection and use policies at its place of business or online.
- Not collect or use a user’s PI without the user’s consent. (This requirement is also found in the Market Order Provisions.)
- Notify users regarding collection and use of PI, including the purpose, method, and scope of use, retention period, as well as avenues for the user to consult or amend the information, and the consequences if the user fails to provide the required information. (A requirement to notify users of the “method, content, and [scope of] use” is included in the Market Order Provisions.)
- Refrain from utilizing a user’s PI for any purpose outside the scope of services. (This requirement is also found in the Market Order Provisions.)
- Refrain from using deceptive, misleading, or coercive means, or violating PRC law, regulations, or the user contract, to collect and use PI. (This requirement is also found in the Online Information Decision.)
- Maintain “strict confidentiality” of a user’s PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others. (This requirement is also found in the Online Information Decision. The PRC Criminal Law also includes a provision restricting the sale or illegal provision of PI.)
- Provide company contact information so that users may provide feedback, and resolve any complaints lodged by customers within 15 days. (This requirement is also found in the Market Order Provisions.)
New Compliance Obligations for PI Storage and Handling
The Draft Provisions also require TSPs and IISPs to adopt eight specific measures to protect against the disclosure, damage, or loss of users’ PI. These measures primarily call for the implementation of company-wide privacy and security management systems. For example, under the Draft Provisions, companies are required to record such information as the person involved, time, location, and content, whenever an individual handles PI. If enacted in their present form, these requirements may increase the cost of privacy compliance for TSPs and IISPs.