On April 10, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) enacted two draft rules (“Provisions on the Protection of Personal Information of Telecommunications and Internet Users” and “Provisions on the Registration of Real Identity Information of Telephone Users”) to solicit public comments. The comment period is open until May 15, 2013. Both Drafts include proposals for substantial provisions on the protection of personal information and were enacted according to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (issued by the Standing Committee in December 2012) and some other telecommunications rules.
Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the “Draft Provisions”)
The Draft Provisions apply to telecommunications services and Internet information services carried out within China’s jurisdiction. Already there are some rules in effect to regulate Internet information services with respect to the protection of personal information (for example, the Provisions on Regulating Market Orders of Internet Information Services (“Provisions on Internet Information Services”) issued by the MIIT on December 29, 2011). Once they are officially enacted, however, the Draft Provisions will be the first specific rules regarding the protection of personal information in the context of telecommunications services and they will include additional protection for users’ personal information as compared to earlier rules.
First, the Draft Provisions define “personal information,” as the information collected during the course of performing services which either (1) can independently identify a user, or (2) may be used to identify a user when combined with other information. This definition is substantially similar to the definition under the Provisions on Internet Information Services.
Second, the Draft Provisions set forth a number of requirements that are specific to the collection and use of personal information obtained in the process of providing telecommunications services and Internet information services, which are similar to those under the Provisions on Internet Information Services. For example, under the Draft Provisions, telecommunications service providers and Internet information service providers (“IISPs”) are:
- prohibited from collecting or using personal information without the user’s consent
- required, when collecting or using personal information after having obtained consent, to expressly inform the user of the method, extent and purpose for collecting and using the personal information
- prohibited from collecting information that is not necessary to provide their services, or using personal information for any purpose other than providing those services
- required to implement remedies in the case of any actual or suspected unauthorized disclosure, damage or loss of personal information
- required to report any severe breach incident or potentially severe breach incident immediately to the relevant telecommunications authority, and cooperate in any investigation by the authority
Third, in addition to the requirements above, the Draft Provisions include additional protections for user personal information. For example:
- Telecommunications service providers and IISPs are required to formulate rules on the collection and use of user personal information, and make such rules public.
- When collecting and using personal information, telecommunications service providers and IISPs are required to expressly inform users of (1) how long the personal information will be retained, (2) the means for requesting or correcting information, and (3) the consequences if the user refuses to provide the personal information.
- Telecommunications service providers and IISPs may only entrust third-party service providers who can meet the requirements for protection of user personal information to provide their users with direct services (such as marketing and technical services) and must supervise the third party’s protection of personal information.
- The protection of user personal information will be examined as part of the annual examination of a telecommunication service provider by the relevant oversight agency.
- Violations of the Draft Provisions by telecommunications service providers and IISPs will be recorded and made public.
Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and even criminal liability in certain cases. That said, the Draft Provisions may actually impose lower fines than the Provisions on Internet Information Services.
Provisions on the Registration of Real Identity Information of Telephone Users (“Telephone User Registration Provisions”)
Real name registration is not new in China. It has been applied to both telephone users and Internet users, and has given rise to heated discussions. According to unofficial media reports, the MIIT issued internal rules in 2010 that would have required new mobile phone users to register their real identity information, but it appears that registration work has not yet been completed. The Telephone User Registration Provisions would establish a legal basis for requirements already in place and would be the first regulation to require wireless network interface card users to register real identity information.
Under the Telephone User Registration Provisions, telecommunications service providers are required to retain user identity information while the user is a customer and for two years following termination of the services. Telecommunications service providers and their staff are obligated to keep such personal information confidential – the Telephone User Registration Provisions include specific requirements regarding the protection of such real identity information. Further, once officially enacted, the Provisions on the Protection of Personal Information of Telecommunication and Internet Users also may apply.
These two Draft Rules are generally considered to have been drafted specifically pursuant to Article 6 of the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet, which required that users register their real identity information when applying for access to the Internet, or for use of fixed phones and mobile phones.
Though the Draft Provisions include specific provisions on the protection of telecommunications and Internet users’ personal information, there has been heated debate and doubt in China regarding whether such provisions will be enforced effectively. For example, some are concerned that the Draft Provisions may lead to an increase in illegal disclosures of personal information. Another criticism is that the penalties for violations are widely considered insufficient to deter the violations.
In any case, so long as there is no uniform data protection law in China, one or two ministry-level rules of this nature will not dictate how personal information is collected and used in China. According to Chinese media reports, the MIIT may issue another series of rules after it enacts these two. In short, this is by no means the final chapter of the story. We will continue to observe for further developments, and will post again as they arise.