Recent provisions issued by China’s Ministry of Industry and Information Technology underscore the country’s increased emphasis on the protection of telecommunications and internet users’ personal information.

Overview

Recently, some telecommunication business operators (TBOs) and internet information service providers (IISPs) in China have been accused of paying insufficient attention to the protection of their users and of failing to take effective measures to prevent the divulgence of their users’ personal information, including names, addresses and identification card numbers. As a result, customers have reported suffering from unsolicited commercial advertisements and even fraudulent inducements in the form of telephone calls, text messages and e-mails as part of a larger issue that has plagued China’s phone and internet users for years.

TBOs and IISPs are unique concepts in China and these categories cover a broad range of companies. TBOs refer to those who provide (1) basic telecom services, including public network infrastructures, public data transmission and basic voice communications services, or (2) value-added telecom services, including telecom and information services through public network infrastructures. IISPs refer to companies that provide information to online users via the internet, which includes any company that owns and operates a website.  

On 16 July 2013, China’s Ministry of Industry and Information Technology (MIIT) published “Provisions on the Protection of Personal Information of Telecommunications and Internet Users” (the Provisions), which will come into effect on 1 September 2013. The primary purposes of the Provisions are to improve the protection of the personal information of telecommunication and internet users, and to improve the enforcement of the Decision on Strengthening Protection of Online Information, which was adopted by China’s Standing Committee of the National People’s Congress on 28 December 2012.

Key Features

Scope of Protection

According to the Provisions, users’ personal information includes information that is collected over the course of providing services by TBOs and IISPs, and can be used alone or combined with other information to identify a user (Personal Information). For example, Personal Information includes a user’s name, date of birth, identification card number, address, telephone number, account name and password, as well as “meta information” about a user’s habits, including the time and location of the use of the services.  

Collection and Use

The Provisions require TBOs and IISPs to comply with the principles of legitimacy, justification and necessity, as well as to be responsible for the security of Personal Information. Under the Provisions, TBOs and IISPs are required to:

  • Create and publish their policies for the collection and use of Personal Information

  • Obtain users’ consent before collecting and using Personal Information

  • Explicitly state the purpose, methods and scope of the collection and use of Personal Information

  • Limit the scope of collection to only that Personal Information that is necessary to provide services to users

  • Immediately cease the collection and use of Personal Information when users stop using the services and provide supported channels for users to cancel their accounts

  • Not divulge, falsify, damage, sell or illegally supply users’ Personal Information

Duty to Monitor Third-Party Agents

When commissioning agents to conduct sales, technological services or other services directly provided to users involving the collection and use of Personal Information, TBOs and IISPs must supervise and manage the agents’ work to ensure compliance with Personal Information protection.

The Security Guarantee System

The Provisions clearly explain measures that TBOs and IISPs must take to prevent users’ Personal Information from being divulged, damaged, falsified or lost. These measures include responsibilities, management systems, access supervision, storage media standards, information systems, operating records and other similar aspects. The Provisions also stipulate the systems of self-inspection for the protection of Personal Information and training for employees of TBOs and IISPs.

The Supervision and Inspection System

The Provisions require the authorities that regulate the telecommunications industry to carry out supervision and inspection, and the TBOs and IISPs to cooperate with those actions. In addition, the Provisions entitle the authorities to examine the status of protection for users’ Personal Information when issuing a permit and carrying out annual inspections of TBOs. The Provisions also stipulate that authorities must record any violations into the social credit files and make the violations available to the public.

Liabilities

Violations of the Provisions may result in penalties including administrative warnings, fines of up to RMB 30,000 and criminal liabilities. Some commentators believe that the amount of the fines is too low, and that there may not be adequate incentives to encourage compliance by the TBOs and IISPs. However, this level of fines is the maximum amount allowed for a ministry-level regulation such as the Provisions. 

Comments

As China places more emphasis on the protection of personal information, an increasing number of specific laws and regulations will be enacted. It is expected that more high-level laws will be issued to provide wider protection for personal information, not only within the area of telecommunications and the internet, but reaching out to every corner of daily life in China.