Key Points

  • No material change to the finalized regulations after soliciting of public opinion.
  • Effectiveness of regulations on the personal information protection might be limited.

Background

After the process of soliciting public opinions this April, the Ministry of Industry and Information Technology of China (“MIIT”) issued the finalized Rules on the Personal Information Protection of Internet and Telecommunication Users (the “Protection Rules”) and Rules on the True Identity Registration of Telephone Users (the “Registration Rules”) on 16 July 2013, which will be effective as of 1 September 2013.

Comparison Between the Draft and Finalized Rules

Compared with the drafts rules issued in April, there is no material change the finalized version.

  1. According to the Draft Protection Rules, “personal information” refers to the identity information of a user which is collected by the telecommunication business operators and internet service providers (“ISPs”) during the process of providing that service. The data collected includes identity information such as the name of the user, date of birth, ID card number and address as well as information related to the use of the service, such as service account number, time and location of using the service. The finalized Protection Rules specified that telephone number, account number and password are also included in the personal information.
  2. Regarding the information collection, the finalized Protection Rules added a section in Article 9: “after users stop using telecommunication or Internet services, telecommunication service operators and Internet information service providers (ISPs) shall stop collecting and using personal information of users, and deactivate phone numbers or accounts of users.”
  3. Regarding the safety measure, both of the finalized Protections Rules and Registration Rules added an article to provide that telecommunication administrative authorities shall evaluate the impact of reported and discovered behaviors which may violate the Rules; if the impact is severe, the telecommunication administrative authority at the provincial level shall report the issue to the Ministry of Industry and Information Technology of China (“MIIT”). Before the telecommunication administrative authority making any decision according to the Protection Rules, the telecommunication administrative authority may request the relevant business operator to suspend its business.
  4. In the legal liability part of both finalized rules, “behaviors of violators will be announced to the public” is added as another penalty to violators.

Conclusion

In our previous discussion on the draft Rules, we mentioned that there are two main issues for the implementation of the Rules. These issues still remain: (a) the safety measures are not very detailed and (b) the penalty is too light for violators. It seems the legislators were also provided with similar comments, but the revisions on these two points nevertheless remain limited in the finalized Rules.