- The collection and use of the personal information of the users must be agreed by the users.
- Service providers must expressed inform the users the purpose, manner and scope of collecting and using personal information.
- The service providers must take active measures to safeguard the personal information of the users.
- Telephone and mobile users are required to provide true and valid identity information for the registration.
Legislation on personal information protection has been a widely discussed topic for years in China. Despite this, there is still an absence of any comprehensive law at the national level aimed at protecting personal information. Given the fact that violation of personal information is becoming increasingly serious, the relevant authorities have issued a series of administrative regulations and standards in the past couple of years and have also drafted several laws and regulations which are in currently in the process of discussion and receiving public comment.
Of these regulations, one of the most important documents is the Decision on Strengthening Information Protection on Networks (the “Decision”), issued by the Standing Committee of the National People’s Congress on 28 December 2012, which specifies the principles on the protection of electronic information by which individual citizens can be identified as well as the individual privacy of citizens. To implement the Decision, the Ministry of Industry and Information Technology of China (“MIIT”) issued two drafts rules for public opinions on 10 April 2013: (a) Rules on the Personal Information Protection of Internet and Telecommunication Users (the “Draft Protection Rules”) and (b) Rules on the True Identity Registration of Telephone Users (the “Draft Registration Rules”).
Highlights of the MIIT Draft Rules
The Draft Protection Rules
According to the Draft Protection Rules, “personal information” refers to the identity information of a user which is collected by the telecommunication business operators and internet service providers (“ISPs”) during the process of servicer providing. This data collected includes identity information such as the name of the user, date of birth, ID card number, address as well as information related to the use of the service, such as service account number, time and location of using the service. The Draft Protection Rules stipulate that, without the consent of users, the telecommunication service operators and Internet information service providers shall not collect or use the personal information of users. Unlike the Guideline on Protection of Personal Information in Information Security Technology – Public and Commercial Services Information Systems (the “Guideline”) issued at the end of 2012, personal information is not classified as general information and sensitive information, and the consent of users is not defined as tacit consent nor expressed consent.
The coverage of personal information in the Guideline is broader than that in the Draft Protection Rule. The former covers sensitive information such as ID card numbers, mobile phone numbers, race, political opinions, religion, gene, finger prints and so on, and the general information which refers to any personal information other than the sensitive information.
Further, as the Decision has specified, ISPs must expressly inform the users of the purpose, manner and scope of collecting and using personal information, the terms for keeping the information, the approach regarding enquiries and updating of information, and consequences of not providing the information. ISPs must take active measures to prevent the reveal, destroy or loss of personal information. Further, their staff members are also obliged to keep the personal information of users secret and must not divulge, distort, destroy, sell or illegally provide others with such information. Anyone violating the Rules will be subject to penalties such as the mandatory modification within a limited time, warning and a fine in an amount less than RMB30,000. If the violation constitutes a crime, the violator will also be subject to criminal penalties under PRC Criminal Law. Collectively, however, these penalties are much less severe than those provided in the Decision.
The Draft Registration Rules
In the Draft Registration Rules, telephone and mobile users are required to provide true and valid identity information for registration. Such requirement is applicable to the user who wants to fix a landline telephone, relocate the telephone, transfer the telephone, open an account for a mobile phone, transfer such account, and apply for additional service items for the landline telephone or mobile phone. For existing users, they are also required to provide the identity information upon the request of the telecommunication business operators to confirm the need of serviced provided.
Although the Draft Registration Rules also provide that the telecommunication business operators and their staff members are obliged to keep the users’ identity information confidential, not to sell or illegally provide such information to any third party, and not use such information for any purpose other than the services ordered by the users.
However, the Draft Registration Rules lack detailed provisions on the protection of the personal information and, as with the Draft Protection Rules, the penalties to the violators are very light. Given the cost of the violation is so low, it is will need to be monitored to see how such rules will be effectively enforced.
Given that the above two rules are drafted for the implementation of the Decision, they do not have any creative provision on personal information protection, and it is hoped that the finalized Rules will include more detailed and practicable provisions on personal information protection. From a long term perspective, we are still expecting a comprehensive law at the national level which covers personal information protection in more depth.