After issuance of real-name registration rules to users of instant-messaging services in August 2014 (the “2014 Rule”),  the Cyberspace Administration of China (“CAC”), the country’s top cyberspace gatekeeper (and a dual-hatted Party/government organ) established in 2011 by China’s State Council to streamline and strengthen internet regulation, took a substantial step to further realize the government’s goal of real-name registration in cyberspace. On February 4, 2015, CAC issued a new rule to require real-name registration for accounts registered with blogs, micro-blogs, instant-messaging services, online discussion forums, news comment sections and related services (an “Account”). The rule, entitled Administrative Regulation on Internet Users’ Account Name (the “Regulation”) and which comes into effect on March 1, 2015, will require internet service providers (the “ISP”) to ensure real-name registration when users open an Account on their websites and to ensure that the username of an  Account does not involve illegal or unhealthy content. To lower the public’s concerns of personal information leakage arising from the real-name registration, the Regulation requires that the ISP shall keep confidential users’ personal information, but the regulation does not specify which measures shall be taken by the ISP to ensure protection of this sensitive personal information

To implement real-name registration for online activities conducted through an Account, the regulation imposes the following major obligations on the ISP: (1) the ISP shall follow the principle of “mandatory real-name registration at the back-office end, and voluntary real name display at the front-office end” and register an Account after verification of the user’s true identity, which means the user is allowed to select his/her own username and avatar as long as they produce information to verify his/her true identity; (2)  the ISP shall have a sound agreement with the users and be responsible for reviewing and monitoring online names, taglines and headshots of users; (3) where the ISP finds the users used fake identity to obtain an Account or there is illegal use of the names, the ISP shall rectify, suspend or delete the account; (4) where a user registers an Account by using another entity or a celebrity’s name, the ISP shall delete the accounts and shall report the conduct to the cyberspace authority. The rule also imposes obligations on the users requiring the users (1) to enter into an agreement with the ISP containing the relevant undertakings (e.g., to not violate the laws, harm the public interest and social morality, etc.) when registering an Account; and (2) to not use the name in the way of harming national security, leaking state secrets, hurting national honor and interests, instigating racial hatred and discrimination, harming religious policy, disturbing social stability, spreading rumors, obscenities and violence, and defamation.

For violations committed by the ISP and users, the Regulation has no specific enforcement provisions, and only contains vague wording that “the relevant departments will handle according to the relevant laws.” CAC’s lack of adequate enforcement resources could explain the existence of such vague regulation, and CAC will coordinate with different ministries (such as the Ministry of Industry and Information Technology and the Ministry of Public Security) and rely on other ministries’ resources to take enforcement actions.

The Regulation requires the users to disclose to the ISP personal information that can be used to verify the users’ true identity, but it is unclear what kind of information shall be disclosed to the ISP when registering an Account. It is also unclear whether the information of the identity card or passport (“ID”)  is statutorily required. As China has implemented real-name registration for mobile users(i.e., the users need to present ID to obtain a mobile number), some instant-messaging ISPs (such as WeChat owned by Tencent) do not require the users to disclose ID information to open an Account, but instead use the verification code sent to the users mobile number to satisfy the regulatory needs required by CAC in the 2014 Rule. Nonetheless, the collection and use of sensitive personally identifiable information, either ID information or mobile number, will require businesses to have a sounder security system to avoid data breach or leakage.  In addition, the rules in the Regulation are essentially vague but will evolve in practice, the impacted businesses should continue to closely monitor developments to ensure that their practices comply with this rapidly evolving area of law.

Disclaimer: This article is provided by the author for educational and informational purposes only and is not intended and should not be construed as legal advice. This article only reflects the views of the author, and does not reflect the view of the firm the author is with.