The rapid development of the telecommunications and internet industries in China has brought with it numerous new technologies and applications, as well as increased risks and difficulties in protecting personal information against leakage. The general perception is that telecommunications operators and internet information service providers (collectively, the “Operators”) do not attach sufficient importance to user personal information security, and have not put in place a robust management system or adequate precautionary measures to address personal information security issues.
In an effort to address these issues, the Ministry of Industry and Information Technology (“MIIT”) began working with relevant authorities, industry experts and other industry stakeholders on the task of drafting the Rules for Protection of the Personal Information of Telecommunications and Internet Users (the “Rules”). A draft of the Rules was circulated for public comment on 10 April 2013 with comments due on 15 May 2013, and the Rules were officially promulgated on 16 July 2013 with effect from 1 September 2013.
The Rules were formulated in accordance with the Decision on Strengthening Protection of Network Information issued by the Standing Committee of the National People’s Congress in December 2012 (the “Decision”), the PRC Telecommunications Regulations and the Internet Information Services Administrative Measures. The Rules apply to activities involving the collection and use of personal information in the course of providing telecommunications and internet information services, and are to be implemented by the telecommunications regulatory authority (the “Authority”), composed of MIIT and its local counterparts.
They are intended to make clear the guidelines that Operators must comply with when collecting and using user personal information in the course of providing their services, as well as the information security measures that should be taken by the Operators in order to protect the users’ lawful interests. The Rules also provide clear guidelines with respect to the role of the Authority and the scope of its power over the Operators with respect to any investigation, supervision or monitoring, as well as the issuance of decisions and penalties.
These Rules represent the latest effort made by the PRC government over the years to impose data protection or other privacy-related obligations on Operators. Earlier efforts include criminal liability for illegal sales of personal data, tort liability (under tort law) for failure on the part of internet service providers to mitigate the harm caused by infringement, market regulation of internet information service providers, etc. Set out below is a summary of the relevant issues addressed in the Rules.
Definition of Personal Information
The Rules define a user’s personal information as: any information collected by the Operators in the course of providing services that can singly or in combination with other information be used to identify the user such as the user’s name, date of birth, ID number, address, telephone number, account number and password; and information with respect to the user’s use of the services such as the time and location of use.
Standards for Collection and Use of Information
When collecting and using user personal information in the course of providing services, an Operator must adhere to the principles of lawfulness, appropriateness and necessity, and take responsibility for the safety of the user personal information collected and used.
Each Operator must formulate rules for the collection and use of user personal information and publish those rules at its operational or service premises or on its website. It must also set up a mechanism for handling user complaints, publish contact information for the receipt of user complaints, and respond to complaints within 15 days of receipt.
Operators (and their personnel) are subject to strict confidentiality obligations with respect to the user personal information collected and used in the course of providing services; such information may not be disclosed, tampered with or destroyed, nor sold or provided illegally to another person.
Unless otherwise provided by law, an Operator must not:
- collect or use user personal information without the user’s consent;
- collect user personal information beyond the scope of what is needed to provide the services;
- use the information for purposes outside the scope of the services provided; or
- collect or use the information in a fraudulent, misleading or coercive manner, or in any way that violates any law, administrative regulation or agreement between the parties.
Each Operator must also provide the user with clear information with respect to:
- the purpose, means and scope of collecting and using the user personal information;
- the channels for making enquiries concerning, and amendments to, the information; and
- the consequences of refusing to provide the information.
Once an Operator stops providing services to an individual user, it must stop collecting or using that user’s personal information; Operators must also provide users with number or account cancellation services.
Management of Agents
The Rules make clear that responsibility remains with the entrusting Operator: an Operator continues to be liable for any tasks that it entrusts to its agents. Specifically, Operators that entrust to third-party agents service-oriented tasks requiring direct interaction with users (such as marketing and sales, technical services, etc.) are required, if those tasks involve the collection and use of user personal information, to monitor, supervise and manage the agents’ work in respect of the protection of user personal information. Operators may not entrust such tasks to any third party that cannot comply with the requirements set out in the Rules with respect to the protection of user personal information.
Security Assurance Measures
The Rules stipulate that an Operator is responsible for all aspects of the security of the user personal information that it collects and uses in the course of providing services, including but not limited to job responsibilities, management systems, access rights management, storage media, information systems, operating records and security protection. To prevent user personal information from being disclosed, destroyed, tampered with or lost, each Operator is required to adopt the following measures:
- determine the responsibilities of the various departments, posts and branches in respect of managing the protection of user personal information;
- establish a workflow and security management system for the collection, use and other handling of user personal information;
- implement access rights management for staff and agents, review and inspect batch exporting, copying and destruction of information, and take steps to prevent leakage of information;
- properly keep the paper, optical, magnetic and other media containing user personal information, and take corresponding measures to ensure their safe storage;
- conduct access review for information systems used to store user personal information, and take preventive measures against intrusion and viruses;
- record the personnel, timing, location and items involved in the handling of user personal information;
- carry out communications network security protection work in accordance with the requirements of the Authority; and
- take any other necessary measures as stipulated by the Authority.
Each Operator is also required to:
- adopt remedial measures for any disclosure, destruction or loss that has happened or may happen;
- immediately report to the relevant telecommunications administrative authority any serious consequences that have resulted or may result therefrom; and
- cooperate in any investigations by the relevant authorities.
The Authority shall assess any violation of the Rules that has been reported to it or that it has discovered; in cases having significant impact, the Authority of the relevant province, autonomous region or municipality shall report to MIIT. Before making any decision, the Authority may ask the Operator to suspend the relevant activity, and the Operator must comply with such a request.
Operators are also obligated to:
- provide training to their personnel on the knowledge, techniques and security responsibilities relevant to the protection of user personal information; and
- conduct a self-inspection of user personal information protection at least once a year, keep records of the self-inspection, and eliminate in a timely manner any latent security risks uncovered in the course of such self-inspection.
Industry Supervision and Inspection
The Rules call for the establishment of a system to supervise and monitor the Operators in respect of their protection of user personal information. This responsibility rests with the Authority, which, in fulfilling it, may require Operators to cooperate by providing relevant materials and/or access to their premises for on-site investigation. The Authority may make records in the course of fulfilling its supervisory and monitoring responsibilities, but may neither obstruct the Operators’ normal operations nor receive any fees from the Operators.
The Authority and its personnel are subject to strict confidentiality obligations with respect to the user personal information learned in the course of fulfilling their responsibilities; such information may not be disclosed, tampered with or destroyed, nor sold or provided illegally to another.
When conducting the annual inspection of the Operator’s telecommunications operations permit and operations certificate, the Authority shall examine the circumstances of an Operator with respect to protection of user personal information.
Violations of the Rules may be recorded by the Authority in the social credit file of the relevant Operator(s), and the Authority may also make an announcement to the general public.
The Rules also provide that telecommunications and internet industry organisations should be encouraged to formulate their own self-disciplinary rules and to steer their members towards compliance with those rules and self-discipline in the area of user personal information protection, so as to raise the standard of user personal information protection.
An Operator that violates the Rules may receive a warning and an order to rectify within a set time frame, and may also be fined up to RMB 10,000 for minor offences (for example, failure to formulate or publish rules for the collection and use of user personal information, or failure to provide a mechanism or contact information for handling user complaints, or to respond to complaints in a timely manner). For other, more serious offences, the fine ranges from RMB 10,000 to RMB 30,000, and an announcement will be made to the general public. If warranted by the circumstances, offenders may face criminal liability.
The Rules also provide for penalties to be imposed on personnel of telecommunications administrative organs for dereliction of duty, abuse of power or corruption. Offenders may face criminal liability, if warranted by the circumstances.
There is concern that the potential fines are too low to discourage potential offenders. However, the threat of public censure should have a deterrent effect, and in any case a breach of the Rules would very likely also be a violation of the Decision, which may result in additional penalties including but not limited to confiscation of illegal profits, revocation of operating permits, cancellation of recordals and shutdown of websites.