In June, we reported on China’s draft Provisions on the Protection of the Personal Information of Telecommunications (the “Personal Information Provisions”), which will regulate the collection and use of personal information by providers of telecommunications, Internet and information services within China. The Personal Information Provisions will come into force on September 1, affecting a wide range of consumer-facing websites, including corporate sites, product information sites, and social media pages.
The Personal Information Provisions follow the same framework as China’s Decision by the Standing Committee of the National People’s Congress on the Strengthening of the Protection of Network Information (“Network Information Protection Decision”), which we reported on this past winter, but provide significantly more detail. They address the collection and use of personal information of individual users (e.g., passwords, names, dates of birth, addresses, and account numbers, as well as metadata about a user’s habits, including the time and location of the use of the services) by providers of telecommunications services and Internet information services within China (“Service Providers”).
The Ministry of Industry and Information Technology (“MIIT”) passed the Personal Information Provisions amidst an intense flurry of regulatory and legislative developments within China in the personal data protection arena. Importantly, while the earlier Network Information Protection Decision contained significant compliance obligations for all enterprises that collect data, the Personal Information Provisions establish obligations only for enterprises characterized as “Service Providers,” a term which nonetheless includes many commercial websites.
Specifically, the Personal Information Provisions require Service Providers to adopt the following security measures to prevent the disclosure, damage, and loss of personal information:
- Limiting the right to access users’ personal information to certain employees only;
- Ensuring safe storage;
- Maintaining records of staff who handle user information;
- Establishing internal policies on data collection and use; and
- Providing staff training on personal information protection.
Service Providers are also required to implement the following rules regarding the collection and use of personal information of users:
- Not collecting or using personal information without the consent of the user;
- Clearly informing users of the purpose for which the information is being collected or used;
- Only collecting/using information necessary to provide the services;
- When collecting/using personal information, not violating any laws or agreements with the user nor using it in a fraudulent, misleading or coercive manner;
- Keeping strictly confidential all personal information collected and used during the course of providing services and not divulging, altering, destroying, or selling such information, or unlawfully providing such information to third parties; and
- Monitoring and regulating the performance of third parties that are engaged to offer marketing, technical, and other agency services to users, which involve the collection and use of personal information.
The Personal Information Provisions provide for fines of up to RMB 10,000 (approximately US $1,633) for failure to formulate or display rules or failure to set up a mechanism for handling user complaints, and fines of between RMB 10,000 and RMB 30,000 (approximately US $1,633 to US $4,901) for all other breaches.
From a compliance perspective, the Personal Information Provisions have important business implications for those who are considered “Service Providers,” including many commercial websites. The method and scope of collection and use must now be specified, and consent from data subjects must now be obtained. These compliance obligations are, in themselves, important changes brought about by the new rules and may require many foreign-invested businesses in China to adjust their current data collection models and practices.