The widespread use of the Internet has given people access to information on a level never experienced before, while also resulting in growing attention and concerns over information security issues. In order to protect personal information that may be used or disclosed inappropriately via the Internet by other individuals or entities, particularly Internet service providers, the 30th session of the Standing Committee of the 11th National People’s Congress released the decisions regarding Strengthening the Protection of Internet Information (the Decisions) on December 28th, 2012, which became effective the same day. Several months later, the Ministry of Industry and Information released the Telecommunications and Internet User Individual Information Protection Regulations (Draft for Comments) (the Draft Regulations) and Provisions on the Registration of True Identity Information of Phone Users (Draft for Comments) (the Draft Provisions) on April 10th, 2013. Though the Draft Regulations and the Draft Provisions have not become effective for the time being, there are still some highlights that are worth noting.
1. General Principle and Definition
Under the Decisions, it is explicitly stipulated that the government will protect personal electronic information (the Information) that identifies a citizen or that concerns their privacy, and any entities or individuals are prohibited from using illegal methods to obtain citizens’ information, or sell or disclose the above to any others. A definition of the Information is lacking in the Decisions. The Draft Regulations appear to provide some guidance, however. They provide that "personal information" means information telecommunication business operators and internet service providers collect that independently, or in combination with other information, distinguish the user. This includes such things as the user's name, date of birth, identity card number, address, and other identifying information, as well as the user's codes, account numbers, times, locations and other stored information in connection with their service use.
2. Obligations and Roles
The Decisions require Internet service providers, other entities and their working staff to:
- Obtain consent when they collect or use the Information;
- Collect or use the Information limited to necessary purposes and by fair and lawful means;
- Specify the purpose, method and scope of collection and use of the Information;
- Comply with laws, regulations and agreements with concerned citizens;
- Publicize its policies on collection and use of the Information;
- Keep strictly confidential the Information that they have collected during the operations and not disclose, alter, destroy, sell or provide such Information via other illegal methods to others; and
- Adopt technical and other necessary measures to ensure security of the Information and make remedies in a timely manner in case that disclosure, destroy or lose of the Information has occurred or may occur.
The above requirements are also specified in the Draft Regulations, under which the telecommunications business operators and Internet information service providers are subject to the same rules when collecting or using personal information. In addition, more detailed measurement shall be adopted, such as information review, safe storage, risk evaluation, etc.
According to the Decisions, Internet service providers shall strengthen the administration of the Information publicized by Internet users on the Internet, shall stop transmitting and delete any information prohibited by laws or regulations, and shall retain relevant records and report to competent authorities.
Moreover, during the process of providing network access services or information publication services, the Internet service providers shall request the users to provide their true identity information when signing service agreements or confirming provision of services with such users.
The true identity registration requirements are further clarified in the Draft Provisions. Once taking effect, phone users, including individuals and entities, shall provide true and effective identity certificates to telecommunication business operators when going through network access formalities.
4. Citizens’ Rights
The Decisions address the commercial use of electronic information. The information may not be delivered to any fixed phones, mobile phones or personal mailboxes, without first receiving the receiver's consent. In order to secure personal privacy, if citizens discover any infringement of their legitimate rights with respect to the Information, including disclosure of personal identity information or spreading of their personal information, they are entitled to require Internet service providers to delete related information or take other necessary actions to stop such encroachments, as well as bring lawsuits to the people’s court.
As the first national regulation specialized in personal information protection, the effective Decisions and may‐take‐effect Draft Regulations and Draft Provisions mark a great step by Chinese authorities to promote personal information security, and may form the foundation of a more comprehensive and legally binding data privacy legislation in the future.