The Standing Committee of the National People’s Congress (NPC) of the People’s Republic of China adopted a Decision Relating to Strengthening the Protection of Information on the Internet (the Decision) on December 28, 2012. The text is brief and general, covers only electronic personal information, and took effect immediately.

Since the rapid development of e-commerce and other online activities in China during recent years, the protection of personal information is a widely discussed topic and examples of breaches of confidential personal data are numerous. The Decision appears to be a double-edged sword that provides a clear legal framework to protect personal digital information but also increases the opportunity for the government to control the activities of Chinese netizens.

Among the many interesting points raised by the Decision, it is important to note that it was adopted by the Standing Committee of the NPC. The Standing Committee is empowered to pass laws that are national in scope that sit just below “basic laws” (basic laws have nationwide application and relate to tantamount aspects pertaining to the State and/or Chinese society). Being adopted by a top PRC institution gives much credibility to the Decision.

Addressing recent concerns shown by the Chinese society about more privacy, the Decision provides a broad definition for online “personal information”. It encompasses electronic information that can determine the identity of an individual and touches upon such individual private affairs.

Most of the burden is transferred to Internet Service Providers (ISPs) - The Decision also sets forth a series of obligations ISPs must follow in the course of collecting, using and keeping personal information. ISPs are required to obtain the consent of their users for collecting and using their personal information. Rules for personal information collection and use must be publicly disclosed to users. ISPs have an obligation to safeguard personal information and keep it strictly confidential. Any divulgation, alteration, destruction or sale of personal information is clearly made illegal.

However in a move that has been widely criticized by human rights groups – and thus generalizing measures implemented for about one year by leading micro-blogging services, including Tencent Weibo and Sina Weibo - users are now required to provide their real names when registering with ISPs or subscribing to their services.

The Internet Resolution also prohibits any organization or individual from sending business information (e.g. advertisements) via email or text message without the consent or request of a receiver, or expressly rejected by such receiver.

The Decision is built on previous legal texts dealing with data privacy, but is widely seen by industry experts and insiders as a significant and far-reaching turning point because it was passed by PRC’s top legislature and will be effective nationwide. Major ISPs (sohu.com and tencent.com) have shown their support and determination to fully comply with the Decision’s provisions. Despite a few uncertainties the Decision may very well prove to be a landmark text in the construction of a fully fledged data privacy legal regime in China.

Questions remain about how the Decision will be implemented. For example, the Decision does not specify which governmental department or agency will supervise or enforce the Decision. Moreover, even if the Decision specifies that violators may be given a warning, fined, have their illegal income confiscated, face cancellation of permits or other business privileges, or have their websites shut down, it does not provide specific fines or jail terms for criminal violations, or contain civil fine details.