McDermott Will & Emery has a strategic alliance with MWE China Law Offices, a separate law firm based in Shanghai. This China Law Alert was authored by MWE China Law Offices lawyers Samon Sun and Jared Nelson.
Recent provisions issued by China’s Ministry of Industry and Information Technology underscore the country’s increased emphasis on the protection of telecommunications and internet users’ personal information.
Recently, some telecommunication business operators (TBOs) and internet information service providers (IISPs) in China have been accused of not paying a sufficient amount of attention to the protection of their users and not taking effective measures to prevent the divulgence of their users’ personal information, including names, addresses and identification card numbers. As a result, customers have reported suffering from unsolicited commercial advertisements and even fraudulent inducements in the form of telephone calls, text messages and e-mails as part of a larger issue that has plagued China’s phone and internet users for years.
TBOs and IISPs are unique concepts in China and these categories cover a broad range of companies. TBOs refer to those who provide (1) basic telecom services, including public network infrastructures, public data transmission and basic voice communications services, or (2) value-added telecom services, including telecom and information services through public network infrastructures. IISPs refer to companies that provide information to online users via the internet, which includes any company that owns and operates a website.
On 16 July 2013, China’s Ministry of Industry and Information Technology ( MIIT) published “Provisions on the Protection of Personal Information of Telecommunications and Internet Users” (the Provisions), which will come into effect on 1 September 2013. The primary purposes of the Provisions are to improve the protection of the personal information of telecommunication and internet users, and to improve the enforcement of the Decision on Strengthening Protection of Online Information, which was adopted by China’s Standing Committee of the National People’s Congress on 28 December 2012.
Scope of Protection
According to the Provisions, users’ personal information includes information that is collected over the course of providing services by TBOs and IISPs, and can be used alone or combined with other information to identify a user (Personal Information). For example, Personal Information includes a user’s name, date of birth, identification card number, address, telephone number, account name and password, as well as “meta information” about a user’s habits, including the time and location of the use of the services.
Collection and Use
The Provisions require TBOs and IISPs to comply with the principles of legitimacy, justification and necessity, as well as to be responsible for the security of Personal Information. Under the Provisions, TBOs and IISPs are required to:
Create and publish their policies for the collection and use of Personal Information
Obtain users’ consent before collecting and using Personal Information
Explicitly state the purpose for the collection, use, methods and scope of the Personal Information
Limit the scope of collection to only that Personal Information that is necessary to provide services to users
Immediately cease the collection and use of Personal Information when users stop using the services and provide supported channels for users to cancel their accounts
Not divulge, falsify, damage, sell or illegally supply users’ Personal Information
Duty to Monitor Third-Party Agents
When commissioning agents to conduct sales, technological services or other services directly provided to users involving the collection and use of Personal Information, TBOs and IISPs must supervise and manage the agents’ work to ensure compliance with Personal Information protection.
The Security Guarantee System
The Provisions clearly explain measures that TBOs and IISPs must take to prevent users’ Personal Information from being divulged, damaged, falsified or lost. These measures include responsibilities, management systems, access supervision, storage media standards, information systems, operating records and other similar aspects. The Provisions also stipulate the systems of self-inspection for the protection of personal information and training for employees of TBOs and IISPs.
The Supervision and Inspection System
The Provisions require the authorities that regulate the telecommunications industry to carry out supervision and inspection, and the TBOs and IISPs to cooperate with those actions. In addition, the Provisions entitle the authorities to examine the status of protection for users’ personal information when issuing a permit and carrying out annual inspection of TBOs. The Provisions also stipulate that authorities must record any violations into the social credit files and make the violations available to the public.
Violations of the Provisions may result in penalties including administrative warnings, fines of up to RMB 30,000 and criminal liabilities. Some commentators believe that the amount of the fines is too low, and that there may not be adequate incentives to encourage compliance by the TBOs and IISPs. However, this level of fines is the maximum amount allowed for a ministry-level regulation such as the Provisions.
As China places more emphasis on the protection of personal information, an increasing amount of specific laws and regulations will be enacted. It is expected that more high-level laws will be issued to provide wider protection for personal information, not only within the area of telecommunications and the internet, but reaching out to every corner of daily life in China.