Jurisdiction - China
Reports and Analysis
China – MIIT Issues Draft Provisions Governing Protection Of Personal Information.

9 May, 2013

 

 

As we reported in a previous article on January 23, 2013 (please click here), the Standing Committee of the National People’s Congress issued a Decision on Reinforcing the Protection of Network Information on December 28, 2012. To implement this Decision, the Ministry of Industry and Information Technology (“MIIT”) published a draft version of the Provisions for Protection of Personal Information of Telecommunications and Internet Users (电信和互联网用户个人信息保护规定(征求意见稿)) (“Personal Information Protection Provisions”) and the Provisions for Registration of Authentic Identity Information of Telephone Subscribers (《电话用户真实身份信息登记规定(征求意见稿)》) (“Telephone Subscriber Registration Provisions”) on its official website on April 10, 2013 for public comment. The deadline for feedback and comments to the MIIT is May 15, 2013. 


PERSONAL INFORMATION PROTECTION PROVISIONS 

 

The Personal Information Protection Provisions apply to the collection and use of personal information, and require telecommunications business operators and internet information service providers to fulfill the obligations set out in the provisions when collecting and using personal information from users. 


Personal Information of Users 


Under the Personal Information Protection Provisions, the “Personal Information of Users” is defined as information collected by telecommunications business operators or internet information service providers in the provision of services, which can individually or in combination with other information distinguish a user. Personal information includes a user’s identification information such as name, date of birth, identification card number and address, as well as information such as login number, account, time and place. Unlike the Guidelines for Personal Information Protection Within Information Systems for Public and Commercial Services (the “Guidelines), implemented on February 1, 2013, which distinguish between “Sensitive Personal Information” and “General Personal Information,” (see prior repor here), the Personal Information Protection Provisions broadly define “Personal Information of Users” to include both sensitive and general (non-sensitive) personal information.

 

Obligations of Telecommunications Business Operators and Internet Information Service Providers


The draft provisions require that the collection and use of users’ information must be on the basis of informed consent. In addition to the purpose, method and scope of data collection, a user must be notified about how long the information will be retained, the means through which users may access and correct their information and the consequences for refusing to provide required information. Furthermore, telecommunications business operators and internet information service providers must keep the information collected strictly confidential and adopt necessary measures to safeguard that information from leaks, damage or loss. Telecommunications business operators or internet information service providers that hire third party agents to collect and process personal information on their behalf must supervise such agents. The draft provisions also require telecommunications business operators and internet information service providers to put in place personal data policies to govern the collection and use of personal information and the resolution of users’ complaints within 15 days of receipt of a complaint. 


Penalties on Violation


Telecommunications business operators and internet information service providers who violate relevant provisions set out in the draft provisions might be warned or fined (fines range from RMB10,000 to 30,000) and/or ordered to correct the information. If such action constitutes a crime, criminal liability will be prosecuted according to the law. 


TELEPHONE SUBSCRIBER REGISTRATION PROVISIONS


The Telephone Subscriber Registration Provisions require telecommunications business operators to ask for, and the telephone subscribers to provide, recognized identification documents when processing network access, agreement execution or service confirmation. Network access refers to the installment, move, and transfer of fixed phones, subscription or transfer of mobile phone numbers or applying for new types of service for fixed or mobile phones. 


Recognized Identification Documents

For an individual subscriber, the following documents shall be provided: 



identification card, temporary identification card, hukou book (for Chinese citizens), passport (for citizens of other countries), Mainland Travel Permit for Hong Kong and Macau Residents or Mainland Travel Permit for Taiwan Residents, etc.; for an entity subscriber, the following documents shall be provided: business license or organization code certificate, etc. An entrustment letter must also be submitted when using a third party to handle relevant procedures.


Consequences and Penalties


Telecommunications business operators may not provide network access service to subscribers who refuse to provide or provide false or counterfeit identification documents. Telecommunications business operators or subscribers who violate relevant provisions set out in the draft provisions might be warned, fined and/or ordered to correct the information. If such action constitutes a crime, criminal liability will be prosecuted according the law.

 

 

For further information, please contact:
 
Paul McKenzie, Partner, Morrison Foerster
pmckenzie@mofo.com
 
Gabriel Bloch, Morrison Foerster
gbloch@mofo.com
 
  

Comments are closed.