Jurisdiction - China
Reports and Analysis
China – New Developments In Legislation On Personal Electronic Information Protection (II).

26 April, 2013

 

 

MIIT Seeks Public Opinions on the Protection of Personal Information of Telecommunications Users and Internet Users as well as Registration of Telephone Users’ Real Identities

 

On April 10, 2013, the PRC Ministry of Industry and Information Technology ( “MIIT”) published the Provisions on the Protection of Personal Information of Telecommunications Users and Internet Users (Exposure Draft) (《电信和互联网用户个人信息保护规定(征求意见稿)》) (the “Provisions on Information Protection”) and the Provisions on the Registration of the Real Identities of Telephone Users (Exposure Draft) (《电话用户真实身份信息登记规定(征求意见稿)》) (the “Provisions on Telephone Identities”) for public comments.  The publication of the two exposure drafts, which follows the promulgation of the Resolution in Relation to Strengthening the Protection of Information on the Internet (《关于加强网络信息保护的决定》) (the “Resolution”) by the Standing Committee of the National People’s Congress on December 28, 2012 and the Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (《信息安全技术公共及商用服务信息系统个人信息保护指南(GB/Z 28828-2012)》) ( the “Guidelines”) on November 5, 2012, represents further development in the current legislative framework for personal information protection.

 

The Provisions on Information Protection and the Provisions on Telephone Identities set forth implementation measures for the various general principles provided in the Resolution.  Both Provisions will be classed as legally binding regulations upon their official promulgation in the future.

 

  1. Provisions on Information Protection
     
  1. Scope of Protection
     

A “user’s personal information” is specifically defined in the Provisions on Information Protection as the “information collected by telecommunication business operators and internet content providers during the course of service provision, which information can, either independently or when combined with other information, enable the identification of such user”.  Such personal information includes the user’s name, date of birth, ID number, address and other identity information as well as the number, user ID, time, address and other log information in relation to the user’s use of services.  The aforesaid definition clearly covers all the key words in the definitions of personal electronic information under the Resolution (i.e., “in the course of business”, “electronic information that enables the identification of an individual and electronic information that involves individual privacy”) and the Guidelines (e.g., “enable the identification of such individual either independently or when combined with other information”).

 

The scope of protection under the Resolution is limited to “personal electronic information”, while the scope of a “user’s personal information” under the Provisions on Information Protection seems broader because it does not make specific reference to the electronic information.  Nonetheless, we note that the Provisions on Information Protection quote the Regulations on Telecommunications (《电信条例》) and the Administrative Measures on Internet Information Services (《互联网信息服务管理办法》), both of which are higher-level regulations promulgated by the State Council in relation to, among others, the management of electronic information.  Further, given that the personal information of telecommunication users and internet users cannot be collected, used, saved or transmitted until such information is computerized, the seemingly broad scope of a “user’s personal information” under the Provisions on Information Protection is arguably limited to the electronic information.

 

  1. Application

       

The Provisions on Information Protection apply to “telecommunication business operators and internet content providers as well as the staff of such entities” (“Telecom Service Providers”).  In this sense, the application of the Provisions on Information Protection is in line with that of the Resolution, which applies to “network service providers, other enterprises, public institutions and their staff”.

 

  1. Collection, Use and Security of Information

      

The Provisions on Information Protection set forth detailed requirements in relation to the collection and use of personal information on the basis of the general principles provided in the Resolution, and to some extent borrows and develops the principles and specific requirements under the Guidelines regarding the processing of personal information.  For example, the Telecom Service Providers are required under the Provisions on Information Protection:

 

  • to formulate and publish their rules on the collection and use of personal information; not to collect or use any personal information without consent from the user; to inform the user of the purpose, method and scope of the collection and use of personal information, the storage period, the manner in which the user may enquire about or correct the information, and the consequences of refusing to provide information;
  • to supervise and control the agent’s activities when engaging an agent to directly provide services to the users and to collect and use the users’ personal information; not to authorize any agent which fails to meet the requirements for personal information protection to provide any related service;
  • to establish a mechanism to accept and deal with the users’ complaints; to publish effective contact information, accept any complaint in relation to the protection of users’ personal information and reply to the complainant within 15 days from the receipt of such complaint; and
  • to take measures to prevent any disclosure, damage or loss of any user’s personal information, such as “setting different permissions for different staff to access the information, reviewing the export, copying and destroying of information in batches and so on”.
     
  1. Legal Liability

     

The Provisions on Information Protection specifically authorize the telecommunication authorities to exercise their supervisory powers in relation to the protection of personal information.  In accordance with the Provisions on Information Protection, the telecommunication authorities can require the Telecom Service Providers to submit related materials and access their premises to conduct inspections.  Such authorities can also examine the protection of users’ personal information by the Telecom Service Providers during the annual inspection of their relevant permits, note any violation on the records of the provider in question and make such notes public.

 

Only three kinds of penalties, i.e., making corrections within a time limit, warnings and monetary penalties of no more than RMB 30,000, have been listed in the current exposure draft.  It appears that the penalties provided in the exposure draft are not sufficiently severe for possible cases where serious violations occur e.g., where the user IDs of millions of users are released.  In addition, pursuant to the PRC Administrative Penalty Law (《行政处罚法》), the Provisions on Information Protection are in the position but fail to detail the application and implementation of the administrative penalties provided in the Resolution (including, warnings, monetary penalties, confiscation of illegitimate gains obtained from such violation, revocation of permits or cancellation of registrations, suspension of websites, and prohibiting the responsible person from engaging in internet service provision).  Given the specific descriptions, thresholds and seriousness of violations that may give rise to harsh penalties such as the “revocation of permits” or the “suspension of websites” are not provided for in this exposure draft, Telecom Service Providers may raise concerns about the discretion that the related governmental authorities may have.

 

  1. Provisions on Telephone Identities

     

There is already system in place for identifying users when landline telephones are registered.  Since September 1, 2010, registration with real identities has also been required for mobile phone services, although the implementation has been patchy.  The Provisions on Telephone Identities have now added wireless internet cards to landline/mobile phones as items the registration of which will require disclosure of the real identities of the users.  Further, in accordance with the Circular regarding the Implementation of Task Assignment under the Plan of Institution Reform and Function Transform of the State Council (《国务院办公厅关于实施<国务院机构改革和职能转变方案>任务分工的通知》), newly promulgated by the General Office of the State Council, the system for registration of real identities for information networks, as one of the missions of the government, is expected to be completed before the end of June, 2014.

 

The abovementioned measures will undoubtedly help Telecom Service Providers and the relevant governmental authorities track the identities of users who “unlawfully” use or abuse telecom services.  However, on the other hand, the users, who are required to provide real individual identities, are bound to raise concerns regarding the security of their private information provided pursuant to the mandates.  By seeking opinions on the Provisions on Telephone Identities together with the Provisions on Information Protection, it appears that the relevant governmental authorities have been fully aware of this necessity to balance.

 

In response to the demand for information security, nearly half of the Provisions on Telephone Identities focuses on the protection of private information of users.  At the stage of information collection, each Telecom Service Provider is required to make a copy of the proof of identity of the user and to note on the copy the name of the Telecom Service Provider, the purpose of making such copy and the date on which the copy was made. This is the application of the principle of “public notification” as set forth in the Resolution, Guidelines, and Provisions on Information Protection.  At the stage of information processing, the Provisions on Telephone Identities take pains to emphasize the requirements in the Resolution, Guidelines, and Provisions on Information Protection.  For instance, the Telecom Service Providers should establish a security management mechanism; their staff should keep secret information in relation to the real identities of the users obtained in the course of service provision and may not disclose, change or destroy such information, or sell or illegally provide such information to any third party, or use such information beyond its original purpose; the Telecom Service Providers should promptly remedy, report to the telecommunication authorities and cooperate with any inspection of any disclosure, damage or loss of personal information; the Telecom Service Providers should also supervise the activities of the agent providing internet access services for the telephone and may not engage any agent which fails to meet the requirements for registration and maintaining the security of information relating to real identities of users.

 

  1. Overview

     

The exposure drafts of both the Provisions on Information Protection and the Provisions on Telephone Identities basically reflect the general principles under the Resolution and involve many of the technical details provided in the Guidelines.  The issuance of such exposure drafts increases the pressure on the Telecom Service Providers to upgrade relevant technology, optimize service processes and enhance internal controls.  In addition, considering that the application of requirements for the registration of real identities covers not only the telephone and access to the internet but also the provision of all contents on the internet, it is foreseeable that the protection of personal electronic information will draw much more public attention in the future.

 

The deadline for submission of comments on the exposure drafts is May 15, 2013. We welcome any questions, concerns, comments and suggestions from our clients, and would be more than happy to compile and submit all such opinions to MIIT.

 

Jun He 5

 

For further information, please contact:

 

Feng Rui, Partner, Jun He
fengr@junhe.com

 

Zhuo Hui, Jun He
zhuoh@junhe.com

 

Min Nana, Jun He
minnn@junhe.com

 

 
  
  

Comments are closed.