Jurisdiction - China
Reports and Analysis
China – New Developments In Legislation On Personal Electronic Information Protection (III).

29 April, 2013

 

 

Legal Study on Personal Information Protection (III)


Promulgation of Three Implementation Circulars on Personal Information Protection in relation to Mobile Networks


The Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services (《信息安全技术 公共及商用 服务信息系统个人信息保护指南》) (the “Guidelines”) and the Resolution in Relation to Strengthening the Protection of Information on the Internet (《关于加强网络信息保护的决定》) (the “Resolution”) were promulgated at the end of 2012. On April 10, 2013, the PRC Ministry of Industry and Information Technology (the “MIIT”) published the exposure drafts of the Provisions on the Protection of Personal Information of Telecommunications Users and Internet Users (《电信和互联网 用户个人信息保护规定》) and the Provisions on the Registration of the Real Identities of Telephone Users (《电话用 户真实身份信息登记规定》) (collectively, the “Two Exposure Drafts”). Apart from the above, with respect to mobile networks, MIIT issued the following three notices and opinions focusing on personal information protection.


Opinions on Further Regulating the Business Activities of Basic Telecommunications Operators in Campus Telecommunications (《关于进一步规范基础电信运 营企业校园电信业务市场经营行为的意见》) (the “Opinions”)


The Opinions were promulgated by MIIT on April 3, 2013, and took effect on the same day. The Opinions only apply to basic telecommunications operators in China, i.e., China Telecom Corporation Limited, China Mobile Limited and China Unicom Limited. In accordance with the Opinions, the aforesaid operators may not illegally obtain the personal information (e.g., the name, gender, age, home address and telephone number) of any student, teacher or parent of such student (each a “Campus User”) in the course of their telecommunications business on campus. In addition, such operators may not send, or send by cooperating with any other entity, any subscriber identity modules (i.e., SIM cards) or business promotional materials to any Campus User without consent from such Campus User. Under the Opinions, the three basic telecommunications operators are required to formulate internal rules on their activities in the market for campus telecommunications, and the communications authorities are granted the power to conduct investigations where necessary and impose administrative penalties accordingly.


Notice of Carrying out the Special Action of Strengthening the Regulation of Mobile Phone Spam (《关 于开展深入治理垃圾短信息专项行动的通知》) (the “Notice”) 

 

On April 7, 2013, MIIT published the Notice and the Work Program for the Special Action of Strengthening the Regulation of Mobile Phone Spam (《深入治理垃圾短信息专项行动工作方 案》) (the “Work Program”), and announced its decision to carry out such “special action” from April, 2013 to December, 2013. This “special action” stands for the practical implementation of the provisions on regulating commercial electronic messages under the Resolution. The Notice and Work Program apply to all the basic and value-added telecommunications operators which provide mobile phone information services. In accordance with the Work Program, a telecommunications operator may not send any commercial message to any user, where such operator has not obtained the consent or request of such user, or where the user has expressly refused to receive such message. In addition, if the sending of commercial messages causes harassment to the user and the user gives express notice to the operator of such harassment, the operator must promptly take measures to stop sending such messages. 

 

Notice of Strengthening the Regulation of Network Access for Mobile Intelligent Terminals (《关于加强移动智能 终端进网管理的通知》) (the “Second Notice”)


The Second Notice was published by MIIT on April 11, 2013 and will take effect on November 1, 2013. In accordance with the Second Notice, a manufacturer of mobile intelligent terminals (e.g., smart phones and tablet PCs with intelligent operating systems) (each a “Terminal”) may not preset Terminals with any application software which can (i) collect or revise the personal information of a user without giving notice to and obtaining consent from such user; (ii) activate functions on the Terminal, thereby causing disclosure of information or other adverse effects, without giving notice to and obtaining consent from such user; or (iii) otherwise endanger the personal information security and infringe the legitimate rights and interests of the user. In addition, where newly-added
application software needs to be preset in the Terminal with a license for network access, or where the operating system needs to be upgraded in relation to basic security requirements of the Terminal, the manufacturer should make a filing with MIIT. In this sense, it is advisable that the manufacturers of Terminals should, in accordance with the relevant regulations within the transitional period before the effective date of such Second Notice, gradually improve the security standards for their products in relation to the protection of personal information.


There is no doubt that the abovementioned Opinions and two Notices can be deemed as implementation measures for the principles relating to personal information protection which are set forth in the Resolution and the Two Exposure Drafts.


With respect to the current legal framework regarding personal information protection in the field of telecommunications, the Resolution focuses on the principles rather than specific implementation measures. On the contrary, the Guidelines put emphasis on the technical details but have no legally binding effect. Further, considering that the severe requirements provided in the Two Exposure Drafts may rouse heated debate among telecommunications operators, it may take a long time for MIIT to finalize and promulgate such provisions.


Under the abovementioned circumstances, the importance of the Provisions on Regulating the Activities in the Market of Internet Information Services (《规范互联网信息服务市场秩序 若干规定》) (“Rule No. 20”), which provide many detailed requirements for personal information protection, becomes evident. Rule No.20 was promulgated by MIIT on December 29, 2011 and came into effect on March 15, 2012. Although Rule No. 20 applies only to the “activities of providing internet information services and activities in relation to internet information services within China”, Rule No. 20 can be deemed as a framework document before the promulgation of any further specific regulations on personal information protection in the field of telecommunications.


Under Rule No. 20, “User Personal Information” is defined as “any information associated with the user which, either independently or when combined with other information, enable the identification of such user”. Rule No. 20 applies to all internet information providers regardless of whether they are profit-generating or not. This scope of application is obviously not as broad as that of the Resolution, which applies to the internet service providers, other enterprises and public institutions as well as their respective staff. Rule No. 20 provides detailed requirements for internet information service providers in relation to the collection, use, storage, and security of user personal information, as well as acceptance of complaints. All those requirements are in line with the principles under the Resolution. In this sense, the provisions in relation to personal information protection under Rule No. 20 can be applicable together with the Resolution in relation to personal information protection. In the same Rule No. 20, the telecommunications authorities have been granted with supervisory powers for personal information protection in the field of telecommunications. As for legal liabilities, Rule No. 20 sets forth various penalties, such as correcting breaches, warnings and monetary penalties with an amount between RMB 10,000 and RMB 30,000. All these penalties have been included in the Provisions on the Protection of Personal Information of Telecommunications Users and Internet Users (Exposure Draft).

 

 

Jun He 5

 

For further information, please contact:

 

Feng Rui, Partner, Jun He

fengr@junhe.com

 

Zhuo Hui, Jun He

zhuoh@junhe.com

 

Li Duo, Jun He

lid@junhe.com

 

 

 

Comments are closed.