Jurisdiction - China
Reports and Analysis
China – Draft Provisions On Personal Data Protection.

7 May, 2013


New draft regulations circulated by China's Ministry of Industry and Information Technology ("MIIT") indicate that telecommunications and internet service providers may soon need extra caution when collecting and handling personal data. The standards set out in the new draft regulations may also form the foundation of future personal data protection law.

New Draft Provisions


On 10 April 2013, the MIIT issued the Draft Provisions on the Protection of Personal Data of Telecommunications and Internet Users ("Draft Provisions") for public comments. Comment must be submitted to MIIT by 15 May 2013.


The Draft Provisions, which specify the requirements on the collection and use of personal data in the context of telecom and internet services, follow the Decision on Strengthening the Protection of Internet Data ("Decision") which was issued by the Standing Committee of the National People’s Congress at the end of 2012.

Unlike the non-compulsory "Information security technology – Guideline for personal information protection within information system for public and commercial services" which has no force of law, the Draft Provisions would impose various obligations on telecommunications service providers ("TSPs") and internet service providers ("ISPs") regarding the collection and use of personal data. Non-compliance would give rise to administrative penalties.


Definition of Personal Data


The Draft Provisions define "Personal Data" as information, collected by TSPs and ISPs during the provision of services, which can identify the user on its own or together with other information. Under the Draft Provisions, personal data includes the user's identification information, such as the name, date of birth, identity card number, address and other recorded information, such as the number, account, time and place of the services provided to the user.


Requirements on Collection and Use of Personal Data


The Draft Provisions restate that personal data cannot be collected or used by TSPs and ISPs without the user's prior consent. In addition, TSPs and ISPs must also:


  • formulate and publish rules, at their business premises or on their website, on the collection and use of the users' personal data;
  • expressly notify the user of the purpose, method and scope of personal data collection and use, the retention period of personal data, channel for the user to inquire or correct the collected or used personal data, and the consequence of refusal to provide the required personal data;
  • refrain from collecting or using the user's personal data beyond the scope of its services, or by ways of deception, misrepresentation or coercion, or in violation of the provisions of the laws and regulations or the agreement with the user;
  • keep the personal data collected or used strictly confidential;
  • oversee the works of any third-party agent if such agent assists with the collection and processing of the personal data, and ensure that the agent can fulfil the personal data protection requirements; and
  • set up a mechanism for dealing with users' complaints with respect to personal data protection and respond to the users within 15 days of complaints being made.


Security of Personal Data


As with the requirements under the Decision, the Draft Provisions require TSPs and ISPs to take technical and other measures to maintain the security of personal data. The Draft Provisions, however, also set out eight specific measures that TSPs and ISPs are obliged to adopt in order to protect the collected or used personal data from being disclosed, damaged or lost. These measures include a requirement for TSPs and ISPs to formulate and implement company-wide work processes and security policies for the collection, use and processing of personal data.


Under the Draft Provisions, in cases of disclosure, damage or loss of personal data, TSPs and ISPs must take immediate remedial measures. If the disclosure, damage or loss has led or could possibly lead to serious consequences, the TSP or ISP must also report the incident to the competent telecommunication authorities, and cooperate with any investigation.


Legal Consequences for Non-Compliance


TSPs and ISPs that violate the Draft Provisions may be warned and ordered to rectify their violations within a specified time frame. The violating TSPs and ISPs may also be subject to a fine of between RMB10,000 and RMB30,000 (in the case of serious offenses, e.g., collection or use of personal data without the user's consent) or up to RMB10,000 (in the case of minor offenses). If such violation constitutes a criminal offense, then the TSPs and ISPs may be prosecuted. Under the PRC criminal law, in serious circumstances, the collection of personal data by theft or other illegal means may result in a prison sentence of up to 3 years.


Although similar sanctions on ISPs can be found in existing MIIT rules, there are currently no rules setting out specific penalties for the unauthorized collection and use of personal data by TSPs. Upon the formal enactment of the Draft Provisions, TSPs (such as calling centres or mobile wireless communication companies) should give due regard to the relevant requirements when collecting and handling personal data.



For further information, please contact:
Betty Tam, Partner, Herbert Smith, Freehills
Karen Ip, Partner, Herbert Smith, Freehills





Comments are closed.