Jurisdiction - China
China – Rules For The Protection Of The Personal Information Of Telecommunications And Internet Users – Draft For Comment.

23 June, 2013



On 10 April 2013 the Ministry of Industry and Information Technology (MIIT) issued the draft Rules for Protection of the Personal Information of Telecommunications and Internet Users (the “Draft Rules”) for public comment, which should be submitted by 15 May 2013. 


The Draft Rules were formulated in accordance with the Decision on Strengthening Protection of Network Information (the “Decision”) issued by the Standing Committee of the National People’s Congress on December 2012, along with the PRC Telecommunications Regulations and the Internet Information Services Administrative Measures. The Draft Rules are intended to apply to activities involving the collection of personal data in the course of providing telecommunications and Internet information services. 


Definition of Personal Information


A user’s 'personal information' in the context of the Draft Rules refers to any information collected by telecommunications operators and Internet information service providers (collectively “Operators”) in the course of providing services that can singularly or in combination with other information be used to identify the user. This includes:


  • Identification information, such as the user’s name, date of birth, ID number and address; and
  • Login information collected during the user’s use of the services, including the user’s number, account number, time and location.


Standards for Collection and Use of Information


The Draft Rules oblige an Operator to adhere to the principles of lawfulness, appropriateness and necessity when collecting and using user data in the course of providing services. The Operator is obliged to:


  • collect or use user personal information only with the user’s consent;
  • formulate and publish rules for the collection and use of user data;
  • clearly inform the user of:


    • the purpose, means and scope of collecting and using the personal information;
    • the applicable retention period(s) for the information;
    • the channels that may be used by individuals to inquire about and amend their information; and
    • the consequences of refusing to provide the information; and
  • set up a mechanism for handling user complaints, publish contact information for receipt of user complaints and respond to complaints within 15 days of receipt.


The Operator is not permitted to collect user personal information beyond the scope of what is needed to provide the services; use user data for purposes outside the scope of the services provided; or collect or use user data by means of fraud, misrepresentation or coercion or in any manner that violates the law, administrative regulations or an agreement between the parties.


The Operators and their personnel are subject to strict confidentiality obligations with respect to the user data collected and used in the course of providing services. This information may not be disclosed, tampered with or destroyed, nor can the information be sold or provided illegally to another person. 


An Operator is not permitted to entrust service-oriented tasks requiring direct interaction with users and involving the collection and use of user data to any third party that cannot protect the user data concerned. The Operator is also expected to take responsibility for monitoring, supervising and managing the work of its service providers with respect to the protection of user data. 


Security Assurance Measures


The Draft Rules stipulate that an Operator is responsible for the security of the user data that it collects and uses in the course of providing services. Specifically, the Operator is required to adopt measures to prevent user data from being disclosed, destroyed or lost, to adopt remedial measures for any disclosure, destruction or loss that occurs; immediately report any serious breaches to the relevant telecommunications administrative authority and cooperate in any investigations by the relevant authorities. 


The Operators are also obliged to provide training to its personnel on the technical and security responsibilities that are relevant to protection of user data, to conduct periodic inspections, to keep records of its handling of user data and to eliminate any information security issues uncovered in the course of such audits in a timely manner. 


Penalties for Non-Compliance 


The Draft Rules call for rectification of any breach within a certain time frame and warnings and fines, which range from up to RMB10,000 (€1,250) for minor offences and between RMB10,000 and RMB 30,000 (€1,250 – €3,750) for more serious offences. If warranted, offenders may face criminal liability. 


Although the potential fines are relatively low, any breach of the Draft Rules would very likely be a breach of the Decision, which provides for other penalties (including but not limited to confiscation of illegal profits, revocation of operation permits and shutdown of websites).


Conclusion and Recommendations


Although the Draft Rules in their present form appear to be directed at telecommunications operators and Internet information service providers, it is anticipated that the Draft Rules are intended to provide implementation guidance for the Decision, which makes reference not only to network service providers, but also other enterprises that collect and use personal information as part of their business activities. As such it is possible that the scope of application of the Draft Rules will be broadened to incorporate other companies that collect and use personal information in the course of business. Companies that need to collect and/or use personal data in their business activities in China should review the Draft Rules carefully and consider taking this opportunity to provide comments and suggest changes to MIIT. 



For further information, please contact:


Grace Chen, Partner, Bird & Bird


Marcus Vass, Partner, Bird & Bird

[email protected]  



Comments are closed.