New measures to regulate malpractices adopted by ICPs in China and their use of personal data

The PRC Ministry of Industry and Information Technology recently published a set of measures entitled "Several measures on regulating the internet information service market" to regulate certain misbehaviours of internet information service providers in China and their use of personal data. These measures will take effect on 15 March 2012.  Michelle Chan, Karen Ip and  Clarice Yue provide an overview and analysis.

It is not uncommon for visitors to PRC websites to see numerous pop-up advertisement windows which could not be closed, or to have programmes, cookies or software applications automatically downloaded to their computers without the visitors becoming aware of such downloads. In recent years, there were also numerous incidents whereby internet information/content providers ("ICPs") allegedly included in their own downloadable applications functionalities which would enable them to monitor the use by the visitors of their computers and/or block the visitors from using programmes or applications of the ICPs' competitors. In response to such malpractices, the Ministry of Industry and Information Technology ("MIIT") published the measures setting forth the "dos" and "don'ts". Notably, the measures also contain certain data protection measures.

ICPs which are in breach of the measures may be subject to a warning from the relevant telecoms administrative bureau and/or a fine of up to RMB30,000. Public announcement may also be made by the authority disclosing the breach to the general public. The telecoms administrative bureau is required to report serious breaches to the MIIT, and may order the ICP to cease its activities which are not compliant with the measures.

The "dos" and "don'ts"

The measures govern generally the ways in which ICPs operate, such as the prohibition of any action that violates the rights of other ICPs and any action that violates the legal rights of internet users. There are also provisions regulating reviews and assessments conducted and published by ICPs online, installation and operation of software bundles on users' terminals and the use of pop-up advertisement windows. The specific activities which are regulated include:

1. Malicious attempts that violate the legal rights of other ICPs are not allowed, for example:

• An internet user should be able to freely use other ICPs' services, or download, install, operate or upgrade software provided by other ICPs.
• ICPs should not make defamatory statements to discredit or tamper with the services or products of other ICPs.
• Services or products should be compatible with those offered by other ICPs, and the internet users should be notified in advance if this is not the case.

2. Activities that violate the legal rights of internet users, for example:

• ICPs should not deny, delay or suspend their services or products or force internet users to use or remove a service or product without a legitimate reason.
• Services or products should be consistent with the descriptions on advertisements.
• ICPs should not unilaterally amend the business terms to the detriment of internet users, or the browser or other computer settings of the internet users.

3. Any performance reviews/assessments or test performed on products or services of other ICPs should be objective and fair. The results should be true and accurate and the method of assessments, the identity of the reviewer and the data source should be fully disclosed. No subjective comment should be made on the result if the reviewer offers similar services or products. If the product or service provider decides to conduct his/her own test again, the reviewer is obliged to provide him/her with assistance.
    
4. Internet users should be fully notified before downloading, installing, running, upgrading or removing any software. The procedures for software removal and installation should be comparable in terms of complexity. No execution codes should remain on an internet user's computer once the software is removed.
    
5. Internet users should have a chance to choose whether to install or run the software bundles, and have an accessible and independent way to remove or close the software bundles.
    
6. Internet users should be able to close pop-up advertisement windows easily.
    
7. Information uploaded by internet users should not be subject to use, amendment, transfer or deletion by ICPs, and should not be disclosed to third parties without the internet users' consent unless such disclosure is required by laws or regulations.

ICPs are also encouraged to report malpractices of other ICPs to the relevant telecoms administrative bureau.

Personal data protection

The measures contain some specific requirements on ICPs in relation to the collection, use, storage and security of personal data.

"Personal data" is defined as:

1. data that can individually identify a user; or
2. data that can identify a user when combined with other data.

ICPs must not collect or transfer personal data to a third party without the consent of the data subject, unless such transfer is required by law or any other administrative regulation. To obtain a consent from the data subject, ICPs must expressly notify the data subject of the method, content and purpose of collecting the data. They are also prohibited from collecting any data that is not necessary for the stated purpose or falls outside the ICP's scope of services.

In addition, ICPs are also required to ensure the proper security of the personal data, and take immediate remedial measures if personal data is suspected to have been disclosed. If the consequences of disclosure are expected to be serious, ICPs must immediately report the incident to the telecoms regulatory authority and cooperate with the authorities in their investigations.

Whilst China currently does not have a formal legislation on data protection, these measures do provide certain limitations on what ICPs could do with personal data collected through their operations.