Another leap forward - new personal data protection regulations in China

On 16 July 2013, the Ministry of Industry and Information Technology (MIIT) published a new set of regulations entitled "Regulations on the Protection of Personal Information of Telecom and Internet Users" (电信和互联网用户个人信息保护规定). The regulations will come into effect on 1 September 2013. In the following, Michelle Chan, Karen Ip and Clarice Yue provide details of the key features of the regulations.

Background

Protection of personal information and personal data has been a hot topic in the telecom and internet sectors in recent years in China, with users regularly complaining to service providers and the regulator on various forms of malpractices. In the absence of a general data protection law, and as discussed in our previous publications (last year and earlier this year), the concern has resulted in the Chinese Government promulgating regulations and standards which are intended to tighten control over and regulate the use of such information and data by the internet and telecom service providers. The new regulations therefore represent a further step by the Chinese Government in such regard.

Key features of the regulations

1. Who have to comply with the regulations?

The regulations are sector specific. As such, only telecom and internet service providers will be subject to the various requirements.

2. User personal information

The regulations defines "user personal information" as "information which on its own or jointly with other information can identify an individual". Examples of "user personal information" referred to in the definition include:

• name of the user
• date of birth
• ID number
• address
• telephone number
• account number
• password or passcode

The "place and time of use of services" has also been identified as "user personal information".

3. Key obligations

The regulations set forth, broadly, two key legal obligations covering:

• the collection and use of user personal information; and
• the security measures to be put in place for such information.

For collection and use of user personal information, internet and telecom service providers are required to publish a collection and use policy either at their place of business or on their websites. More importantly, consent must be obtained from the user before any user personal information can be collected or used. There is also a prohibition against the sale of such information or illegal disclosure.

For security measures, a key requirement is that internet and telecom service providers must advise the telecom regulator (i.e. the MIIT or its local branch) of any security breaches which will or is likely to bring serious consequences. The telecom regulator will also audit the security measures implemented by the internet and telecom service providers as part of the annual inspection which the service providers must pass to maintain their telecom licences.

4. Penalties

In the event that the internet and telecom service providers are found to be in breach of relevant provisions of the regulations, the telecom regulator has the authority to impose administrative fines, ranging from RMB10,000 to RMB30,000, upon them. The service providers in question may also be subject to criminal prosecution.