Company News
China Steps Up Efforts to Protect Personal Information
Apr. 17 – In recent years, the leaking of private information to third-parties has aroused nationwide concern in China. It has been reported that organizations such as Internet companies and telecommunications operators have been selling their clients’ personal information for profit, contributing to the plethora of junk mails and spam messages that frustrate users on a daily basis.
As a result, there have been growing calls in the county for a comprehensive national personal data protection law. However, even though China has a huge number of Internet and cellphone users, its protection of private information is very limited, and the country currently only has a basic framework for personal data protection.
The Decision
In December 2012, the Standing Committee of the National People’s Congress released the “Decision on Strengthening Online Information Protection (hereinafter referred to as the ‘Decision’),” which states no organization or individual may obtain personal digital information of citizens by stealing or other illegal means, nor sell or illegally provide such information to others.
Moreover, for citizens who have discovered that their individual identity has been divulged or individual private information has been disseminated, they may compel the relevant Internet service providers to delete the information or take other necessary measures to stop such activities.
However, as the Decision only has 12 articles and is broadly worded, it is difficult to enforce and lacks the teeth to threaten enterprises.
The Guideline
On February 1, 2013, China’s first national standard on personal information protection, namely the “Guideline on Information Security Technologies for the Protection of Personal Information in Public and Commercial Service Information Systems,” came into effect. The guideline divides personal information into “general personal information” and “sensitive personal information,” and clearly states that sensitive personal information can only be collected upon the express consent of the individual concerned.
However, as the guideline lacks the force of law, its effectiveness in personal data protection depends on further rules and regulations. Therefore, it has been of vital for the country to establish a law to protect personal information, or the invasion of privacy on the Internet will get worse.
On April 10, 2013, China’s Ministry of Industry and Information Technology took a concrete step towards combating this mounting problem by releasing the “Draft Rules on the Protection of Personal Information of Telecommunication and Internet Users (hereinafter referred to as ‘Protection Rules’)” and the “Draft Rules on Identity Information Registration of Telephone Users (hereinafter referred to as ‘Registration Rule’).” Detailed information can be found below.
Main Contents of the Protection Rules
The Protection Rules apply to the collection and use of users’ personal information during the provision of telecommunication services and Internet services in China. The rules also specify how institutions that leak and sell personal information will be punished.
Definition of Personal Information
According to the Protection Rules, a user’s personal information refers to any information collected by telecommunication business operators and Internet service providers that can be used to identify the user during the course of service provision, including:
1. User’s identification information
- Name
- Date of birth
- ID number
- Address
2. User’s login information
- Account number
- Login time
- Login location
Standards for Collection and Use of Information
The Protection Rules provides that, without the user’s consent, the telecommunication business operators and Internet service providers are not permitted to collect and use the user’s personal information. Besides, when collecting and using users’ personal information, the telecommunication business operators and the Internet service providers shall clearly inform the users of the following:
- The purpose, methods and scope of collecting and using the information
- The retention period for the information
- The channels for accessing and modifying the information
- The consequences of refusing to provide the information
The Protection Rules also demand telecommunication business operators and Internet service providers to publish their contact information for the purpose of collecting clients’ feedback, and the complaints lodged by consumers shall be resolved within 15 days.
Moreover, the telecommunication business operators, Internet service providers, and their staff shall not disclose or sell their users’ information to third parties.
Security Measures
The Protection Rules stipulate that telecommunication business operators and Internet service providers are responsible for the security of users’ personal information they collect and use during the course of service provision; and are also obligated to provide training to their staff regarding the protection of users’ personal information.
Penalties for Non-Compliance
Any telecommunication service operator or Internet information service provider who reveals, tampers with, destroys, or sells the personal information of its users may face a fine as high as RMB30,000 and criminal charges under several circumstances.
Main Contents of the Registration Rules
According to the Registration Rules, applicants for landline numbers, cell phone numbers and wireless Internet services are subject to the “real name system,” where they have to hand over their personal identity cards to service providers to sign up for the services.
The draft rules are currently seeking public opinions and comments, and such feedback can be submitted via the methods below through May 15, 2013.
- E-mail: law@miit.gov.cn
- Telephone: 010-66012374
- Address: Policy and Regulation Division, Ministry of Industry and Information Technology, No.27, Wanshou Rd, Haidian District, Beijing. Postcode 100846.