On April 10, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) enacted two draft rules (“Provisions on the Protection of Personal Information of Telecommunications and Internet Users” and “Provisions on the Registration of Real Identity Information of Telephone Users”) to solicit public comments. The comment period is open until May 15, 2013. Both Drafts include proposals for substantial provisions on the protection of personal information and were enacted according to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (issued by the Standing Committee in December 2012) and some other telecommunications rules.
Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the “Draft Provisions”)
The Draft Provisions apply to telecommunications services and Internet information services carried out within China’s jurisdiction. Already there are some rules in effect to regulate Internet information services with respect to the protection of personal information (for example, the Provisions on Regulating Market Orders of Internet Information Services (“Provisions on Internet Information Services”) issued by the MIIT on December 29, 2011). Once they are officially enacted, however, the Draft Provisions will be the first specific rules regarding the protection of personal information in the context of telecommunications services and they will include additional protection for users’ personal information as compared to earlier rules.
First, the Draft Provisions define “personal information,” as the information collected during the course of performing services which either (1) can independently identify a user, or (2) may be used to identify a user when combined with other information. This definition is substantially similar to the definition under the Provisions on Internet Information Services.
Second, the Draft Provisions set forth a number of requirements that are specific to the collection and use of personal information obtained in the process of providing telecommunications services and Internet information services, which are similar to those under the Provisions on Internet Information Services. For example, under the Draft Provisions, telecommunications service providers and Internet information service providers (“IISPs”) are:
- prohibited from collecting or using personal information without the user’s consent
- required, when collecting or using personal information after having obtained consent, to expressly inform the user of the method, extent and purpose for collecting and using the personal information
- prohibited from collecting information that is not necessary to provide their services, or using personal information for any purpose other than providing those services
- required to implement remedies in the case of any actual or suspected unauthorized disclosure, damage or loss of personal information
- required to report any severe breach incident or potentially severe breach incident immediately to the relevant telecommunications authority, and cooperate in any investigation by the authority
Third, in addition to the requirements above, the Draft Provisions include additional protections for user personal information. For example:
- Telecommunications service providers and IISPs are required to formulate rules on the collection and use of user personal information, and make such rules public.
- When collecting and using personal information, telecommunications service providers and IISPs are required to expressly inform users of (1) how long the personal information will be retained, (2) the means for requesting or correcting information, and (3) the consequences if the user refuses to provide the personal information.
- Telecommunications service providers and IISPs may only entrust third-party service providers who can meet the requirements for protection of user personal information to provide their users with direct services (such as marketing and technical services) and must supervise the third party’s protection of personal information.
- The protection of user personal information will be examined as part of the annual examination of a telecommunication service provider by the relevant oversight agency.
- Violations of the Draft Provisions by telecommunications service providers and IISPs will be recorded and made public.
Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and even criminal liability in certain cases. That said, the Draft Provisions may actually impose lower fines than the Provisions on Internet Information Services.
Provisions on the Registration of Real Identity Information of Telephone Users (“Telephone User Registration Provisions”)
Real name registration is not new in China. It has been applied to both telephone users and Internet users, and has given rise to heated discussions. According to unofficial media reports, the MIIT issued internal rules in 2010 that would have required new mobile phone users to register their real identity information, but it appears that registration work has not yet been completed. The Telephone User Registration Provisions would establish a legal basis for requirements already in place and would be the first regulation to require wireless network interface card users to register real identity information.
Under the Telephone User Registration Provisions, telecommunications service providers are required to retain user identity information while the user is a customer and for two years following termination of the services. Telecommunications service providers and their staff are obligated to keep such personal information confidential – the Telephone User Registration Provisions include specific requirements regarding the protection of such real identity information. Further, once officially enacted, the Provisions on the Protection of Personal Information of Telecommunication and Internet Users also may apply.
Conclusion
These two Draft Rules are generally considered to have been drafted specifically pursuant to Article 6 of the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet, which required that users register their real identity information when applying for access to the Internet, or for use of fixed phones and mobile phones.
Though the Draft Provisions include specific provisions on the protection of telecommunications and Internet users’ personal information, there has been heated debate and doubt in China regarding whether such provisions will be enforced effectively. For example, some are concerned that the Draft Provisions may lead to an increase in illegal disclosures of personal information. Another criticism is that the penalties for violations are widely considered insufficient to deter the violations.
In any case, so long as there is no uniform data protection law in China, one or two ministry-level rules of this nature will not dictate how personal information is collected and used in China. According to Chinese media reports, the MIIT may issue another series of rules after it enacts these two. In short, this is by no means the final chapter of the story. We will continue to observe for further developments, and will post again as they arise.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code