Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations
Time 2 Minute Read

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

Specifically, IISPs will be prohibited from collecting user personal information or providing user personal information to third parties without the user’s consent. When collecting user personal information after having obtained consent, IISPs will be required to expressly inform the user of the method, content, and purpose for collecting and processing the personal information. Further, IISPs will be prohibited from collecting information that is not necessary to provide their services, or using user personal information for any purpose other than providing those services.

The New Regulations also impose custody, remedy and breach notification obligations. IISPs will be required to keep user personal information in proper custody and take steps to mitigate possible harm resulting from any actual or suspected unauthorized disclosure of personal information. In the event an IISP suffers a severe breach incident or anticipates the potential for a severe breach, the IISP must immediately report the event to the relevant telecommunication authority and cooperate in any investigation by the authority.

The definition of user personal information in the New Regulations includes both (1) information that independently identifies a user, and (2) information that may be used to identify a user when combined with other information.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page