March 15 marks the effective date of new privacy regulations issued on December 29, 2011, by the Ministry of Industry and Information Technology of the People’s Republic of China titled Several Provisions on Regulation of the Order of Internet Information Service Market. The new regulation defines the personal information protection requirements applicable to Internet Information Service Providers (“IISPs”).
Under the new regulation, however, there is no clear definition of “IISPs”. Article 2 of the Measures for the Administration of Internet Information Services (effective since September 25, 2000) defines the term “Internet information services (IIS)” as service activities of providing information through the Internet to the user, which include commercial and non-commercial services. Commercial IIS refers to providing Internet users with information via the Internet in exchange for compensation, or providing Web page creation services. Non-commercial IIS refers to providing Internet users with open-source and shared-information services via the Internet on a non-compensatory basis. Under the above definition, all entities in China providing information services through the Internet to web users could be considered IISPs (that is, both commercial IISPs and non-commercial IISPs), and are therefore subject to this new regulation.
The new regulation is the first national-level regulation that provides a definition of “user personal information” and that contains specific obligations and liabilities of IISPs to protect user personal information. Specifically:
- Definition of “User Personal Information”: Under the new regulation, “user personal information” is defined as the information relevant to the users that can ascertain the identity of the users independently or in combination with other information.
- Obligations and Liabilities of IISPs: IISPs are prohibited from (a) collecting user personal information or providing user personal information to third parties without the user’s consent; and (b) collecting information that is not necessary to provide their services, or using user personal information for any purpose other than providing those services.
- Additional Obligations: The new regulation requires IISPs to expressly inform the user of the method, content and purpose for collecting and processing personal information after consent for collection has been provided by the user. In addition, IISPs are required to properly safeguard personal information of users and take remedial measures to mitigate any harm resulting from actual or potential disclosure of the personal information kept by IISPs. In the event of disclosure with potentially serious repercussions, IISPs must immediately report the event to the competent telecommunication authority and cooperate in any investigation conducted by the authority.
- Penalties for Non-Compliance: The new regulation sets out penalties against non-compliance, including an official warning and possible concurrent fine of more than RMB 10,000 but less than RMB 30,000, and providing an announcement to the public.
The exponential increase in the ability of technology to collect and analyse personal data has seen a corresponding global response in the development of privacy and personal information protection laws and regulations. This new regulation is the most recent attempt by Chinese authorities to provide stronger protection for personal data collection for users in China, and will certainly come into play with the rapid growth in everything from targeted consumer advertising to cloud computing.
This blog entry is provided by Jun Wei and Roy Zou from the Hogan Lovells Beijing Office.