HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, International/EU Privacy

Making Sense of China’s New Privacy Laws and Draft Internet Privacy Regulations

Although China does not have an omnibus privacy statute or framework, the Chinese government has recently released a number of new privacy guidelines and regulations. In an article entitled “Making Sense of China’s New Privacy Laws” for the International Association of Privacy Professionals’ Privacy Tracker, we reported that the development of privacy-related legislation and regulation is an apparent effort to encourage consumer engagement in the e-commerce market, which is targeted to hit RMB 18 trillion (approximately US $2.93 trillion) by 2015.

In April 2013, China witnessed continued progress in personal data protection through the issuance of two draft rules by the Ministry of Industry and Information Technology of the PRC (“MIIT”), in addition to substantial draft amendments to the 1993 Law of Consumer Rights proposed by China’s top legislature.

The two draft rules, the Provisions on the Protection of the Personal Information of Telecommunications and Internet Users (“Provisions for Telecommunications and Internet Users”) and the Provisions on Registration of the True Identity Information of Phone Users (“Provisions on Phone Users”), presented by the MIIT on April 10, show China’s commitment to protecting telecommunications and internet users’ personal information.

First, the Provisions for Telecommunications and Internet Users were formulated in accordance with the Standing Committee of the National People’s Congress’ Decision on Strengthening Network Information Protection of December 28, 2012 (the “Decision”) and would influence activities involving the collection of personal data by telecommunications services and Internet information services operating within China in four main ways:

  1. Broadening the scope of the types of data that would be subject to privacy regulations by including log information in its definition of personal information and defining the MIIT as the “Telecommunications Authority” under the central government;
  2. Outlining the standards specific to the collection and use of personal information obtained by service providers in the process of providing telecommunications and Internet services;
  3. Establishing specific security protection requirements for personal data collected by service providers and requiring service providers to establish user complaint handling mechanisms, with providers expected to resolve users’ complaints within 15 days of receipt of a complaint; and
  4. Establishing financial penalties of RMB 10,000 (approximately US $1,626) for minor violations of the regulations and up to RMB 30,000 (approximately US $4,880) and/or criminal liability for more serious violations of the regulations.

Second, the Provisions on Phone Users, when enacted, would regulate the registration of the true identity information of phone users on fixed and mobile (including wireless network cards) phone lines, thereby providing much-needed direction and force in protecting telecommunications and Internet users’ personal information.

The Provisions on Phone Users would protect telecommunications users from fraud and provide greater protection to users’ personal information by business operators and the government by requiring telecommunications business operators to procure specific “true identity” documents from each personal or corporate user:

From a personal user, the following documents would be required:

  • resident identity card, temporary resident identity card or household register;
  • identity document of servicemen of the Chinese People’s Liberation Army, or the identity document of the Chinese People’s Armed Police;
  • mainland travel permit for Hong Kong and Macao residents;
  • mainland travel permit for Taiwan residents, or other valid travel documents;
  • passport, applicable if the personal user is a foreign national; or
  • other valid identity documents prescribed by laws, administrative regulations or State provisions.

From a corporate user, the following documents would be required:

  • the valid identity document of the handling officer and the power of attorney issued by the entity;
  • the company’s organizational code certificate;
  • the company’s business license;
  • the company’s legal person certificate of public institutions or legal person registration certificate of social organizations; or
  • other valid identity documents or supporting documents prescribed by laws, administrative regulations or State provisions, and in addition.

The Provisions on Phone Users also would uphold many standards found in the Provisions on Telecommunications and Internet Users, and would establish the following additional standards:

  • retain users’ personal information during the period of service and two years after termination;
  • adhere to the provisions, if any, prescribed by the Telecommunications Regulations of the PRC; and
  • require existing users who have not provided true identity information to do so.

Although the Provisions for Telecommunications and Internet Users as well as the Provisions on Phone Users appear to be directed at telecommunications operators and Internet information service providers (IISPs), it is widely considered that they would apply to all other companies that collect and use personal information as part of their business activities. They are intended to provide implementation guidance for the 2012 Decision on Strengthening Network Information Protection, a relatively short 12-clause Decision that aimed to provide codified protection for online personal information and public interests but that in reality is broad and lacks detailed interpretation for compliance.

The MIIT solicited public comments on the Provisions for Telecommunications and Internet Users and the Provisions on Phone Users until May 15, 2013, and is expected to issue its final determinations in the near future.