On December 28, 2012, China’s national legislature enacted a new law to further regulate the collection and use of online personal information and to require certain network service providers to implement real name registration for all users.
As described below, the new law may affect all businesses handling an individual’s “personal electronic information” in China, even if that information is not necessarily processed over the internet. For many companies operating websites hosted in China, the new law will require only slight modifications to existing data handling practices, as many of the new law’s provisions reflect or only slightly modify other provisions found in existing law. However, websites providing “internet publication services” such as blogs, microblogs, or online forum providers, will be required to implement a real name registration system for their users. The specifics of the real name registration system have not been announced and will likely come from China’s principal internet regulator, the Ministry of Industry and Information Technology (“MIIT”), which is drafting regulations in furtherance of the new law.
New Requirements on Privacy Notices
The new law, entitled the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (全国人大常委会关于加强网络信息保护的决定) (the “Online Information Decision”), requires “network service providers” (网络服务提供者) and other “enterprises or public institutions” (其他企业事业单位) to clearly indicate the “use, method, and scope” of their collection of an individual’s “personal electronic information,” and not to collect or use this information without the individual’s consent. It is not clear at this time how a user may evidence consent.
“Personal electronic information” is described as information “by which the individual identity of citizens can be distinguished as well as that which involves a citizen’s privacy,” but no formal definition or further interpretive guidance is provided.
The application of the notification requirement to “other enterprises and public institutions” (also undefined) would presumably require all institutions to notify users of the collection and use of their “personal electronic information,” even for information that is not collected online (such as information collected at the point-of-sale), so long as that information is transmitted or stored electronically. Further interpetative guidance and implementation will likely provide a clearer understanding.
Real Name Registration Requirements for Certain Providers
The Online Information Decision requires network service providers “providing internet publication services” or “website access services” to require their users to supply verified identify information when registering on the provider’s website or for online access. (This is often referred to as “real name registration.”) Although “network service providers” is undefined in the regulation, the delineation of “internet publication” and “website access” indicates the term may encompass, at the least, both content providers such as websites as well as network access providers such as China Unicom or China Mobile. (We have spoken with officials at MIIT who indicated that their personal understanding is that “network service providers” includes websites and that further implementing legislation for the Online Information Decision is now being drafted.)
Other Significant Requirements
In addition to the requirement of real name registration, the Online Information Decision also contains the following significant provisions, some of which mirror or expand upon existing law or regulations:
- Network service providers, other enterprises or public institutions, or their employees may not obtain an individual’s “personal electronic information” via theft or other means, nor sell or “illegally provide” an individual’s “personal electronic information” to others.
- Network service providers, other enterprises or public institutions, or their employees must “strictly maintain the confidentiality” of personal electronic information collected during their provision of services and may not “divulge, distort, or damage” that information, though these terms remain undefined.
- Network service providers must ensure that any information disseminated by users on their networks does not violate PRC law. If such information is published, the network service provider must report such publication to the appropriate authorities (although undefined in the regulation, this is likely to be MIIT), cease its further dissemination, and preserve the records for later investigation.
- Network service providers and other enterprises or public institutions must adopt technological and other measures necessary to ensure information security and to protect against “disclosure, damage, or loss of an individual’s personal electronic information.”
- Without the consent or request of an email recipient, or following a user’s clear refusal, no organization or individual may send “commercial electronic information” (e.g., spam or other commercial solicitation) to a recipient’s email box, fixed-line telephone, or mobile phone.
Violation of the Online Information Decision may lead to warnings, fines, confiscation of illegal income, cancellation of operating permits, website closure, or the prohibition of involved individuals from engaging in other network services business.
China’s state-affiliated news media has in recent weeks run a number of stories regarding stricter regulation of the internet, and the Online Information Decision may foreshadow a number of new regulations in 2013. At a press conference announcing the passage of the Online Information Decision, a representative of MIIT noted that it is currently in the process of drafting regulations in response to the Online Information Decision that may cover the protection of users’ electronic information, commercial solicitations, and the collection and handling of personal information over mobile networks.