On July 16, 2013, China's Ministry of Industry and Information Technology ("MIIT") promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users ("Internet Provisions"). The Internet Provisions, which take effect September 1, 2013, set out specific implementation rules for the collection and use of "users' personal information" by telecommunication service providers and internet information service providers ("TSPs" and "IISPs," respectively). They implement the more general national-level law protecting "personal electronic information" issued in December 2012, the Decision of the Standing Committee of the National People's Congress on Strengthening Online Information Protection (see our previous client alert here).
"IISPs" is a broad category covering any company that uses a mainland-based website (i.e., a website registered with or licensed by MIIT) to collect personal information ("PI") from its customers or site visitors. "TSPs" are entities that provide access to telecommunications services, such as China Mobile.
PI Collection and Use Rules
In its final form, the Internet Provisions retain most of the specific rules on the collection and use of users' PI that appeared in the draft released for public comment (see our previous client alert on the draft here). Now binding, these rules require TSPs and IISPs to:
- Post PI collection and use policies at their place of business or online;
- Not collect or use a user’s PI without the user’s consent;
- Notify users of the purpose, method, and scope of PI collection and use, of the channels through which users may review or correct their information, and of the consequences of refusing to provide the requested information. (Notably, the final version of the Internet Provisions states that its notice-and-consent rules supersede any other law or regulation on this point, which would appear to include the Several Provisions on Regulating the Market Order of Internet Information Services promulgated in December 2011.)
- Keep users' PI strictly confidential; not disclose, distort, or damage it; and not sell or unlawfully provide it to others; and
- Publish company contact information so that users can submit feedback, and resolve any complaint lodged by a user within 15 days of receiving it.
The Internet Provisions also provide that where a TSP or IISP entrusts a third party with PI so that the third party can provide "direct services" to the user, the TSP or IISP must "supervise and manage" the third party's use of the PI and must not entrust PI to any third party that cannot meet the protection requirements set out in the Internet Provisions.
PI Storage and Handling Security Requirements
Significantly, the Internet Provisions mandate eight internal security measures to prevent the disclosure, loss, damage, or distortion of users' PI, including requirements to:
- Establish an internal security management system and associated workflows for the collection and use of users' PI and related activities, and define the PI protection responsibilities of each department, branch, and position in the organization;
- Restrict the access rights of employees and agents to PI, review any bulk export, copying, or deletion of PI, and adopt the measures necessary to prevent unauthorized disclosure;
- Properly store and safeguard the storage media that hold PI;
- Review access to the information systems that store users' PI, and deploy anti-virus and intrusion-prevention measures;
- Log every individual's operations on users' PI, including who performed the operation and the time and location of system access; and
- Implement telecommunications network security protections in accordance with the relevant MIIT network security regulations.
The Internet Provisions also strengthen government inspection rights: authorities may conduct "supervisory inspections," which may include demands for all "related materials" and entry onto the premises of any TSP or IISP to examine its compliance efforts.
Potential Next Steps for TSPs and IISPs
With the release of the Internet Provisions, TSPs and IISPs now have considerably more guidance from MIIT on their PI collection and use activities and the related business processes. These companies should therefore re-evaluate their current privacy programs and PI handling procedures to ensure they comply with the new requirements of the Internet Provisions, in addition to the preexisting requirements of other laws and regulations, before September 1, 2013.