On March 15, 2012, new provisions governing the online collection, use, and storage of personal information went into effect in China. Promulgated by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”) govern the competition-related activities of Internet Information Services Providers (“IISP”) in China and also include key provisions relating to the collection, use, and storage of “Users’ Personal Information.” While certain sector-specific regulations have included protections for online personal information in the past, the Provisions represent the first time a broad definition for online personal information has appeared in PRC law. “Personal Information” is defined as information “that would identify the user if used alone or together with other information.”
Under the Provisions, an IISP must inform users of the ways the IISP collects and processes information, what kind of information is collected, and the purposes for the collection. IISPs may not collect any information unnecessary for the provision of services or use Users’ Personal Information for any purpose outside the scope of the services. The Provisions also require IISPs to “properly” maintain their Users’ Personal Information. Where Users’ Personal Information is or may be divulged, the IISP must take remedial action. If the violation is “serious,” then the IISP shall report the violation to MIIT and jointly cooperate in taking further remedial measures.
The Provisions do not define “properly” or explain what would constitute a “serious” disclosure violation. It is also unclear whether, as part of taking “remedial action,” an IISP would be expected to notify a user for all breaches of user data or merely for “serious” ones.
National Data Privacy Standard Soon to Be Released
Also on March 15, 2012, Ouyang Wu, Deputy Director of the Information Coordination Division of MIIT, announced at a national data privacy conference that a national standard titled Information Security Technology — Guideline for Personal Information Protection Within Public and Commercial Services Information Systems, (“Guidelines”) had been completed and submitted for final approval. The Guidelines, a public draft of which was issued in February 2011, are expected to be a voluntary standard, lacking the force of law, but including significant data privacy provisions for companies who use information systems to process personal information. According to news reports, the Guidelines delineate personal information handling into four steps: collection, processing, transfer, and deletion, and define the rights and responsibilities of personal information subjects and administrators. The Guidelines also are expected to include a provision calling for a third-party testing and evaluation agency to evaluate individual compliance efforts and develop an industry code of conduct.
The Guidelines are expected to be approved shortly.