Internet Information Services Providers

On April 10, 2013, China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), issued a draft regulation for public comment entitled Provisions on Protecting the Personal Information of Telecommunication and Internet Users  (“Draft Provisions”).  The Draft Provisions would impose additional requirements when telecommunication service providers (“TSPs”) and internet information service providers (“IISPs”) collect and use personal information (“PI”), and would direct these entities to implement a number of compliance measures to protect against disclosure, damage, or loss of PI.  The Draft Provisions would also provide MIIT with significant authority to enter premises and request documents for purpose of assessing the PI protection efforts of any TSP or IISP. 

The Draft Provisions are intended to implement the general requirements set forth in the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (“Online Information Decision”), which was promulgated in December 2012.  (See our client alert here.)  The term “IISPs” includes all companies utilizing a PRC-based website (i.e., a website registered with, or licensed by, MIIT) to collect PI from their customers or site visitors.

Continue Reading China Releases Draft Regulation for Online Collection and Use of Personal Information

On March 15, 2012, new provisions governing the online collection, use, and storage of personal information went into effect in China.  Promulgated by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”) govern the competition-related activities of Internet Information Services Providers (“IISP”) in China and also include key provisions relating to the collection, use, and storage of “Users’ Personal Information.”   While certain sector-specific regulations have included protections for online personal information in the past, the Provisions represent the first time a broad definition for online personal information has appeared in PRC law.  “Personal Information” is defined as information “that would identify the user if used alone or together with other information.” 

Under the Provisions, an IISP must inform users of the ways the IISP collects and processes information, what kind of information is collected, and the purposes for the collection.  IISPs may not collect any information unnecessary for the provision of services or use Users’ Personal Information for any purpose outside the scope of the services.  The Provisions also require IISPs to “properly” maintain their Users’ Personal Information. Where Users’ Personal Information is or may be divulged, the IISP must take remedial action. If the violation is “serious,” then the IISP shall report the violation to MIIT and jointly cooperate in taking further remedial measures.

The Provisions do not define “properly” or explain what would constitute a “serious” disclosure violation. It is also unclear whether, as part of taking “remedial action,” an IISP would be expected to notify a user for all breaches of user data or merely for “serious” ones.

Continue Reading Data Privacy Regulation for Websites in China Takes Effect, National Standards for Commercial Industries Forthcoming