On March 15, 2012, new provisions governing the online collection, use, and storage of personal information went into effect in China. Promulgated by China’s Ministry of Industry and Information Technology (“MIIT”), the Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”) govern the competition-related activities of Internet Information Services Providers (“IISP”) in China and also include key provisions relating to the collection, use, and storage of “Users’ Personal Information.” While certain sector-specific regulations have included protections for online personal information in the past, the Provisions represent the first time a broad definition for online personal information has appeared in PRC law. “Personal Information” is defined as information “that would identify the user if used alone or together with other information.”
Under the Provisions, an IISP must inform users of the ways the IISP collects and processes information, what kind of information is collected, and the purposes for the collection. IISPs may not collect any information unnecessary for the provision of services or use Users’ Personal Information for any purpose outside the scope of the services. The Provisions also require IISPs to “properly” maintain their Users’ Personal Information. Where Users’ Personal Information is or may be divulged, the IISP must take remedial action. If the violation is “serious,” then the IISP shall report the violation to MIIT and jointly cooperate in taking further remedial measures.
The Provisions do not define “properly” or explain what would constitute a “serious” disclosure violation. It is also unclear whether, as part of taking “remedial action,” an IISP would be expected to notify users of all breaches of user data or merely of “serious” ones.