Chinese English
China Strengthens Personal Information Protection


Posted on September 13, 2013 by China Briefing

Sept. 13 - In recent years, the leaking of private information to third-parties has aroused nationwide concern in China, and with the wider application of information technology services and a growing number of Internet users across the country, the problem has become more and more prevalent.

On July 16, 2013, China's Ministry of Industry and Information Technology took a concrete step towards combating this mounting problem by releasing the "Rules on Protecting Personal Information of Telecommunication and Internet Users (hereinafter referred to as 'Rules')." The Rules came into effect on September 1, and have greatly strengthened the protection towards telecommunication and Internet users in the country.

The Rules apply to the collection and use of users' personal information during the provision of telecommunication services and Internet services in China, and contain 25 provisions regulating the following four areas:

Detailed information can be found below.

Applicable Scope
According to the Rules, a user's personal information refers to any information collected by telecommunication business operators and Internet service providers that can be used to identify the user during the course of service provision, including:

1. User's identification information

2. User's login information

Collection and Use of Information
The Rules provide that the collection and use of personal information of telecommunication and Internet users must be done on a legal, justified and necessary basis. Moreover, without the user's consent, the telecommunication business operators and Internet service providers are not permitted to collect and use the user's personal information.

When collecting and using users' personal information, telecommunication business operators and Internet service providers shall clearly inform users of the following:

The Rules explicitly state that telecommunication business operators and Internet service providers shall not:
Moreover, if the user terminates the telecommunication services or Internet information service, the telecommunication business operator and Internet service provider shall stop collecting and using users' personal information, and deregister relevant phone numbers or accounts at the same time.

The Rules also demand telecommunication business operators and Internet service providers to publish their contact information for the purpose of collecting clients' feedback, and the complaints lodged by consumers shall be resolved within 15 days.

Security Measures
The Rules stipulate that telecommunication business operators and Internet service providers are responsible for the security of the personal information they collect and use during the course of service provision. Such operators and providers are also obligated to provide training to their staff regarding the protection of users' personal information.

Moreover, where the users' personal information obtained by telecommunication business operators or Internet service providers has been, or is likely to be, divulged, damaged or lost, the telecommunication business operators or Internet information service providers shall take immediate remedial measures and report such situations to the relevant authorities immediately if serious consequences have been, or may be, caused.

Supervision and Inspection
According to the Rules, the telecommunication authorities and their staff shall keep users’ personal information that comes to their knowledge during the performance of duties strictly confidential, and shall not divulge, tamper with, damage or sell such information or illegally provide others with such information. Moreover, telecommunication authorities shall record the violations by telecommunication business operators and Internet service providers into their social credit files and announce such to the public.

Legal Liabilities
Violations of the Rules by telecommunication business operators and Internet service providers may result in penalties including administrative warnings, a fine of up to RMB30,000, and criminal liabilities.

Staff of telecommunication authorities may be held liable if they neglect their duty or abuse power during the supervision and administration over the protection of users’ personal information.

Dezan Shira & Associates is a specialist foreign direct investment practice, providing corporate establishment, business advisory, tax advisory and compliance, accounting, payroll, due diligence and financial review services to multinationals investing in emerging Asia.

Created on 16-Dec, 2013 by HKCCMA.

Last Edited on 16-Dec, 2013 by HKCCMA.