MIIT Issues Comprehensive Regulation on Collection and Use of Personal Information by Internet and Telecommunication Service Providers
Q: When the Provision will take effect?
A: China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”) on July 16, 2013 and it will take effect on September 1, 2013.
Q: What’s the purpose of the Internet Provisions?
A: The Internet Provisions aims to provide specific implementation rules for telecommunication service provider’s and internet information service provider’s (“TSPs” and “IISPs,” respectively) collection and use of user’s personal information (“PI”).
Q: The definition of User’s Personal Information.
A: “User’s Personal Information” is defined as “a user’s name, dates of birth, identity card number, address, telephone number, account number, password, and other information by which the identity of the user can be distinguished independently or in combination with other information, as well as the time, and place of the user using the service and other information, collected by telecommunications business operators and Internet information service providers in the process of providing services.”
Q: The comprehensive requirements on TSPs and IISPs.
A: Now, the TSPs and IISPs are required to:
Ř Post PI collection and use policies at their place of business or online;
Ř Not collect or use a user’s PI without the user’s consent;
Ř Notify users regarding collection and use of PI, including the purpose, method, and scope of use, as well as avenues for the user to consult or amend the information, and the consequences if a user fails to provide the required information.
Ř Maintain strict confidentiality of a user’s PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others; and to
Ř Provide company contact information so that users may provide feedback, and to resolve any complaints lodged by customers within 15 days.
Q: PI Storage and Handling Security Requirements
A: The Internet Provisions mandate the adoption of various internal security measures in order to avoid disclosure, loss, damage or distortion of a user’s PI, including requirements to:
Ř Establish an internal safety management system and associated workflows for the collection and use of a user’s PI and other related activities, and to confirm the related responsibilities for protecting PI within each department, branch, and position in an organization;
Ř Limit access by employees and agents to data, and carry out supervisory activities over bulk export, reproduction, or deletion of PI, and to adopt necessary measures to protect against unauthorized disclosure;
Ř Guarantee appropriate storage and security measures for the protection of storage devices containing PI;
Ř Conduct access checks for systems containing users’ PI, and adopt anti-virus and anti-intrusion measures;
Ř Record the details for any individual’s handling of a user’s PI, including such information as the time and place of system access; and
Ř Implement telecom security precautions in accordance with relevant MIIT regulations regarding network security.