Telecommunications and Internet User Individual Information Protection Regulations (Opinion-seeking Draft)

Chapter I: General principles

Article 1: In order to protect the lawful rights and interests of telecommunications and Internet users, safeguard network information security, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection”, the “Telecommunications Regulations of the People’s Republic of China”, the “Internet Information Service Management Rules” and other laws and administrative regulations, these Regulations are formulated.

Article 2: These Regulations shall be observed in the collection and use of individual user information in the process of providing telecommunications services and Internet information services within the borders of the People’s Republic of China.

Article 3: The Ministry of Industry and Information Technology and all provincial, autonomous region and municipal telecommunications management bureaus (hereafter jointly named “telecommunications management organs”) implement supervision and management over telecommunications and Internet users’ individual information protection work according to the law.

Article 4: Individual user information as named in these regulations, refers to information collected by telecommunications business operators and Internet information service providers in the process of providing services, that is able individually or in combination with other information to distinguish the user, it includes users’ names, date of birth, identity card number, address and other identity information as well as the codes, account numbers, times, locations and other recorded information about users’ use of services.

Article 5: Telecommunications business operators and Internet information service providers that collect and use individual user information in the process of providing services, shall abide by the principles of legality, propriety and necessity.

Article 6: Telecommunications business operators and Internet information service providers are responsible for the security of individual user information collected and used in the process of providing services.

Article 7: The State encourages the telecommunications and internet sector to launch individual user information protection self-discipline work.

Chapter II: The scope of information collection and use

Article 8: Telecommunications business operators and Internet information service providers shall formulate individual user information collection and use rules, and publish these in their business or service premises, websites, etc.

Article 9: Without user permission, telecommunications business operators and Internet information service providers may not collect or use individual user information.

Where telecommunications business operators and Internet information service providers collect and use individual user information, they shall clearly notify users about the objective, method and scope of information collection and use, the period of information preservation, the channels to consult and correct information, as well as the consequences for refusing to provide information and other matters.

Telecommunications business operators and Internet information service providers may not collect individual user information other than that necessary for the provision of service or use information for purposes other than the provision of service, they may not collect and use information through fraud, misleading, coercion or other methods or in violation of laws, administrative regulations and the contract of both sides.

Where laws and administrative regulations provide otherwise in regard to the provisions of Paragraphs 1 until 3 of this Article, those provisions are to be followed.

Article 10: Telecommunications business operators and Internet information service providers, and their work personnel, shall strictly preserve the secrecy of individual user information collected in the process of service provision, they may not divulge, distort or damage this, and may not sell or illegally provide this to other persons.

Article 11: Where telecommunications business operators and Internet information service providers entrust other persons to act as agent in market sales, technological services and other service-type work directly aimed at users, which involves the collection or use of individual user information, they shall implement supervision and management over the individual user information protection work of the agent, they may not entrust agents who cannot satisfy individual user information protection requirements to act as agent in handling related services.

Article 12: Telecommunications business operators and Internet information service providers shall establish user complaint handling mechanisms, publish effective contact methods, accept complaints related to the protection of individual user information, and answer to complaints within 15 days of receiving a complaint.

Chapter III: Security protection measures

Article 13: Telecommunications business operators and Internet information service providers shall adopt the following measures to prevent leaks of, damage to or loss of individual user information:

(1) defining the individual user information security management duties of departments, positions and branch organs;

(2) establishing workflow and security management systems for individual user information collection, use and related activities;

(3) implementing jurisdictional management over work personnel, conducting inspections of the channelling, reproduction and destruction of information, and adopting anti-leak measures;

(4) appropriately taking care of the paper, laser, electromagnetic and other carriers that record individual user information, adopting corresponding security preservation measures;

(5) implementing access inspection of the information systems storing individual user information, and regularly conducting security risk assessments;

(6) adopting telecommunications network security prevention measures according to the provisions of telecommunications management organs;

(7) recording information such as the persons, time, location, individual items, etc., of manipulation of individual user information;

(8) other necessary measures provided by telecommunications management organs.

Article 14: Where leaks, damage or loss of individual user information under the care of telecommunications business operators or Internet information service providers occurs or may occur, they shall immediately adopt remedial measures; where grave consequences are created or may be created, they shall immediately report this to the telecommunications management organ that issued permission or filing, and cooperate with corresponding departments conducting investigation and handling.

Article 15: Telecommunications business operators and Internet information service providers shall conduct training towards their work personnel on knowledge, skills and security duties related to individual user information protection.

Article 16: Telecommunications business operators and Internet information service providers shall conduct regular self-inspection of the individual user information protection situation, record the self-inspection results and timely eliminate information security issues discovered through self-inspection.

Chapter IV: Supervision and inspection

Article 17: Telecommunications management organs shall implement supervision and inspection of the situation of telecommunications business operators and Internet information service providers protecting individual user information.

When telecommunications management organs implement supervision and management, they may require telecommunications business operators and Internet information service providers to provide relevant material, and enter into their production or business venues to investigate the situation, telecommunications business operators and Internet information service providers shall cooperate with this.

Telecommunications management organs implementing supervision and management, shall record the supervision and inspection situation. Implementation of supervision and inspection may not hamper the regular business or service activities of telecommunications business operators or Internet information service providers, and no fees of any sort may be collected.

Article 18: Telecommunications management organs and their work personnel shall preserve the secrecy of individual user information they come to learn during the implementation of their duties; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.

Article 19: When telecommunications management organs implement telecommunications business permit or business license inspection, they shall inspect the individual user information protection situation.

Article 20: Telecommunications management organs shall log telecommunications business operators and Internet information service providers violating these Regulations into the social credit dossier and publish it.

Article 21: Telecommunications and Internet sector associations are encouraged to formulate self-discipline-type management structures for individual user information protection according to the law, guide their members into strengthening self-discipline and management, and raise the level of individual user information protection.

Chapter V: Legal liability

Article 22: Where telecommunications business operators and Internet information service providers violate the provisions of Article 8 or Article 12 of these Regulations, the telecommunications management organ orders rectification within a limited time or issues a warning according to its duties, and may also impose a fine of 10,000 Yuan or less.

Article 23: Where telecommunications business operators and Internet information service providers violate the provisions of Article 9, Article 10, Article 11, Article 13, Article 14, Article 15, Article 16 or Article 17, Paragraph 2 of these Regulations, the telecommunications management organ orders rectification within a limited time or issues a warning according to its duties, and may also impose a fine of 10,000 Yuan or more but less than 30,000 Yuan; where it constitutes a crime, criminal liability is prosecuted according to the law.

Article 24: Where telecommunications management organ work personnel neglect their duty, abuse their power or engage in irregular favouritism in the process of implementing supervision and management over protection work of individual user information, they are punished according to the law; where it constitutes a crime, criminal liability is prosecuted according to the law.

Chapter VI: Supplementary provisions

Article 25: These Regulations take effect on (day, month, year).
