On 16 July 2013, the Ministry of Industry and Information Technology promulgated the “Telecommunication and Internet User Personal Data Protection Regulations” (People’s Republic of China, Ministry of Industry and Information Technology Decree No. 24). A journalist interviewed Ministry of Industry and Information Technology Politico-Legal Department Inspector Li Guobin, asking him to explain the “Regulations”.
Q: Today, the Ministry of Industry and Information Technology published the “Telecommunication and Internet User Personal Data Protection Regulations”. Could I ask what the significance of publishing the “Regulations” is?
Li Guobin: In recent years, our country’s telecommunications and Internet sectors have developed rapidly, and new technologies and new applications have emerged one after another, which has had a positive effect on economic and social development. At the same time, the risk of users’ personal data leaks and the difficulty of protection have incessantly increased, and legislation to strengthen users’ personal data protection has become an issue that society broadly pays close attention to.
Publishing the “Regulations” can further perfect the protection of users’ personal data in the telecommunications and Internet sectors. At present, a number of telecommunications business operators and Internet information service providers pay insufficient attention to users’ personal data security, security protections are imperfect, management systems are incomplete, data security responsibility is not satisfactorily implemented, there is a need to further perfect the legal system on users’ personal data protection and standardize activities of collection and use of users’ personal data in the process of telecommunications services and Internet information services.
Publishing the “Regulations” also implements the requirements of the NPC Standing Committee “Decision concerning Strengthening Network Information Protection” (hereafter simply named “Decision”). Implementing the “Decision” well relates to the rules on the collection and use of personal data, and corresponding supplementary regulations needed to be rolled out. Formulating the “Regulations” further clarifies the rules for the collection and use of users’ personal data by telecommunications business operators and Internet information service providers, data security protection measures, etc., it is a structure and a measure that implements the NPC Standing Committee “Decision” and the requirement of realistically protecting users’ lawful rights and interests.
Q: Can you tell us something about the formulation process of the “Regulations”?
Li Guobin: In May 2012, the Ministry of Industry and Information Technology started legislation research and drafting work for the “Regulations”. During the drafting process, we went to Jilin, Guangdong, Sichuan and other places for investigation and research, repeatedly sought written opinions from departments and bureaus related to ministerial organs, all provincial (autonomous region, municipal) telecommunication management bureaus, basic telecommunications enterprises and Internet enterprises concerning the “Regulations (Opinion-Seeking Draft)”, organized and convened legislative conferences that provincial-level telecommunications management bureaus, basic telecommunications enterprises and Internet enterprises participated in, and openly sought opinions through the State Council Legal Affairs Office “Chinese Government Legal System Information Web” and our Ministry’s website. Through opinion-seeking, all areas of society granted vigorous affirmation to the formulation of the “Regulations”, and there was no disagreement on the basis of principle. On the basis of fully hearing opinions from all sides and further perfecting relevant rules, we shaped the “Regulations (Draft)”.
On 28 June 2013, our Ministry’s 2nd ministerial meeting deliberated and passed the “Regulations”. On 16 July, the Ministry of Industry and Information Technology Decree No. 24 promulgated the “Regulations”. The “Regulations” will take effect on 1 September.
Q: Can you tell us something about the positions of the “Regulations” concerning personal user data protection management work?
Li Guobin: The NPC Standing Committee “Decision” defined “citizens’ personal electronic data”, and clarified the principles and corresponding rules for the collection and use of data.
At present, the situation that personal data is collected and used exists commonly in all sectors, corresponding data protection work also touches upon many departments, our Ministry is not responsible for managing all personal data. The “Regulations” are based on relevant provisions of the “Decision”, and have a footing on our Ministry’s management responsibilities for the telecommunications and Internet sector, they have stipulated the scope of personal user data where our Ministry has responsibility for supervision and management using the method of “summary plus enumeration”, which is: data that can distinguish the user as well as data on users’ use of services that is collected by telecommunications business operators and Internet information service providers in the process of providing services, including users’ names, dates of birth, identity card number, address, telephone number, account number, password and other data that can identify the user independently or in combination with other data, as well as the time and place where users use services, etc.
Q: Can you tell us something about the main content of the “Regulations”?
Li Guobin: The “Regulations” contain six chapters, 25 Articles, and mainly provide for the following content:
(1) The scope of protection for personal user data in telecommunications and on the Internet. The “Regulations” are based on the relevant provisions of the NPC Standing Committee “Decision”, and clearly require the protection of users’ names, dates of birth, identity card number, address, telephone number, account number, password and other data with which the identity of the user can be distinguished independently or in combination with other data, as well as the time and place of the user using the service and other data, collected by telecommunications business operators and Internet information service providers in the process of providing services.
(2) The principles for collection and use of personal user data. The “Regulations” are based on the provisions of the NPC Standing Committee “Decision”, and require that telecommunications business operators and Internet information service providers shall abide by the principles of legality, propriety and necessity when collecting and using personal user data, and are responsible for the security of personal user data.
(3) The principles for collection and use of personal user data. The “Regulations” require that telecommunications business operators and Internet information service providers abide by the following principles in collecting and using data: formulating and publishing their data collection and use rules; personal user data may not be collected or used without user permission; clearly notifying users about the purpose, method, scope and other matters concerning collection and use of data; personal user data outside of the requirements for providing services may not be collected; when users end their use of the services, they shall cease the collection and use of personal user data, and provide services to cancel numbers or accounts; personal user data may not be leaked, altered, damaged, sold or illegally provided to other persons, etc.
(4) Agency management. On the basis of the principle of “who operates, is responsible, who entrusts, is responsible”, and on the basis of the rules on entrustment and agency in civil law, the “Regulations” clearly provide that telecommunications business operators and Internet information service providers are responsible for the management of personal data protection work by their agents. The “Regulations” require that: telecommunications business operators and Internet information service providers entrusting other persons to act as agent in market sales, technological services and other service-type work directly aimed at users, which involves the collection or use of personal user data, shall implement supervision and management over the personal user data protection work of the agent, they may not entrust agents who do not conform to personal user data protection requirements to act as agent in handling related services.
(5) Security protection rules. The “Regulations” clarified the measures that telecommunications business operators and Internet information service providers shall adopt to prevent leaks of, damage or harm to, or loss of personal user data from the angles of post responsibility, management systems, competency management, storage media, information systems, operational records, security prevention, etc. At the same time, the “Regulations” made corresponding provisions for self-inspection of the personal user data protection situation, training and other structures.
(6) Supervision and inspection systems. The “Regulations” require that telecommunications management organs conduct supervision and inspection of the personal user data protection situation, telecommunications business organs and Internet information service providers shall cooperate with this. The “Regulations” also clearly provide that telecommunications management organs shall inspect the personal user data protection situation during licensing and annual inspection, acts violating the “Regulations” by telecommunications business operators and Internet information service providers are listed in their social credit report.
Q: Some people believe that the punitive power of the “Regulations” is limited. How has the issue of an overly low punitive power been resolved in designing the structures?
Li Guobin: Just like you said, in the process of seeking opinions, there were in fact opinions that believed that the fine amounts established in the “Regulations” were overly low, punitive strength was overly low, it did not benefit the punishment and prevention of unlawful acts infringing personal user data, they suggested an increase of punitive power. On the basis of the “Administrative Punishment Law” and relevant State Council Provisions, departmental regulations can only establish warnings and fines of a maximum amount of 30.000 Yuan. The “Regulations” abide by the above provisions, and establish warnings and fines of 30.000 Yuan or less for corresponding unlawful acts. At the same time, in order to effectively prevent and attack corresponding unlawful activities, we have also vigorously innovated management measures, and have, at the same time as establishing corresponding punishments within the extent provided by law, established “call stop” systems, administrative punishment structures of “publication to society” and systems to “enter unlawful acts into social credit dossiers” in order to stop unlawful acts. We believe that comprehensive use of the above management systems and punitive measures will be able to effectively restrain unlawful acts infringing personal user data.