Explaining the “Telecommunication and Internet User Personal Data Protection Regulations”.


On 16 July 2013, the Ministry of Industry and Information Technology promulgated the “Telecommunication and Internet User Personal Data Protection Regulations” (People’s Republic of China, Ministry of Industry and Information Technology Decree No. 24). A journalist interviewed Ministry of Industry and Information Technology Politico-Legal Department Inspector Li Guobin, asking him to explain the “Regulations”.

Q: Today, the Ministry of Industry and Information Technology published the “Telecommunication and Internet User Personal Data Protection Regulations”, could I ask what the significance of publishing the “Regulations” is?

Li Guobin: In recent years, our country’s telecommunications and Internet sectors have developed rapidly, and new technologies and new applications emerge one after another, which has had a positive effect on economic and social development. At the same time, the risk of users’ personal data leaks and the difficulty of protection have incessantly increased, and legislation to strengthen users’ personal data protection has become an issue that society broadly pays close attention to.

Publishing the “Regulations” can further perfect the protection of users’ personal data in the telecommunications and Internet sectors. At present, a number of telecommunications business operators and Internet information service providers pay insufficient attention to users’ personal data security, security protections are imperfect, management systems are incomplete, and data security responsibility is not satisfactorily implemented; there is a need to further perfect the legal system on users’ personal data protection and standardize activities of collection and use of users’ personal data in the process of telecommunications services and Internet information services.

Publishing the “Regulations” also implements the requirements of the NPC Standing Committee “Decision concerning Strengthening Network Information Protection” (hereafter simply named “Decision”). Implementing the “Decision” well relates to the rules on the collection and use of personal data, and corresponding supplementary regulations needed to be rolled out. Formulating the “Regulations” further clarifies the rules for the collection and use of users’ personal data by telecommunications business operators and Internet information service providers, data security protection measures, etc.; it is a structure and a measure that implements the NPC Standing Committee “Decision” and the requirement of realistically protecting users’ lawful rights and interests.

Q: Can you tell us something about the formulation process of the “Regulations”?

Li Guobin: In May 2012, the Ministry of Industry and Information Technology started legislation research and drafting work for the “Regulations”. During the drafting process, we went to Jilin, Guangdong, Sichuan and other places for investigation and research, repeatedly sought written opinions on the “Regulations (Opinion-Seeking Draft)” from departments and bureaus related to ministerial organs, all provincial (autonomous region, municipal) telecommunication management bureaus, basic telecommunications enterprises and Internet enterprises, organized and convened legislative conferences in which provincial-level telecommunications management bureaus, basic telecommunications enterprises and Internet enterprises participated, and openly sought opinions from society through the State Council Legal Affairs Office “Chinese Government Legal System Information Web” and our Ministry’s website. Through opinion-seeking, all areas of society granted vigorous affirmation to the formulation of the “Regulations”, and there was no disagreement on the basis of principle. On the basis of fully hearing opinions from all sides and further perfecting relevant rules, we shaped the “Regulations (Draft)”.

On 28 June 2013, our Ministry’s 2nd ministerial meeting deliberated and passed the “Regulations”. On 16 July, Ministry of Industry and Information Technology Decree No. 24 promulgated the “Regulations”. The “Regulations” will take effect on 1 September.

Q: Can you tell us something about the positions of the “Regulations” concerning personal user data protection management work?

Li Guobin: The NPC Standing Committee “Decision” defined “citizens’ personal electronic data”, and clarified the principles and corresponding rules for the collection and use of data.

At present, the situation that personal data is collected and used exists commonly in all sectors, and corresponding data protection work also touches upon many departments; our Ministry is not responsible for managing all personal data. The “Regulations” are based on relevant provisions of the “Decision”, and have a footing on our Ministry’s management responsibilities for the telecommunications and Internet sector; they have stipulated the scope of personal user data where our Ministry has responsibility for supervision and management using the method of “summary plus enumeration”, which is: data that can distinguish the user as well as data on users’ use of services that is collected by telecommunications business operators and Internet information service providers in the process of providing services, including users’ names, dates of birth, identity card number, address, telephone number, account number, password and other data that can identify the user independently or in combination with other data, as well as the time and place where users use services, etc.

Q: Can you tell us something about the main content of the “Regulations”?

Li Guobin: The “Regulations” contain six chapters, 25 Articles, and mainly provide for the following content:

(1) The scope of protection for personal user data in telecommunications and on the Internet. The “Regulations” are based on the relevant provisions of the NPC Standing Committee “Decision”, and clearly require the protection of users’ names, dates of birth, identity card number, address, telephone number, account number, password and other data with which the identity of the user can be distinguished independently or in combination with other data, as well as the time and place of the user using the service and other data, collected by telecommunications business operators and Internet information service providers in the process of providing services.

(2) The principles for collection and use of personal user data. The “Regulations” are based on the provisions of the NPC Standing Committee “Decision”, and require that telecommunications business operators and Internet information service providers shall abide by the principles of legality, propriety and necessity when collecting and using personal user data, and are responsible for the security of personal user data.

(3) The rules for collection and use of personal user data. The “Regulations” require that telecommunications business operators and Internet information service providers abide by the following rules in collecting and using data: formulating and publishing their data collection and use rules; personal user data may not be collected or used without user permission; clearly notifying users about the purpose, method, scope and other matters concerning collection and use of data; personal user data outside of the requirements for providing services may not be collected; when users end their use of the services, they shall cease the collection and use of personal user data, and provide services to cancel numbers or accounts; personal user data may not be leaked, altered, damaged, sold or illegally provided to other persons, etc.

(4) Agency management. On the basis of the principles of “whoever operates is responsible” and “whoever entrusts is responsible”, and on the basis of the rules on entrustment and agency in civil law, the “Regulations” clearly provide that telecommunications business operators and Internet information service providers are responsible for the management of personal data protection work by their agents. The “Regulations” require that telecommunications business operators and Internet information service providers entrusting other persons to act as agent in market sales, technological services and other service-type work directly aimed at users, which involves the collection or use of personal user data, shall implement supervision and management over the personal user data protection work of the agent, and they may not entrust agents who do not conform to personal user data protection requirements to act as agent in handling related services.

(5) Security protection rules. The “Regulations” clarified the measures that telecommunications business operators and Internet information service providers shall adopt to prevent leaks of, damage or harm to, or loss of personal user data from the angles of post responsibility, management systems, competency management, storage media, information systems, operational records, security prevention, etc. At the same time, the “Regulations” made corresponding provisions for self-inspection of the personal user data protection situation, training and other structures.

(6) Supervision and inspection systems. The “Regulations” require that telecommunications management organs conduct supervision and inspection of the personal user data protection situation, and telecommunications business operators and Internet information service providers shall cooperate with this. The “Regulations” also clearly provide that telecommunications management organs shall inspect the personal user data protection situation during licensing and annual inspection, and that acts violating the “Regulations” by telecommunications business operators and Internet information service providers are listed in their social credit report.

Q: Some people believe that the punitive power of the “Regulations” is limited. How has the issue of an overly low punitive power been resolved in designing the structures?

Li Guobin: Just like you said, in the process of seeking opinions, there were in fact opinions that believed that the fine amounts established in the “Regulations” were overly low and punitive strength was overly low, that it did not benefit the punishment and prevention of unlawful acts infringing personal user data, and they suggested an increase of punitive power. On the basis of the “Administrative Punishment Law” and relevant State Council provisions, departmental regulations can only establish warnings and fines of a maximum amount of 30,000 yuan. The “Regulations” abide by the above provisions, and establish warnings and fines of 30,000 yuan or less for corresponding unlawful acts. At the same time, in order to effectively prevent and attack corresponding unlawful activities, we have also vigorously innovated management measures, and have, at the same time as establishing corresponding punishments within the extent provided by law, established “call stop” systems, administrative punishment structures of “publication to society” and systems to “enter unlawful acts into social credit dossiers” in order to stop unlawful acts. We believe that comprehensive use of the above management systems and punitive measures will be able to effectively restrain unlawful acts infringing personal user data.

Interpretation of the “Telecommunication and Internet User Personal Data Protection Regulations”
On 16 July 2013, the Ministry of Industry and Information Technology published the “Telecommunication and Internet User Personal Data Protection Regulations” (Ministry of Industry and Information Technology of the People’s Republic of China Decree No. 24). A journalist interviewed Li Guobin, Inspector of the Ministry’s Policy and Law Department, on the “Regulations” and asked him to explain them.

Journalist: Recently, the Ministry of Industry and Information Technology issued the “Telecommunication and Internet User Personal Data Protection Regulations”. What is the significance of issuing the “Regulations”?

Li Guobin: In recent years, our country’s telecommunications and Internet sectors have developed rapidly, with new technologies and new applications emerging one after another, which has played a positive role in promoting economic and social development. At the same time, the risk of leaks of users’ personal data and the difficulty of protecting it have continually grown, and legislation to strengthen the protection of users’ personal data has become an issue of broad public concern.

Issuing the “Regulations” can further improve the personal data protection system in the telecommunications and Internet sectors. At present, some telecommunications business operators and Internet information service providers pay insufficient attention to the security of users’ personal data, their security protection measures are imperfect, their management systems are unsound, and responsibility for data security is not properly implemented; the legal system for protecting users’ personal data needs to be further improved, and the collection and use of users’ personal data in the course of telecommunications services and Internet information services needs to be standardized.

Issuing the “Regulations” is also necessary to implement the NPC Standing Committee “Decision concerning Strengthening Network Information Protection” (hereafter the “Decision”). Properly implementing the rules of the “Decision” on the collection and use of personal data requires supporting regulations to be issued. Formulating the “Regulations” further clarifies the rules for the collection and use of users’ personal data by telecommunications business operators and Internet information service providers, the measures to safeguard data security, and so on; it is what the systems and measures prescribed in the NPC Standing Committee “Decision”, and the requirement to effectively protect users’ lawful rights and interests, demand.

Journalist: Could you describe the process of formulating the “Regulations”?

Li Guobin: In May 2012, the Ministry of Industry and Information Technology launched legislative research and drafting work for the “Regulations”. During drafting, we went to Jilin, Guangdong, Sichuan and other places for investigation and research, repeatedly sought written opinions on the “Regulations (Draft for Comment)” from the relevant departments and bureaus of the Ministry, the telecommunications management bureaus of all provinces (autonomous regions and municipalities), basic telecommunications enterprises and Internet enterprises, organized legislative symposiums attended by provincial-level telecommunications management bureaus, basic telecommunications enterprises and Internet enterprises, and publicly solicited opinions from society through the State Council Legislative Affairs Office’s “China Government Legal Information Network” and our Ministry’s web portal. Through this consultation, all sectors of society affirmed the formulation of the “Regulations”, and there were no differences of opinion on matters of principle. Having fully heard the opinions of all sides and further improved the relevant systems, we produced the “Regulations (Draft)”.

On 28 June 2013, the Ministry’s 2nd ministerial meeting deliberated and adopted the “Regulations”. On 16 July, the “Regulations” were promulgated as Ministry of Industry and Information Technology Decree No. 24. The “Regulations” will take effect on 1 September.

Journalist: Could you describe how the “Regulations” position the management of users’ personal data protection?

Li Guobin: The NPC Standing Committee “Decision” defined “citizens’ personal electronic data” and clarified the principles and related rules for the collection and use of data.

At present, the collection and use of personal data is common across all sectors, and the corresponding data protection work involves many departments; our Ministry is not responsible for managing all personal data. Based on the relevant provisions of the “Decision” and grounded in our Ministry’s responsibility for managing the telecommunications and Internet sectors, the “Regulations” define, by way of “a general definition plus enumeration”, the scope of users’ personal data that our Ministry is responsible for supervising and managing, namely: data that can identify the user, and data on the user’s use of services, collected by telecommunications business operators and Internet information service providers in the course of providing services, including users’ names, dates of birth, identity document numbers, addresses, telephone numbers, account numbers, passwords and other data that can identify the user alone or in combination with other data, as well as the time, place and other data of the user’s use of the services.

Journalist: Could you describe the main content of the “Regulations”?

Li Guobin: The “Regulations” comprise six chapters and 25 articles, and mainly provide for the following:

(1) The scope of protection of telecommunications and Internet users’ personal data. Based on the relevant provisions of the NPC Standing Committee “Decision”, the “Regulations” expressly require the protection of “users’ names, dates of birth, identity document numbers, addresses, telephone numbers, account numbers, passwords and other data that can identify the user alone or in combination with other data, as well as the time, place and other data of the user’s use of the services, collected by telecommunications business operators and Internet information service providers in the course of providing services”.

(2) Principles for the collection and use of users’ personal data. In accordance with the NPC Standing Committee “Decision”, the “Regulations” require telecommunications business operators and Internet information service providers to follow the principles of legality, propriety and necessity when collecting and using users’ personal data, and to be responsible for the security of that data.

(3) Rules for the collection and use of users’ personal data. The “Regulations” require telecommunications business operators and Internet information service providers to comply with the following rules on data collection and use: formulate and publish their rules on data collection and use; do not collect or use users’ personal data without the user’s consent; clearly inform users of the purpose, method, scope and other matters concerning the collection and use of data; do not collect users’ personal data beyond what is necessary to provide the service; after a user stops using the service, stop collecting and using the user’s personal data and provide a service for cancelling the number or account; and do not leak, tamper with, damage, sell or illegally provide users’ personal data to others.

(4) Agent management. Following the principles of “whoever operates is responsible” and “whoever entrusts is responsible”, and based on the civil-law system of entrusted agency, the “Regulations” expressly provide that telecommunications business operators and Internet information service providers are responsible for managing the personal data protection work of their agents. The “Regulations” require that where telecommunications business operators and Internet information service providers entrust others to act as agents in market sales, technical services and other service work aimed directly at users that involves the collection or use of users’ personal data, they shall supervise and manage the agent’s protection of users’ personal data, and may not entrust agents who do not meet the requirements of the “Regulations” on the protection of users’ personal data to handle the related services.

(5) Security safeguard system. The “Regulations” specify, in terms of post responsibilities, management systems, access rights management, storage media, information systems, operation records, security protection and other aspects, the measures that telecommunications business operators and Internet information service providers shall take to prevent the leakage, damage, tampering or loss of users’ personal data. At the same time, the “Regulations” make corresponding provisions for systems such as self-inspection of the state of users’ personal data protection and training.

(6) Supervision and inspection system. The “Regulations” require telecommunications management organs to supervise and inspect the protection of users’ personal data, and telecommunications business operators and Internet information service providers shall cooperate. The “Regulations” also expressly provide that telecommunications management organs shall examine the state of users’ personal data protection during telecommunications business licensing and annual inspection, and shall record violations of the “Regulations” by telecommunications business operators and Internet information service providers in their social credit files.

Journalist: Some believe that the penalties in the “Regulations” are limited. How does the design of the “Regulations” address the problem of penalties being too light?

Li Guobin: As you say, during the consultation there were indeed opinions that the fines set in the “Regulations” were too low and the penalties too light, that this was not conducive to punishing and preventing unlawful acts that infringe users’ personal data, and that the penalties should be increased. Under the “Administrative Punishment Law” and the relevant provisions of the State Council, departmental rules may only set warnings and fines of at most 30,000 yuan. The “Regulations” follow these provisions and set warnings and fines of up to 30,000 yuan for the relevant unlawful acts. At the same time, to effectively prevent and combat such unlawful acts, we have also actively innovated in management methods: alongside setting the relevant penalties within the limits prescribed by law, we have established a “call stop” system to prevent the harm of unlawful acts from spreading, a system of “public announcement” of administrative punishments, and a system of “recording unlawful acts in social credit files”. We believe that the comprehensive use of the above management systems and punitive measures can effectively curb unlawful acts that infringe users’ personal data.
