Telecommunications and Internet Personal User Data Protection Regulations


This translation tracks the changes between the earlier opinion-seeking draft and this final version. Underlined sections are reformulations or additions, sections that are crossed out are sections from the opinion-seeking draft that have been deleted. 

People’s Republic of China, Ministry of Industry and Information Technology Decree

No. 24

The “Telecommunications and Internet Personal User Data Protection Regulations” were deliberated and passed on 28 June 2013, at the 2nd ministerial meeting of the Ministry of Industry and Information Technology of the People’s Republic of China, are hereby promulgated, and will take effect on 1 September 2013.

Minister: Miao Wei

16 July 2013

Chapter I: General principles

Article 1: In order to protect the lawful rights and interests of telecommunications and Internet users, safeguard network information security, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection”, and the “Telecommunications Regulations of the People’s Republic of China”, the “Internet Information Service Management Rules” and other laws and administrative regulations, these Regulations are formulated.

Article 2: These Regulations apply to the collection and use of personal user data in the process of providing telecommunications services and Internet information services within the borders of the People’s Republic of China.

Article 3: The Ministry of Industry and Information Technology and all provincial, autonomous region and municipal telecommunications management bureaus (hereafter jointly named telecommunications management organs) implement supervision and management over telecommunications and Internet users’ personal data protection work according to the law.

Article 4: Personal user data, as named in these Regulations, refers to users’ names, dates of birth, identity card numbers, addresses, telephone numbers, account numbers, passwords and other information with which the identity of the user can be distinguished independently or in combination with other information, as well as the time and place of the user’s use of the service and other information, collected by telecommunications business operators and Internet information service providers in the process of providing services.

Article 5: Telecommunications business operators and Internet information service providers that collect and use personal user data in the process of providing services, shall abide by the principles of legality, propriety and necessity.

Article 6: Telecommunications business operators and Internet information service providers are responsible for the security of personal user data collected and used in the process of providing services.

Article 7: The State encourages the telecommunications and internet sector to launch personal user data protection self-discipline work.

Chapter II: The scope of information collection and use

Article 8: Telecommunications business operators and Internet information service providers shall formulate personal user data collection and use rules, and publish these in their business or service premises, on their websites, etc.

Article 9: Without user permission, telecommunications business operators and Internet information service providers may not collect or use personal user data.

Where telecommunications business operators and Internet information service providers collect and use personal user data, they shall clearly notify users about the objective, method and scope of information collection and use, the period of information preservation, the channels to consult and correct information, as well as the consequences for refusing to provide information and other matters.

Telecommunications business operators and Internet information service providers may not collect personal user data other than that necessary for the provision of service, or use information for purposes other than the provision of service; they may not collect or use information through fraud, misleading, coercion or other such methods, or in violation of laws, administrative regulations or the contract between both sides.

Telecommunications business operators and Internet information service providers shall, after users end their use of the telecommunications service or Internet information service, cease the collection and use of personal user data, and provide number or account cancellation services to users.

Where laws and administrative regulations provide otherwise in regard to the provisions of Paragraphs 1 to 4 of this Article, those provisions are to be followed.

Article 10: Telecommunications business operators and Internet information service providers, and their work personnel, shall strictly preserve the secrecy of personal user data collected in the process of service provision; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.

Article 11: Where telecommunications business operators and Internet information service providers entrust other persons to act as agents in market sales, technological services and other service-type work directly aimed at users, and this involves the collection or use of personal user data, they shall implement supervision and management over the personal user data protection work of the agent; they may not entrust agents who do not conform to personal user data protection requirements to handle related services on their behalf.

Article 12: Telecommunications business operators and Internet information service providers shall establish user complaint handling mechanisms, publish effective contact methods, accept complaints related to the protection of personal user data, and answer complaints within 15 days of receiving a complaint.

Chapter III: Security protection measures

Article 13: Telecommunications business operators and Internet information service providers shall adopt the following measures to prevent leaks of, damage to or loss of personal user data:

(1) defining the personal user data security management duties of departments, positions and branch organs;

(2) establishing workflow and security management systems for personal user data collection, use and related activities;

(3) implementing permission management over work personnel and agents, conducting review of the bulk export, copying and destruction of information, and adopting anti-leak measures;

(4) appropriately taking care of the paper, optical, electromagnetic and other carriers that record personal user data, and adopting corresponding secure storage measures;

(5) implementing access review of the information systems storing personal user data, regularly conducting security risk assessments, and adopting anti-hacking, anti-virus and other measures;

(6) adopting telecommunications network security prevention measures according to the provisions of telecommunications management organs, and recording information such as the persons, time, location, individual items, etc., of operations performed on personal user data;

(7) launching telecommunications network security prevention work according to the regulations of telecommunications management organs;

(8) other necessary measures provided by telecommunications management organs.

Article 14: Where leaks, damage or loss of personal user data under the care of telecommunications business operators or Internet information service providers occurs or may occur, they shall immediately adopt remedial measures; where grave consequences are created or may be created, they shall immediately report this to the telecommunications management organ that issued their permit or filing, and cooperate with the investigation and handling conducted by the corresponding departments.

Telecommunications management organs shall evaluate the influence of reported or discovered acts that may violate these Regulations; where the influence is especially grave, the corresponding provincial, autonomous region or municipal telecommunications management bureau shall report the matter to the Ministry of Industry and Information Technology. Telecommunications management organs may, before making a handling decision on the basis of these Regulations, require the telecommunications business operator or Internet information service provider to provisionally cease the related act; the telecommunications business operator or Internet information service provider shall implement this.

Article 15: Telecommunications business operators and Internet information service providers shall conduct training for their work personnel on knowledge, skills and security duties related to personal user data protection.

Article 16: Telecommunications business operators and Internet information service providers shall conduct self-inspection of the personal user data protection situation at least once every year, record the self-inspection results, and timely eliminate the security threats discovered through self-inspection.

Chapter IV: Supervision and inspection

Article 17: Telecommunications management organs shall implement supervision and inspection of the situation of telecommunications business operators and Internet information service providers protecting personal user data.

When telecommunications management organs implement supervision and inspection, they may require telecommunications business operators and Internet information service providers to provide relevant material, and enter their production or business venues to investigate the situation; telecommunications business operators and Internet information service providers shall cooperate with this.

When telecommunications management organs implement supervision and inspection, they shall record the supervision and inspection situation, may not hamper the regular business or service activities of telecommunications business operators or Internet information service providers, and may not collect fees of any sort.

Article 18: Telecommunications management organs and their work personnel shall preserve the secrecy of personal user data they come to learn during the performance of their duties; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.

Article 19: When telecommunications management organs implement telecommunications business permit or business license inspection, they shall inspect the personal user data protection situation.

Article 20: Telecommunications management organs shall log acts by telecommunications business operators and Internet information service providers that violate these Regulations into their social credit dossiers and publish them.

Article 21: Telecommunications and Internet sector associations are encouraged to formulate self-discipline-type management structures for personal user data protection according to the law, guide their members into strengthening self-discipline and management, and raise the level of personal user data protection.

Chapter V: Legal liability

Article 22: Where telecommunications business operators and Internet information service providers violate the provisions of Article 8 or Article 12 of these Regulations, the telecommunications management organ orders rectification within a time limit and issues a warning according to its powers, and may also impose a fine of 10,000 yuan or less.

Article 23: Where telecommunications business operators and Internet information service providers violate the provisions of Articles 9 to 11, Articles 13 to 16, or Article 17, Paragraph 2 of these Regulations, the telecommunications management organ orders rectification within a time limit and issues a warning according to its powers, may also impose a fine of 10,000 yuan or more but less than 30,000 yuan, and announces this to the public; where it constitutes a crime, criminal liability is prosecuted according to the law.

Article 24: Where telecommunications management organ work personnel neglect their duties, abuse their powers or engage in favouritism and irregularities in the process of implementing supervision and management over personal user data protection work, they are punished according to the law; where it constitutes a crime, criminal liability is prosecuted according to the law.

Chapter VI: Supplementary provisions

Article 25: These Regulations take effect on 1 September 2013.

People’s Republic of China, Ministry of Industry and Information Technology Decree

No. 24
The “Telecommunications and Internet Personal User Data Protection Regulations” were deliberated and passed on 28 June 2013 at the 2nd ministerial meeting of the Ministry of Industry and Information Technology of the People’s Republic of China, are hereby promulgated, and take effect on 1 September 2013.

Minister: Miao Wei
16 July 2013

Telecommunications and Internet Personal User Data Protection Regulations

Chapter I: General principles

Article 1: These Regulations are formulated in order to protect the lawful rights and interests of telecommunications and Internet users and safeguard network information security, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection”, the “Telecommunications Regulations of the People’s Republic of China”, the “Internet Information Service Management Rules” and other laws and administrative regulations.

Article 2: These Regulations apply to activities of collecting and using personal user data in the process of providing telecommunications services and Internet information services within the borders of the People’s Republic of China.

Article 3: The Ministry of Industry and Information Technology and the communications management bureaus of all provinces, autonomous regions and directly administered municipalities (hereafter jointly named telecommunications management organs) implement supervision and management over telecommunications and Internet personal user data protection work according to the law.

Article 4: Personal user data as named in these Regulations refers to users’ names, dates of birth, identity document numbers, addresses, telephone numbers, account numbers, passwords and other information with which the user can be identified independently or in combination with other information, as well as the time, place and other information of the user’s use of the service, collected by telecommunications business operators and Internet information service providers in the process of providing services.

Article 5: Telecommunications business operators and Internet information service providers that collect and use personal user data in the process of providing services shall abide by the principles of legality, propriety and necessity.

Article 6: Telecommunications business operators and Internet information service providers are responsible for the security of the personal user data they collect and use in the process of providing services.

Article 7: The State encourages the telecommunications and Internet sectors to launch personal user data protection self-discipline work.

Chapter II: Norms for information collection and use

Article 8: Telecommunications business operators and Internet information service providers shall formulate personal user data collection and use rules, and publish these in their business or service premises, on their websites, etc.

Article 9: Without user consent, telecommunications business operators and Internet information service providers may not collect or use personal user data.

Where telecommunications business operators and Internet information service providers collect and use personal user data, they shall clearly notify users of the objective, method and scope of information collection and use, the channels to consult and correct information, the consequences of refusing to provide information, and other matters.

Telecommunications business operators and Internet information service providers may not collect personal user data other than that necessary for the provision of services, or use information for purposes other than the provision of services; they may not collect or use information through fraud, misleading, coercion or other such methods, or in violation of laws, administrative regulations or the agreement between both sides.

Telecommunications business operators and Internet information service providers shall, after users terminate their use of the telecommunications service or Internet information service, cease the collection and use of personal user data, and provide number or account cancellation services to users.

Where laws and administrative regulations provide otherwise for the circumstances in Paragraphs 1 to 4 of this Article, those provisions are followed.

Article 10: Telecommunications business operators and Internet information service providers, and their work personnel, shall strictly preserve the secrecy of personal user data collected and used in the process of service provision; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.

Article 11: Where telecommunications business operators and Internet information service providers entrust other persons to act as agents in market sales, technical services and other service-type work directly aimed at users, and this involves the collection or use of personal user data, they shall supervise and manage the agents’ personal user data protection work, and may not entrust agents who do not conform to the personal user data protection requirements of these Regulations to handle related services on their behalf.

Article 12: Telecommunications business operators and Internet information service providers shall establish user complaint handling mechanisms, publish effective contact methods, accept complaints related to personal user data protection, and reply to the complainant within 15 days of receiving a complaint.

Chapter III: Security protection measures

Article 13: Telecommunications business operators and Internet information service providers shall adopt the following measures to prevent leaks of, damage to, distortion of or loss of personal user data:

(1) defining the personal user data security management duties of all departments, positions and branch organs;

(2) establishing workflows and security management systems for personal user data collection, use and related activities;

(3) implementing permission management over work personnel and agents, conducting review of the bulk export, copying and destruction of information, and adopting anti-leak measures;

(4) appropriately taking care of the paper, optical, electromagnetic and other media that record personal user data, and adopting corresponding secure storage measures;

(5) implementing access review of the information systems storing personal user data, and adopting anti-intrusion, anti-virus and other measures;

(6) recording the persons, time, location, items and other information of operations performed on personal user data;

(7) launching communications network security protection work according to the provisions of telecommunications management organs;

(8) other necessary measures provided by telecommunications management organs.

Article 14: Where leaks, damage or loss of personal user data under the care of telecommunications business operators or Internet information service providers occurs or may occur, they shall immediately adopt remedial measures; where grave consequences are created or may be created, they shall immediately report this to the telecommunications management organ that granted their permit or filing, and cooperate with the investigation and handling conducted by the relevant departments.

Telecommunications management organs shall evaluate the influence of reported or discovered acts that may violate these Regulations; where the influence is especially grave, the relevant provincial, autonomous region or municipal communications management bureau shall report the matter to the Ministry of Industry and Information Technology. Before making a handling decision on the basis of these Regulations, telecommunications management organs may require telecommunications business operators and Internet information service providers to suspend the related act; telecommunications business operators and Internet information service providers shall implement this.

Article 15: Telecommunications business operators and Internet information service providers shall conduct training for their work personnel on knowledge, skills and security duties related to personal user data protection.

Article 16: Telecommunications business operators and Internet information service providers shall conduct self-inspection of the personal user data protection situation at least once every year, record the self-inspection situation, and timely eliminate security hazards discovered during self-inspection.

Chapter IV: Supervision and inspection

Article 17: Telecommunications management organs shall implement supervision and inspection of the situation of telecommunications business operators and Internet information service providers protecting personal user data.

When telecommunications management organs implement supervision and inspection, they may require telecommunications business operators and Internet information service providers to provide relevant material, and enter their production and business premises to investigate the situation; telecommunications business operators and Internet information service providers shall cooperate with this.

When telecommunications management organs implement supervision and inspection, they shall record the supervision and inspection situation, may not hamper the regular business or service activities of telecommunications business operators or Internet information service providers, and may not collect fees of any sort.

Article 18: Telecommunications management organs and their work personnel shall preserve the secrecy of personal user data they come to know while performing their duties; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.

Article 19: When telecommunications management organs implement telecommunications business permit approval and annual inspection of business permits, they shall review the personal user data protection situation.

Article 20: Telecommunications management organs shall record acts by telecommunications business operators and Internet information service providers that violate these Regulations in their social credit files and publish them.

Article 21: Telecommunications and Internet sector associations are encouraged to formulate self-discipline-type management systems for personal user data protection according to the law, guide their members to strengthen self-discipline and management, and raise the level of personal user data protection.

Chapter V: Legal liability

Article 22: Where telecommunications business operators and Internet information service providers violate the provisions of Article 8 or Article 12 of these Regulations, the telecommunications management organ, according to its powers, orders rectification within a time limit and issues a warning, and may additionally impose a fine of not more than 10,000 yuan.

Article 23: Where telecommunications business operators and Internet information service providers violate the provisions of Articles 9 to 11, Articles 13 to 16, or Article 17, Paragraph 2 of these Regulations, the telecommunications management organ, according to its powers, orders rectification within a time limit and issues a warning, may additionally impose a fine of not less than 10,000 yuan and not more than 30,000 yuan, and announces this to the public; where a crime is constituted, criminal liability is prosecuted according to the law.

Article 24: Where telecommunications management organ work personnel neglect their duties, abuse their powers or engage in favouritism and irregularities in the process of implementing supervision and management over personal user data protection work, they are dealt with according to the law; where a crime is constituted, criminal liability is prosecuted according to the law.

Chapter VI: Supplementary provisions

Article 25: These Regulations take effect on 1 September 2013.
