MIIT promulgates regulations on data protection for telephone, telecommunications and Internet services.
On 16 July, the Ministry of Industry and Information Technology (MIIT) promulgated two new regulations: the Telecommunications and Internet Personal User Data Protection Regulations and the Telephone User Real Identity Information Registration Regulations. These measures had been made available for public consultation in April (see: telecommunications, telephone).
On the telecommunications side, the draft has not been significantly altered in most respects. The majority of changes are language clarifications and do not impose new entitlements or obligations. The following points, however, are noteworthy.
- In Article 9, the obligation of telecommunications businesses (TBs) and Internet service providers (ISPs) to notify users about the duration of information preservation is removed.
- The same Article obliges TBs and ISPs to cease collection and use of personal data after the termination of services, and must provide means to close accounts to users.
- In Article 13(5), the obligation to conduct regular security risk assessments is replaced by the obligation to adopt anti-hacking, anti-virus and other measures.
- In Article 14, the role of administrative offices in dealing with information leaks or damage is expanded. This Article institutes a provision whereby provincial administrative departments must report grave instances to MIIT, and may demand TBs and ISPs to take preliminary measures before administrative procedures are completed.
- In Article 16, the duty of TBs and ISPs to self-inspect data protection measures is specified, it must take place one annually.
- The administrative punishment of making the unlawful activities of enterprises public is added.
The latter four points are present as well in the Regulations on telephone user information. Furthermore, the following updates are made to the telephone regulations in comparison with the earlier draft:
- The requirement to collect personal information when upgrading telephone service is dropped from Article 3.
- Article 4, which outlines administrative responsibilities of central and local departments is greatly simplified.
- A letter of entrustment from the user is no longer necessary in cases of agency for connection. (Article 6)
- TBs may not increase users’ obligations without authorizations when upgrading services. (Article 20)