Provisions on Protecting the Personal Information of Telecommunications and Internet Users

Release Date: 07-16-2013

Source: Ministry of Information and Information Technology site

Chinese Title: 电信和互联网用户个人信息保护规定

Decree of the Ministry of Industry and Information Technology No. 24

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users, deliberated and adopted at the 2nd executive meeting of the Ministry of Industry and Information Technology on 28 June 2013, are hereby promulgated and shall come into effect on 1 September 2013.

Miao Wei, Minister

16 July 2013

Provisions on Protecting the Personal Information of Telecommunications and Internet Users

Chapter 1 General Provisions

Article 1 For the purposes of protecting the legitimate rights and interests of telecommunications and Internet users, and maintaining the security of network information, these Provisions are formulated pursuant to the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection, Telecommunications Regulations of the People’s Republic of China, Administrative Measures Governing Internet Information Services and other relevant laws and administrative regulations.

Article 2 These Provisions shall apply to the activities of collecting and using the personal information of users in the process of providing telecommunications services and Internet information services within the territory of the People’s Republic of China.

Article 3 The Ministry of Industry and Information Technology and communication administrations of all provinces, autonomous regions and centrally-administered municipalities (hereinafter collectively referred to as the telecommunications authorities) shall exercise supervision and control over the protection of the personal information of telecommunications and Internet users.

Article 4 For the purpose of these Provisions, personal information of users shall refer to the information collected by telecommunications business operators and Internet information service providers in the course of providing services, such as the users’ names, dates of birth, ID numbers, addresses, phone numbers, account numbers, passwords, etc. which may be used to identify them either independently or in combination with other information as well as the time, place, etc. for the use of services by the users.

Article 5 Telecommunications business operators and Internet information service providers shall, in the course of providing services, collect and use the personal information of users in a lawful and proper manner by following the principle that information collection or use is genuinely necessary.

Article 6 Telecommunications business operators and Internet information service providers shall be responsible for the security of the personal information of users collected and used in the course of providing services.

Article 7 The state encourages the telecommunications industry and the Internet industry to exercise self-discipline in protecting the personal information of users.

Chapter 2 Standards for Information Collection and Use

Article 8 Telecommunications business operators and Internet information service providers shall formulate rules on the collection and use of the personal information of users, and publish the same at their business or service premises or websites.

Article 9 Without the consent of users, no telecommunications business operators and Internet information service providers are allowed to collect and use the personal information of users.Telecommunications business operators and Internet information service providers that collect or use the personal information of users shall clearly inform the users of the purposes and methods in the information collection or use, the scope of information collected or used, the channels for inquiring about and correcting information, the consequences of refusing to provide information and other matters.

Telecommunications business operators and Internet information service providers shall neither collect the personal information of users that is not necessary for their provision of services, nor use the personal information of users for purposes other than the provision of services, and shall not collect or use information by deceitful, misleading or coercive means, in violation of laws or administrative regulations, or in breach of the agreements reached by the parties concerned.

Once users terminate the use of telecommunications services or Internet information services, telecommunications business operators and Internet information service providers shall stop the collection and use of the personal information of users, and provide the users with services for deregistering their phone numbers or account numbers.

Where there are provisions otherwise prescribed by laws or administrative regulations on the circumstances listed under Paragraph 1 through Paragraph 4 of this article, such provisions shall prevail.

Article 10 Telecommunications business operators, Internet information service providers and their staff members shall strictly keep confidential the personal information of users collected or used in the course of providing services, and shall not divulge, tamper with, damage, sell or illegally provide others with the same.

Article 11 If collection or use of the personal information of users is involved when a telecommunications business operator or an Internet information service provider entrusts another party to provide users with face-to-face services, such as market sales and technical services, the telecommunications business operator or Internet information service provider shall supervise and administer the protection of the personal information of users by the entrusted party, and shall not entrust any party who is unable to meet the requirements on the protection of the personal information with relevant services.

Article 12 Telecommunications business operators and Internet information service providers shall establish a mechanism for handling the users’ complaints, publish their valid contact details, accept complaints relating to the protection of the personal information of users, and answer the relevant complainants within 15 days upon receipt of the complaints.

Chapter 3 Security Measures

Article 13 A telecommunications business operator or an Internet information service provider shall adopt the following measures to prevent the personal information of users from being divulged, damaged, tampered with or lost:(1) Specify the responsibilities of each department, post and branch for managing the security of the personal information of users;

(2) Establish the work process and the security management system for the collection and use of the personal information of users as well as the activities related thereto;

(3) Exercise the administration over the authority of its staff members and agents, review the export, duplication and destroying of information in batches, and take measures to prevent the leakage of confidential information;

(4) Properly keep the carriers that record the personal information of users, such as paper and optical or magnetic media, and take appropriate measures for safe storage of such information;

(5) Conduct access inspection of the information system in which the personal information of users is stored, and take anti-intrusion, anti-virus and other measures;

(6) Record the information such as the staff members who perform operations on the personal information of users, the time and place of such operations, and the matters involved;

(7) Carry out the work on communications network security protection as required by the telecommunications authorities; and

(8) Take other necessary measures as required by the telecommunications authorities.

Article 14 If the personal information of users kept by a telecommunications business operator or an Internet information service provider has been, or may be, divulged, damaged or lost, the telecommunications business operator or Internet information service provider shall immediately adopt remedial measures, and shall immediately report such case to the telecommunications authorities that have granted license or record-filing, and cooperate with the relevant departments in investigation and handling the case if serious consequences have been or may be caused.The telecommunications authorities shall assess the impact of the activities reported or found which may be in violation of these Provisions; if the impact is particularly significant, the communications administration of the relevant province, autonomous region or centrally-administered municipality shall report such case to the Ministry of Industry and Information Technology.

Before making a decision on the handling of a case in accordance with these Provisions, the telecommunications authorities may order the relevant telecommunications business operator or Internet information service provider to suspend the relevant activities, and the telecommunications business operator or Internet information service provider shall comply with such order.

Article 15 A telecommunications business operator or an Internet information service provider shall organize trainings for its staff members in terms of the knowledge, skills and security responsibilities relating to the protection of the personal information of users.

Article 16 A telecommunications business operator or an Internet information service provider shall conduct self-inspection of its protection of the personal information of users at least once a year, record the results from such self-inspection, and promptly eliminate the safety hazards discovered in the self-inspection.

Chapter 4 Supervision and Inspection

Article 17 The telecommunications authorities shall conduct supervision and inspection over the protection of the personal information of users by telecommunications business operators and Internet information service providers.When conducting supervision and inspection, the telecommunications authorities may require telecommunications business operators or Internet information service providers to provide the relevant materials, and may enter their production and business premises for investigation, and the telecommunications business operators or Internet information service providers shall offer cooperation.

When conducting supervision and inspection, the telecommunications authorities shall record relevant supervision and inspection details, but shall not hinder the normal operations or service activities of telecommunications business operators and Internet information service providers, or charge any fees.

Article 18 The telecommunications authorities and their staff members shall keep confidential the personal information of users that is acquired during the performance of duties, and shall not divulge, tamper with, damage, sell or illegally provide others with such information.

Article 19 When granting telecommunications business licenses and conducting annual verification of such licenses, the telecommunications authorities shall review the protection of the personal information of users.

Article 20 The telecommunications authorities shall record the activities of telecommunications business operators and Internet information service providers that have violated these Provisions into their social credit files and make public such information.

Article 21 Telecommunications and Internet industry associations are encouraged to formulate self-discipline rules relating to the protection of the personal information of users in accordance with the law, guide their members to strengthen self-discipline management so as to better protect the personal information of users.

Chapter 5 Legal Liability

Article 22 A telecommunications business operator or an Internet information service provider that violates Article 8 or Article 12 of these Provisions shall be ordered to make correction within the prescribed period of time and be given a warning by the telecommunications authorities according to their authority, and may be concurrently imposed a fine of up to 10,000 yuan.

Article 23 A telecommunications business operator or an Internet information service provider that violates Article 9, Article 10, Article 11, Article 13, Article 14, Article 15, Article 16 or Paragraph 2 of Article 17 of these Provisions shall be ordered to make correction within the prescribed period of time and be given a warning by the telecommunications authorities according to their authority, and may be concurrently imposed a fine of not less than 10,000 yuan but not more than 30,000 yuan. The above punishments shall be made known to the public. Where a crime is constituted, the criminal liability shall be pursued in accordance with the law.

Article 24 Any staff member of the telecommunications authorities who neglects duty, abuses power or practices favouritism for personal gains in the course of the supervision and administration over the protection of the personal information of users shall be punished in accordance with the law. If a criminal offence is constituted, the criminal liability shall be pursued in accordance with the law.

Chapter 6 Supplementary Provisions

Article 25 These Provisions shall come into effect on 1 September 2013.