On July 27, 2011, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) published a draft rule including provisions regulating the processing of personal information by “Internet Information Service Providers.” The draft rule, entitled “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), is not the first rule regulating Internet information services in China. In 2000, the MIIT enacted the “Measures for the Administration of Internet Information Services” (the “Measures”), which took effect on September 25, 2000. However, the Measures do not include any explicit provisions addressing the protection of personal information.
Although the Draft Provisions do not define “Internet Information Service Providers,” the Measures define “Internet Information Services” as “service activities for the provision of information to Internet users over the Internet.” No further clarification of these terms is included in the Draft Provisions.
Following their official enactment, these Draft Provisions (which would be a level below the Measures) would require that Internet Information Service Providers:
- Must refrain from collecting Internet users’ personal information without the users’ consent, unless otherwise provided for by law or administrative regulation;
- May only collect Internet users’ personal information as necessary to provide their services;
- Must expressly inform Internet users of the method, content and purpose of the collection and processing of their personal information, and only use their personal information for the stated purpose(s);
- Must properly maintain Internet users’ personal information, and must not disclose their personal information to any third party without the users’ consent (unless otherwise provided for by law or administrative regulation); and
- Must immediately take remedial measures when the occurrence of any Internet security event has caused or might cause the unauthorized disclosure of Internet users’ personal information, must report to the relevant governmental department any serious actual or possible consequences, and must cooperate with the government’s investigation and handling of the matter.
China already has a few regulations and local rules regarding the protection of personal information on the Internet for specific industry sectors, such as e-commerce. The Draft Provisions, however, would apply to the activities of all Internet Information Service Providers, thus broadening the scope of protection across industries. That said, the protections themselves are somewhat limited, focusing on the collection, use and disclosure of personal information on the Internet.
At this time, MIIT is soliciting public comments on the Draft Provisions. If enacted, the final text of these Draft Provisions, may differ substantially from their current form. We will provide further information when the MIIT officially enacts a final rule.