China’s New Online Information Protection Law

by Davis Wright Tremaine LLP
Contact

On Dec. 28, 2012, the Standing Committee of China’s National People’s Congress enacted a 12-article Decision on Strengthening Online Information Protection (the “Decision”), without public consultation and after just one reading. The Decision has the force of law and came into effect on the same day of its enactment. The Decision was released following a recent spate of scandals resulting from online exposure of corrupt officials’ misdeeds and apparently in response to growing public concerns about lack of protection for personal privacy.

Overview
The Decision is a fairly broad outline providing guiding principles for protecting personal information online, but no implementation or enforcement details. It is silent about which government agency or agencies will be responsible for enforcing the Decision. Although regulations for protecting people’s credit information were adopted several years ago, attempts to enact personal privacy legislation at the national level have so far been unsuccessful. The seemingly rapid promulgation of the Decision may indicate that there is growing support for comprehensive protection of private information. Now that the Decision is in effect, it will be necessary for one or more government agencies to promulgate implementing rules and regulations. The following summary highlights the Decision’s key provisions and potential impact on business activities in China.

Scope of application
The Decision only applies to the electronic version of citizen’s personal “electronic information”. No entity or individual shall steal or otherwise use illegal methods to obtain a citizen’s electronic personally identifiable information; nor shall they sell or illegally provide such information to others. The state protects each citizen’s personally identifiable electronic information and private electronic information.

Obligations of Internet Service Providers (“ISPs”) and other entities
If ISPs and other entities (collectively, “Information Collectors”) need to collect and use a citizen’s personal electronic information, they shall satisfy the following requirements:

  • Following the principles of legality, legitimacy and necessity;
  • Explicitly indicating the purpose, manner and scope of collecting and using such information;
  • Obtaining the consent of the citizen whose information is collected;
  • NOT violating any laws, regulations or agreements between the parties;
  • Formulating and publishing their policies for collecting and using such information;
  • Keeping such information strictly confidential with Information Collectors and their employees;
  • NOT divulging, distorting or destroying such information, and NOT selling or illegally providing others with such information by Information Collectors and their employees; and
  • Taking technical and other necessary measures to ensure the safety of such information, and promptly taking remedial measures in case of any divulgement, damage or loss of such information.

Internet censorship, real-name registration and ISP’s assistance in enforcement
ISPs are required to strengthen their supervision over the information posted and/or transmitted by their clients. If any forbidden information is posted and/or transmitted, ISPs must immediately stop transmitting such information, take other remedial measures such as deleting the information, keep records, and report to competent government authorities.

When an ISP registers a client for access to internet, landline phone and cell phone service, or provides information transmission services to a client, the ISP must require the client to provide true identity information for registration.

The Decision also requires ISPs to cooperate with and provide technical assistance to government agencies enforcing the Decision.

These requirements apply to all ISPs, including telecom service providers and Internet content providers, and appear to be aimed at facilitating government censorship of Internet users and information being transmitted. Weibo (the Chinese version of Twitter), for example, as an entity providing information posting and transmitting services, must follow such censorship and real-name registration requirements. Weibo must also provide assistance including disclosing the identity of specific Internet users who post or transmit certain forbidden information. Such assistance must be provided for the purpose of enforcement as deemed necessary by the responsible government authority.

No unsolicited commercial electronic messages without recipient’s consent
Without a recipient’s consent or request, no entity or individual is permitted to send unsolicited commercial electronic messages to such recipient’s landline phone, cell phone or personal email box. A citizen can request an ISP to delete or take other necessary measures to stop transmitting such unsolicited commercial electronic messages.

Government’s responsibilities and obligation of confidentiality
The Decision generally requires relevant government agencies to take technical and other necessary measures within the scope of their respective responsibilities to prevent, stop and investigate illegal acts or crimes related to Internet information. However, the Decision provides no explanation or details about which government agency or agencies are responsible for enforcing the Decision.

All government agencies and their employees are required to keep confidential citizen’s personal electronic information obtained during the execution of their responsibilities, and agencies are prohibited from divulging, distorting or destroying such information, or selling or illegally providing it to others.

Penalties
The Decision provides, in very general terms, that violators may face penalties including, but not limited to, warnings, fines, confiscation of illegal gains, license revocations, filing cancellations and website closures. Responsible individuals can potentially be subject to a lifetime ban on engaging in web-related business activities, as well as administrative, civil and even criminal punishments.

Comments
Many commentators have noted that the Decision is too broad to implement and enforce. According to the current divisions of the administrative responsibilities among various government authorities, it would appear that the National Internet Information Office (“NIIO”), the Ministry of State Security, the Ministry of Public Security and the Ministry of Industry and Information Technology (“MIIT”) would be the likely government agencies responsible for promulgating implementing regulations to enforce the Decision.

For example, NIIO and MIIT may incorporate specific implementing provisions in the expected revision of the Administrative Measures of Internet Information Services (the “New Internet Regulations”). An initial draft was published for public comment in June 2012, but the final version has yet been published. The draft New Internet Regulation, for instance, already includes requirements that reflect principles in the Decision:

  • The Internet information service provider, who provides Internet information transmission services to end-users, such as Weibo, Twitter and Facebook, must require real-name registration of its end-users;
  • The Internet information service provider must keep the records of the information posted by itself and its end-users for six months;
  • The Internet information service provider and Internet access service provider must keep the log information for 12 months, and provide technical assistance for investigation by state security authority and public security authority;
  • The Internet information service provider and internet access service provider must keep confidential the user’s private information; and
  • The Internet information service provider and Internet access service provider must immediately stop posting or transmitting the forbidden information, keep the records thereof, and report to the Internet information administrative authority and public security authority.

Depending on which direction the political winds blow in the next several months will likely decide how this Decision will be implemented.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!