On Dec. 28, 2012, the Standing Committee of China’s National People’s Congress enacted a 12-article Decision on Strengthening Online Information Protection (the “Decision”), without public consultation and after just one reading. The Decision has the force of law and came into effect on the same day of its enactment. The Decision was released following a recent spate of scandals resulting from online exposure of corrupt officials’ misdeeds and apparently in response to growing public concerns about lack of protection for personal privacy.
The Decision is a fairly broad outline providing guiding principles for protecting personal information online, but no implementation or enforcement details. It is silent about which government agency or agencies will be responsible for enforcing the Decision. Although regulations for protecting people’s credit information were adopted several years ago, attempts to enact personal privacy legislation at the national level have so far been unsuccessful. The seemingly rapid promulgation of the Decision may indicate that there is growing support for comprehensive protection of private information. Now that the Decision is in effect, it will be necessary for one or more government agencies to promulgate implementing rules and regulations. The following summary highlights the Decision’s key provisions and potential impact on business activities in China.
Scope of application
The Decision only applies to the electronic version of citizen’s personal “electronic information”. No entity or individual shall steal or otherwise use illegal methods to obtain a citizen’s electronic personally identifiable information; nor shall they sell or illegally provide such information to others. The state protects each citizen’s personally identifiable electronic information and private electronic information.
Obligations of Internet Service Providers (“ISPs”) and other entities
If ISPs and other entities (collectively, “Information Collectors”) need to collect and use a citizen’s personal electronic information, they shall satisfy the following requirements:
Following the principles of legality, legitimacy and necessity;
Explicitly indicating the purpose, manner and scope of collecting and using such information;
Obtaining the consent of the citizen whose information is collected;
NOT violating any laws, regulations or agreements between the parties;
Formulating and publishing their policies for collecting and using such information;
Keeping such information strictly confidential with Information Collectors and their employees;
NOT divulging, distorting or destroying such information, and NOT selling or illegally providing others with such information by Information Collectors and their employees; and
Taking technical and other necessary measures to ensure the safety of such information, and promptly taking remedial measures in case of any divulgement, damage or loss of such information.
Internet censorship, real-name registration and ISP’s assistance in enforcement
ISPs are required to strengthen their supervision over the information posted and/or transmitted by their clients. If any forbidden information is posted and/or transmitted, ISPs must immediately stop transmitting such information, take other remedial measures such as deleting the information, keep records, and report to competent government authorities.
When an ISP registers a client for access to internet, landline phone and cell phone service, or provides information transmission services to a client, the ISP must require the client to provide true identity information for registration.
The Decision also requires ISPs to cooperate with and provide technical assistance to government agencies enforcing the Decision.
These requirements apply to all ISPs, including telecom service providers and Internet content providers, and appear to be aimed at facilitating government censorship of Internet users and information being transmitted. Weibo (the Chinese version of Twitter), for example, as an entity providing information posting and transmitting services, must follow such censorship and real-name registration requirements. Weibo must also provide assistance including disclosing the identity of specific Internet users who post or transmit certain forbidden information. Such assistance must be provided for the purpose of enforcement as deemed necessary by the responsible government authority.
No unsolicited commercial electronic messages without recipient’s consent
Without a recipient’s consent or request, no entity or individual is permitted to send unsolicited commercial electronic messages to such recipient’s landline phone, cell phone or personal email box. A citizen can request an ISP to delete or take other necessary measures to stop transmitting such unsolicited commercial electronic messages.
Government’s responsibilities and obligation of confidentiality
The Decision generally requires relevant government agencies to take technical and other necessary measures within the scope of their respective responsibilities to prevent, stop and investigate illegal acts or crimes related to Internet information. However, the Decision provides no explanation or details about which government agency or agencies are responsible for enforcing the Decision.
All government agencies and their employees are required to keep confidential citizen’s personal electronic information obtained during the execution of their responsibilities, and agencies are prohibited from divulging, distorting or destroying such information, or selling or illegally providing it to others.
The Decision provides, in very general terms, that violators may face penalties including, but not limited to, warnings, fines, confiscation of illegal gains, license revocations, filing cancellations and website closures. Responsible individuals can potentially be subject to a lifetime ban on engaging in web-related business activities, as well as administrative, civil and even criminal punishments.
Many commentators have noted that the Decision is too broad to implement and enforce. According to the current divisions of the administrative responsibilities among various government authorities, it would appear that the National Internet Information Office (“NIIO”), the Ministry of State Security, the Ministry of Public Security and the Ministry of Industry and Information Technology (“MIIT”) would be the likely government agencies responsible for promulgating implementing regulations to enforce the Decision.
For example, NIIO and MIIT may incorporate specific implementing provisions in the expected revision of the Administrative Measures of Internet Information Services (the “New Internet Regulations”). An initial draft was published for public comment in June 2012, but the final version has yet been published. The draft New Internet Regulation, for instance, already includes requirements that reflect principles in the Decision:
The Internet information service provider, who provides Internet information transmission services to end-users, such as Weibo, Twitter and Facebook, must require real-name registration of its end-users;
The Internet information service provider must keep the records of the information posted by itself and its end-users for six months;
The Internet information service provider and Internet access service provider must keep the log information for 12 months, and provide technical assistance for investigation by state security authority and public security authority;
The Internet information service provider and internet access service provider must keep confidential the user’s private information; and
The Internet information service provider and Internet access service provider must immediately stop posting or transmitting the forbidden information, keep the records thereof, and report to the Internet information administrative authority and public security authority.
Depending on which direction the political winds blow in the next several months will likely decide how this Decision will be implemented.