McDermott Will & Emery has a strategic alliance with MWE China Law Offices, a separate law firm based in Shanghai. This China Law Alert was authored by MWE China Law Offices lawyers Henry Chen, Samon Sun and Jared Nelson.
At the end of 2012, the Standing Committee of the National People’s Congress in China adopted the Decision on Strengthening Protection of Online Information (Decision). The relatively short 12-clause Decision, which has the same legal authority as a law, went into effect on the day of its adoption, 28 December. The primary purposes of the Decision are to protect citizens’ personal online information and online privacy, and to safeguard public interests. The Decision imposes liabilities on those who violate the duties it outlines.
The Decision applies to entities in both the public and private sectors. However, in contrast to similar recent laws in Taiwan and Singapore that protect all personal information, the Decision only regulates the protection of personal information that is digital, which makes its scope relatively narrow.
Rights and Obligations Arising Out of the Decision
Organizations and Individuals
Citizens who find any online information divulging their personal identity, publishing private information or infringing other legitimate rights, or who suffer from the harassment of commercial messages, have the right to compel the relevant internet service provider (ISP) to delete the information or take other necessary measures to stop such activities. Under the definition of “ISP” used in the Decision, companies that provide platforms for publishing user-generated content are included along with companies that provide access to the internet. For example, AT&T and Facebook would both be considered ISPs under the definition used in the Decision.
Organizations and individuals are prohibited from obtaining citizens’ personal digital information by theft or other illegal approaches, and are also prohibited from selling or illegally providing that information to others. In addition, organizations and individuals are prohibited from sending commercial messages to landlines, cell phones or electronic mailboxes without the recipient’s consent or request, or if the receivers explicitly refuse to receive the messages.
ISPs, Public Service Units and Other Companies
Obligations for collecting and using personal data information
ISPs, public service units (PSUs) and other companies that intend to collect and use personal digital information:
Must make their policies for collection and use public
Must explicitly state the purposes, means, and scope of the collection
Must obtain the consent of all of the subjects of the data collection
Must not violate relevant laws and regulations
Must not violate any agreements or contracts with the subjects of the data collection
Obligations for safeguarding personal data information
ISPs, PSUs and other companies must strictly safeguard the privacy of citizens’ personal digital information that is obtained during business activities. They are prohibited from divulging, falsifying, damaging, selling or illegally providing the information to others. ISPs, PSUs and other companies must take technical and other necessary measures to prevent any citizens’ personal digital information from being divulged, damaged or lost. If the information has been or will be divulged, damaged or lost, the entity must immediately take remedial measures to correct the situation.
Obligations for information management
ISPs must strengthen the management of information published by their users. If an ISP is notified that it has been releasing or transmitting information that was forbidden from being released or transmitted, the ISP must immediately cease the transmission and remove the information. Meanwhile, ISPs are required to save relevant records and report them to the competent authorities.
Obligations for registering users’ authentic identity information
Companies that provide access to the internet, landlines and cell phones, or that provide platforms for content publishing must require users to provide authentic identity information.
Authorities must take technical or other necessary measures to prevent, stop and deal with illegal and criminal activities relating to online information, including obtaining personal digital information through stealing or other unlawful means, or selling or illegally providing information to others. Government agencies must keep personal digital information that is obtained during the performance of duties confidential, and must not divulge, falsify, damage, sell or illegally provide such information to others.
Violators of the Decision will receive punishments including warnings, fines, confiscation of illegal income, permit revocation, cancellation of records, and closing websites. Individuals who violate the Decision will be prohibited from being employed in the internet service industry. Violations will be recorded in the social credibility files and be made available to the public. Violators may also incur civil, administrative and even criminal punishments.
The Decision is a great step forward for the protection of online information in China. However, because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity that is essential for accurate understanding and compliance. It will be necessary to wait and see whether or not more implementing regulations or rules will clarify some of the ambiguous and broad language.