Standards for Assessment of Personal Information Protection of Internet Enterprises

2018-07-02


· Area of Law: Post and Telecommunications

· Level of Authority: Group Provisions

· Date issued: 03-15-2014

· Effective Date: 03-15-2014

· Status: Effective

· Issuing Authority: Associations


Standards for Assessment of Personal Information Protection of Internet Enterprises
(The China Law Association on Science and Technology and the Peking University Internet Law Center, March 15, 2014)
I. Purpose
These Standards are developed to implement the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks, the Law on the Protection of Consumer Rights and Interests, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, the Administrative Measures for Online Trading, and other regulatory legal documents in respect of personal information protection, maintain the lawful rights and interests of users, and regulate the act of internet enterprises in their handling of personal information so as to realize a balance between the protection and use of personal information in the benign development of the industry.
These Standards, by specifically defining the obligations of internet enterprises, are dedicated to developing an effective user personal information protection practice mechanism on the basis of the regulatory legal documents in force, so as to promote, on the one hand, internet enterprises' establishing a personal information protection mechanism in compliance with the regulations and, on the other hand, to realize the protection of the lawful rights and interests of users in the aspect of personal information.
II. Basis
These Standards are developed under the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks, the Law on the Protection of Consumer Rights and Interests, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, and the Administrative Measures for Online Trading, by reference to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the APEC Privacy Framework, the Guide to Personal Information Protection in Public and Business Use Systems, and other documents regarding the personal information protection both at home and abroad, based on the current situation of development of China's internet industry.
III. Definitions
The terms as mentioned in these Standards are defined as follows:
1. “Internet enterprise”
"Internet enterprise" means an organizational entity which handles personal information in providing users with technology service or content service via an information network. "Information network" includes networks such as the Internet, broadcast networks, fixed communication networks and mobile communication networks, with computers, televisions, fixed-line telephones, mobile phones and other electronic devices as terminals, as well as local area networks open to the public.
2. Initial party, related party and third party
"Initial party" means an internet enterprise which directly collects personal information from users when providing technology service or content service.
"Related party" means an internet enterprise in a control relationship with a particular initial party and whose policy for personal information protection is not substantively different from that of the initial party. "Control" means the right to determine the financial and operational policies of an internet enterprise by means of equity or agreement and on the basis of which benefits can be obtained from the operation activities of the internet enterprise.
"Third party" means an organizational entity or natural person which does not collect personal information from users but obtains personal information from an initial party or a related party.
3. User
"User" means a natural person who uses the service provided by an internet enterprise and may be identified by the personal information. For the purpose of these Standards, "minor" means a person under 18 years of age with limited or no capacity of conduct.
4. Personal information
"Personal information" means information or an information aggregate which is capable of effectively and feasibly identifying a particular user, separately or in combination with other information, such as name, date of birth, identification certificate number, address, telephone number, account number and password.
Where information or an information aggregate, upon the irreversible handling for anonymity or de-identification, is not susceptible of reasonably identifying particular users, these Standards shall not apply.
5. Handling
"Handling" means the collection, processing, use and transfer of the personal information of users by internet enterprises. In particular:
"collection" means the act of obtaining and storing personal information;
"processing" means the act of operating on collected personal information with automated systems to meet the needs of use and transfer;
"use" means the act of using personal information to provide technology service or information service, or making decisions based on personal information, or disclosing personal information to the general public or a particular group; and
"transfer" means the act of transmitting personal information to a related party or third party.
6. Consent, express consent and tacit consent
"Consent" means the approval which a user gives to an internet enterprise for it to handle his personal information, by an active, positive manifestation of his will or by his act of free use of service. In particular:
"Express consent" means the approval which a user gives to an internet enterprise for it to handle his personal information by an active, positive manifestation of his will.
"Tacit consent" means the approval which a user gives to an internet enterprise for it to handle his personal information by his act of free use of service.
A consent in these Standards is tacit unless otherwise specified.
7. Substantial amendment
"Substantial amendment" means an amendment by which an internet enterprise derogates from the users' rights, or from its own obligations, with regard to the handling of personal information to which it has committed in its personal information protection policy.
IV. Basic principles
1. Knowledge and consent principle
An internet enterprise shall fully notify users of the major matters regarding the handling of personal information and obtain the express or tacit consent of users on the basis of notification, unless otherwise provided by the law.
2. Legitimacy and necessity principle
An internet enterprise shall handle personal information in a way that complies with the law and shall only process the information that is necessary for accomplishing proper business purposes or providing network services.
3. Determinate purpose principle
An internet enterprise shall handle personal information with a lawful, proper and determinate purpose and may not do so beyond such purpose.
4. Personal control principle
A user has the right to search personal information and to amend, improve and supplement his personal information.
5. Information quality principle
An internet enterprise shall provide a necessary channel for users to search and correct their personal information so as to ensure the accuracy, integrity and timeliness of personal information.
6. Security responsibility principle
An internet enterprise shall adopt necessary management measures and technological means to protect the security of personal information and to prevent unauthorized search, public disclosure, loss, leakage, damage, destruction of and tampering with personal information.
V. Indicator system
1. Knowledge and consent
1.1 An internet enterprise shall, before collecting personal information, faithfully notify users of the matters with regard to the handling of personal information according to the personal information protection policy, including but not limited to:
a. purpose, means and scope of collecting personal information;
b. purpose, means and scope of processing, using and transferring personal information;
c. name, address, contact information and user complaint mechanism of the internet enterprise;
d. the channel for users to search and amend personal information;
e. consequences possibly resulting from users' refusal to provide personal information; and
f. the enterprise's personal information security management system and personal information security protection measures.
1.2 An internet enterprise shall, at a proper place at its website or in its software or service, publicly disclose its personal information protection policy and remind in a proper manner users of the possible consequences resulting from failure to consent to its personal information protection policy.
When an internet enterprise has performed its obligation of notification, the act of a user to begin or continue using its technology service or content service shall be considered as consent to the handling of his personal information by the internet enterprise.
2. Collection
2.1 An internet enterprise shall collect personal information with a lawful, proper and determinate purpose and may not do so beyond such purpose.
2.2 An internet enterprise shall give an express notice of the means to collect personal information and ensure that the relevant means are lawful and proper.
2.3 An internet enterprise shall give an express notice of the types of personal information to be collected and only collect the personal information required to accomplish proper business purposes and provide network services.
2.4 Except in the following special cases, an internet enterprise which collects personal information beyond the stated purposes, means and scope in its notice shall notify users in a reasonable manner and obtain the express consent of the users:
a. Separate provisions of laws and regulations as to maintaining public security and critical necessity, etc.
b. For purposes of academic research or social and public interests.
c. Compulsory actions taken by an administrative department under the law.
d. Decisions, rulings or judgments rendered by a judiciary under the law.
3. Processing
3.1 An internet enterprise shall process personal information for the purpose and within the scope as mentioned in the notice given before collection and adopt such measures and means as are necessary to ensure the security of personal information in the processing.
3.2 Except in the following special situations, an internet enterprise which processes personal information beyond the stated purposes and scope in its notice given before collection shall notify users in a reasonable manner and obtain the express consent of the users:
a. Separate provisions of laws and regulations as to maintaining public security and critical necessity, etc.
b. For purposes of academic research or social and public interests.
c. Compulsory actions taken by an administrative department under the law.
d. Decisions, rulings or judgments rendered by a judiciary under the law.
4. Use
4.1 An internet enterprise shall use personal information for the purposes and within the scope as mentioned in the notice given before collection and adopt such measures and means as are necessary to ensure the security of personal information in the use.
4.2 Except in the following special situations, an internet enterprise which uses personal information beyond the purposes and scope in its express notice given before collection shall notify users in a reasonable manner and obtain the express consent of the users:
a. Separate provisions of laws and regulations as to maintaining public security and critical necessity, etc.
b. For purposes of academic research or social and public interests.
c. Compulsory actions taken by an administrative department under the law.
d. Decisions, rulings or judgments rendered by a judiciary under the law.
5. Transfer
5.1 An internet enterprise which transfers personal information to a related party shall notify users of the information on the handling of personal information by the related party.
5.2 Except in the following special situations, an internet enterprise which transfers personal information to a third party shall notify users and obtain the express consent of the users:
a. Separate provisions of laws and regulations as to maintaining public security and critical necessity, etc.
b. For purposes of academic research or social and public interests.
c. Compulsory actions taken by an administrative department under the law.
d. Decisions, rulings or judgments rendered by a judiciary under the law.
6. Personal control
6.1 An internet enterprise shall provide users with a separate operation mechanism for them to control personal information.
6.2 An internet enterprise shall provide users with a channel to search and update personal information.
6.3 An internet enterprise shall provide users with a channel to deregister accounts or numbers.
7. Amendment of policies
7.1 An internet enterprise shall update its personal information protection policy in a timely manner according to regulatory legal documents and enterprise practice.
7.2 An internet enterprise which substantively amends its personal information protection policy shall conspicuously notify users of the contents of the amendment, consequences due to non-acceptance and corresponding resolution mechanism.
7.3 An internet enterprise which non-substantively amends its personal information protection policy shall notify users in a proper manner of the contents of the amendment.
8. Security responsibility
8.1 An internet enterprise shall develop a personal information management accountability system, implement the responsibility for personal information management, strengthen the security management of personal information, and regulate the handling of personal information.
8.2 An internet enterprise shall adopt such technological measures and means as are necessary to ensure personal information security, including but not limited to:
a. setting up a complete internal compliance management department and establishing and appointing the chief privacy officer and relevant administrators;
b. encrypting the personal information of users by technological means mandatory in the law or common in the industry;
c. handling the personal information of users for anonymity or de-identification by technological means which are mandatory in law or common in the industry and making the processed information irreversible and incapable of being used for identifying individuals; and
d. ensuring, in the course of the services it provides by technological means, that a user is able to take defensive action against any act of infringement upon his personal information performed by others without authorization.
9. Personal information in special fields
9.1 An internet enterprise shall set up special measures for handling the personal information of minors, e.g. processing their personal information only with the express consent of their guardians, or ceasing to handle their personal information upon becoming aware that the user is a minor for whom no express consent of a guardian has been given.
9.2 An internet enterprise which processes the precise geographical location information of users shall notify the users in a reasonable manner and provide them with a choice mechanism to terminate processing.
"Precise geographical location information" means information obtained through the device used by a user which identifies or describes, in real time, the actual physical location of the user at a given time with an error of less than one kilometer.
VI. Performance mechanism
1. Assessment body
The institutions which issue these Standards shall establish an assessment body consisting of persons from the government, enterprises, universities and research institutes in the relevant field.
The assessment body shall freely assess internet enterprises that fall within the scope of application of these Standards against these Standards. The object of assessment shall be the personal information protection policies and practices developed by internet enterprises, including the configuration of their services or software and their typical operational steps. The assessment body shall publish the assessment results in regular or irregular reports.
The assessment body shall, in good time, issue standards for the use of a compliance sign, so that an internet enterprise which meets these Standards may display the sign at a proper position on its website or in its service.
2. Participation of enterprises
An internet enterprise may compare its personal information protection policy and practice with these Standards and make adjustment thereof in a timely manner. In addition to independent adjustment, an internet enterprise may entrust the assessment body with the assessment of its policies and practices, and make adjustment thereof based on the assessment results in a timely manner.
3. Supervision of users
An internet user may assess the personal information protection policies and practices of internet enterprises with these Standards as a criterion. A user may submit the assessment results through the website to be launched by the assessment body in good time.
VII. Annex
The interpretation and the basis of development of the basic provisions of these Standards shall be further explained in the annex.
These Standards are issued under the Self-Help Copyright License Agreement issued by the National Institute for Digital Copyright Research and are licensed under the following conditions:
[Only Retaining Attribution Right] The licensor shall only retain the right to claim authorship and to have his name mentioned in connection with the work. The licensee shall obtain the derivative license under this Agreement and must specify the author of the original work in the derivative work. The licensor shall waive all the property rights in his work.