Provisions on Protection of Personal Information of Telecommunication and Internet Users

Order of the Ministry of Industry and Information Technology of the People's Republic of China No. 24

July 16, 2013

The Provisions on Protection of Personal Information of Telecommunication and Internet Users has been deliberated and adopted at the 2nd executive meeting of the Ministry of Industry and Information Technology of the People's Republic of China on June 28, 2013, which is hereby promulgated and shall come into force on September 1, 2013.

Minister: Miao Wei

Provisions on Protection of Personal Information of Telecommunication and Internet Users

Chapter I General Provisions

Article 1 These Provisions are formulated in accordance with the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, the Telecommunications Regulations of the People's Republic of China and the Administrative Measures for Internet Information Services and other laws and regulations for the purposes of protecting the legitimate rights and interests of the telecommunication and internet users and maintaining the security of online information.

Article 2 These Provisions shall apply to the activities collecting or using personal information of users in the provision of telecommunication service and internet information service within the territory of the People's Republic of China.

Article 3 The Ministry of Industry and Information Technology and the telecommunication administrations of all provinces, autonomous regions and municipalities directly under Central Government (hereinafter collectively referred to as the "Telecommunication Administration Authorities") shall legally carry out supervision and administration over the protection of personal information of telecommunication and internet users.

Article 4 For the purposes of these Provisions, "Personal Information" refers to the information that can identify the user individually or in combination with other information and that is collected in the course of provision of services by the telecommunication business operators and internet information service providers, such as name, birth date, ID No., address, telephone number, account number and code of the user, and the information on the time and place when and where the user uses the aforementioned service.

Article 5 The collection or use of personal information of users in the course of provision of service by the telecommunication business operators and internet information service providers shall follow the principles of legitimacy, justification and necessity.

Article 6 Telecommunication business operators and internet information service providers shall be responsible for the security of the personal information of users they collected or used in the course of their provision of service.

Article 7 The State encourages the telecommunication and internet industries to carry out self-discipline work in connection with the protection of personal information of users.

Chapter II Rules for Collection and Use of Information

Article 8 The telecommunication business operators and internet information service providers shall formulate the rules for collection and use of personal information of users, and publish the same on their places of business or service or websites.

Article 9 Without consent of the users, telecommunication business operators and internet information service providers may not collect or use the personal information of users.
Where the telecommunication business operators or internet information service providers collect or use personal information of users, they shall expressly advise users about the purpose, method and scope of the collection or use of information, and the ways to inquire or correct information, and the consequences of refusal to provide information, etc.
Telecommunication business operators and internet information service providers may not collect personal information of users other than those necessary for them to provide service, nor use the information for any other purpose other than provision of service, and may not collect or use information by means of deceiving, misleading or force or in violation of the laws, regulations or the agreements between the parties.
Telecommunication business operators and internet information service providers shall, after users terminate their use of the telecommunication service or internet information service, cease the collection and use of the personal information of users, and provide users with account or number cancellation service.
Where the circumstance as provided in Paragraph 1 to 4 hereof is otherwise provided in laws and regulations, such laws and regulations shall prevail.

Article 10 The personal information of users collected or used in the course of provision of service by the telecommunication business operators, internet information service providers and their personnel shall be kept in strict confidence, and may not be divulged, tampered with or damaged, and may not be sold or illegally provided to others.

Article 11 Where the telecommunication business operators or internet information service providers entrust other persons to perform market sales and technology services and other services directly facing the users on their behalf and the collection or use of personal information of users is involved in such services, they shall supervise and manage the protection of personal information of users by their agents, and may not entrust agents failing the requirements for protection of personal information of users as provided herein to act for relevant services.

Article 12 The telecommunication business operators and internet information service providers shall establish user complaint handling mechanism, publish effective contacts, accept complaints in connection with the protection of personal information of users, and reply the complainants within 15 days upon receipt of the complaint concerned.

Chapter III Safety Precautions

Article 13 The telecommunication business operators and the internet information service providers shall take the following measures to prevent any divulge, damage, tamper or loss of personal information of users:
1. Determining the security management responsibilities of each department, position and branch for personal information of users;
2. Establishing the work follow and security management system for collection, use and other relevant activities of personal information of users;
3. Carrying out authority management over personnel and agents, carrying out examination on the exporting, copying or destroying information in batch, and taking anti-divulge measures;
4. Properly storing the paper media, optical media, electronic media or other carriers for recording personal information of users, and taking corresponding safe storage measures;
5. Carrying out connection examination for the information system storing the personal information of users, and taking anti-invasion and anti-virus measures, etc;
6. Recording the person, time, place, event and other information in connection with any operation to the personal information of users;
7. Carrying out telecommunication network security prevention work under the requirements of the Telecommunication Administration Authorities; and
8. Taking other necessary measures as provided by the Telecommunication Administration Authorities.

Article 14 In case of any divulge, damage or loss or potential divulge, damage or loss of the personal information of users stored by the telecommunication business operators and internet information service providers, the telecommunication business operators and internet information service providers shall immediately take remedy measures; in case of causing or possibly causing any severe consequence, the telecommunication business operators and internet information service providers shall immediately report to the Telecommunication Administration Authorities allowing their licenses or filing, and cooperate with the investigation and handling conducted by relevant authorities.
The Telecommunication Administration Authorities shall evaluate the influence of the reported or found activity that may violate these Provisions; in case of having extremely severe influence, the telecommunication administrations of relevant provisions, autonomous regions or municipalities shall report the same to the Ministry of Industry and Information Technology. The Telecommunication Administration Authorities may, prior to making any handling decision under these Provisions, demand the telecommunication business operators and internet information service providers to suspend relevant activities, and the telecommunication business operators and internet information service providers shall carry out the same.

Article 15 The telecommunication business operators and internet information service providers shall provide training on relevant knowledge, skills and security responsibilities on personal information of users to their personnel.

Article 16 The telecommunication business operators and internet information service providers shall at least carry out a self-examination on the situation of protection of personal information of users annually, and record the self-examination situation, and timely eliminate any security hidden danger found in the self-examination.

Chapter IV Supervision and Examination

Article 17 Telecommunication Administration Authorities shall carry out supervision and examination over the situation of personal information of users protected by the telecommunication business operators and internet information service providers.
When carrying out supervision and examination, the Telecommunication Administration Authorities may demand the telecommunication business operators and internet information service providers to provide relevant materials, enter into their places of production and business to investigate situation, and the telecommunication business operators and internet information service providers shall cooperate with the same.
The Telecommunication Administration Authorities shall, when carrying out supervision and examination, record the situation of supervision and examination, and may not the normal operation or service activities of the telecommunication business operators or internet information service providers, and may not charge any fee for that.

Article 18 The Telecommunication Administration Authorities and their personnel shall keep in confidential any personal information of users known in their performance of duties, and may not divulge, tamper with or damage, nor sell or illegally provide to others, such information.

Article 19 The Telecommunication Administration Authorities shall, when carrying out the annual inspection of the business licenses and the telecommunication business operation licenses, examine the situation of protection of personal information of users.

Article 20 The Telecommunication Administration Authorities shall record the violation of these Provisions by the telecommunication business operators and internet information service providers into the social credit files of them and make public the same.

Article 21 Telecommunication and internet industries association are encouraged to legally formulate self-discipline management systems on protection of personal information of users, guide members to strengthen self-discipline management and enhance the level of protection of personal information of users.

Chapter V Legal Liabilities

Article 22 Where the telecommunication business operators or internet information service providers violate the provisions of Article 8 or Article 12 hereof, the Telecommunication Administration Authorities shall order them to make correction or give a warning to them based on their powers and duties, and may also give them a fine of not more than CNY10,000.

Article 23 Where the telecommunication business operators or internet information service providers violate the provisions of Article 9-11 and Article 13-16 and Paragraph 2 of Article 17 hereof, the Telecommunication Administration Authorities shall order them to make correction or give a warning to them, and may also give them a fine of not less than CNY10,000 and not more than CNY30,000; in case of constituting any crime, the telecommunication business operators or internet information service providers shall be investigated for criminal liabilities.

Article 24 Where the personnel of the Telecommunication Administration Authorities abuse their rights, play neglect of duty or commits illegalities for personal gains in the course of carrying out supervision and administration over the protection of personal information of users, they shall be legally handled; in case of constituting any crime, they shall be legally investigated for criminal liabilities.

Chapter VI Supplementary Provisions

Article 25 These Provisions shall come into effect on September 1, 2013.