Privacy & Information Security Law Blog

In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.

Web Users Required to Register Using Their Real Identification Information 

To comply with the draft amendments, Internet information service providers (“IISPs”), which provide “services to enable Internet users to publicize information to the public,” must require users to register using their real identification information. IISPs offering these services generally provide access to internet forums, blogs, microblogs and other online services. Previously, Internet users had been able to remain anonymous when publishing information on such sites.

Since last December, the non-anonymous registration requirement has been in force on a trial basis in five Chinese municipalities: Beijing, Shanghai, Tianjin, Shenzhen and Guangzhou. When the requirement was enacted, it was the subject of heated discussions regarding its potential to have a chilling effect on freedom of speech in China. The requirement’s potential to affect the protection of personal information has also been a hot topic, as some have doubted whether the affected Internet service providers will be able to protect their users’ personal information.

Adding this requirement to the amendments would make it a part of the Regulation, giving the Chinese government the ability to apply it at the national level.

IISPs and Internet Access Service Providers Required to Maintain Confidentiality of User Personal Information

The draft amendments also would require IISPs and Internet access service providers to keep their users’ personal information confidential, including users’ login information and the real identification information they provide when registering, and would bar IISPs and Internet access service providers from selling, modifying, intentionally disclosing or illegally using their users’ personal information. Penalties for violations could include (1) an order to rectify, (2) confiscation of illegal proceeds, (3) a fine amounting to three to five times the illegal proceeds (if the illegal proceeds exceed RMB 50,000) or (4) a fine of between RMB 100,000 to RMB 150,000 (if the illegal proceeds are less than RMB 50,000). In serious cases, additional penalties may apply; for example, IISPs may be ordered to suspend services, their licenses may be revoked or their regulatory registrations (which are required for the valid provision of services) may be cancelled.

The protection of personal information in the telecommunications sector is not a new topic in China. On December 29, 2011, the Ministry of Industry and Information Technology issued the Several Provisions on Regulating Market Orders of Internet Information Services, which includes significant data protection rules governing IISPs. The June draft amendments to the Regulation are particularly noteworthy, however, because they would impose the first national rule requiring web users to register for online publication services using their real identification information.