Provisions on the protection of personal information of telecommunications and Internet users
(On June 28, 2013, the Ministry of Industry and Information Technology of the People's Republic of China deliberated and adopted the second ministerial meeting, and on July 16, 2013, the Ministry of Industry and Information Technology of the People's Republic of China promulgated Order No. 24, effective as of September 1, 2013)
Chapter I: General Provisions
Article 1: These Provisions are formulated on the basis of the "Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information", the "Telecommunications Regulations of the People's Republic of China", the "Measures for the Administration of Internet Information Services", and other laws and administrative regulations, so as to protect the lawful rights and interests of telecommunications and Internet users, and to preserve network information security.
Article 2: These Provisions apply to the collection and use of users' personal information in the course of providing telecommunications services and internet information services within the mainland territory of the People's Republic of China.
Article 3: The Ministry of Industry and Information Technology and the communications administrations of all provinces, autonomous regions, and municipalities directly under the Central Government (hereinafter collectively referred to as telecommunications regulatory bodies) are to carry out oversight and management of efforts to protect the personal information of telecommunications and internet users in accordance with law.
Article 4: "Users' personal information" as used in these Provisions refers to information collected by telecommunications operators and internet information service providers in the course of providing services, such as users' names, dates of birth, identification numbers, addresses, telephone numbers, account numbers, and passwords, that can identify users, either alone or in combination with other information, as well as information such as the time and place when users use services.
Article 5: Telecommunications operators and internet information service providers shall follow the principles of legality, propriety, and necessity in the collection and use of users' personal information in the course of providing services.
Article 6: Telecommunications operators and internet information service providers are responsible for the security of users' personal information that they collect and use in the course of providing services.
Article 7: The State encourages the telecommunications and internet industries to carry out self-discipline efforts on the protection of users' personal information.
Chapter II: Norms for the Collection and Use of Information
Article 8: Telecommunications operators and internet information service providers shall draft rules for the collection and use of users' personal information, and publish them on their business or service sites, websites, and so forth.
Article 9: Telecommunications operators and internet information service providers must not collect or use users' personal information without users' consent.
Where telecommunications operators and internet information service providers collect or use users' personal information, they shall clearly inform users of matters such as the purpose, methods, and scope of the collection and use of information, the channels for inquiring into or correcting information, and the consequences of refusing to provide information.
Telecommunications operators and internet information service providers must not collect users' personal information other than those necessary for them to provide services or use the information for purposes other than providing services, and must not collect or use information by means such as deception, misleading, or coercion, or in violation of laws, administrative regulations, or agreements between the parties.
Telecommunications operators and internet information service providers shall stop the collection and use of users' personal information after users terminate their use of telecommunications services or internet information services, and provide users with services for canceling numbers or accounts.
Where laws and administrative regulations have other provisions on the circumstances provided for in paragraphs 1 through 4 of this article, follow those provisions.
Article 10: Telecommunications operators, internet information service providers, and their staffs shall strictly keep confidential users' personal information collected or used in the course of providing services, and must not leak, alter, or destroy it, and must not sell it or illegally provide it to others.
Article 11: Where telecommunications operators and internet information service providers retain others to act as agents for marketing sales and technical services, or other service work directly facing users, which involves the collection or use of users' personal information, they shall conduct oversight and management of the agent's efforts to protect users' personal information, and must not retain an agent who does not meet these Provisions' requirements for the protection of users' personal information to handle the relevant services on their behalf.
Article 12: Telecommunications operators and internet information service providers shall establish mechanisms for handling user complaints, publish effective contact information, accept complaints related to the protection of users' personal information, and respond to the complainant within 15 days of receiving the complaint.
Chapter III: Security Safeguard Measures
Article 13: Telecommunications operators and internet information service providers shall employ the following measures to prevent the leakage, destruction, alteration, or loss of users' personal information:
(1) Determine the responsibility for the security management of users' personal information in each department, position, and branch office;
(2) Establish work processes and security management systems for the collection and use of users' personal information and related activities;
(3) Implement authority management for staff and agents, conduct reviews of information exported, reproduced, and destroyed in batches, and employ measures to prevent leakage of secrets;
(4) Properly store paper, optical, and electromagnetic media that record users' personal information, and employ corresponding measures for safe storage;
(5) Carry out access reviews of information systems that store users' personal information, and employ measures such as anti-intrusion and anti-virus;
(6) Record information such as the personnel, time, location, and matters of the operation of users' personal information;
(VII) in accordance with the provisions of the telecommunications regulatory body to carry out communications network security protection work;
(H) other necessary measures prescribed by the telecommunications regulatory authority.
Article 14 Where the personal information of users in the custody of telecommunications operators or Internet information service providers is or may be leaked, damaged or lost, remedial measures shall be taken immediately;
The telecommunications regulatory body shall assess the impact of the reported or discovered acts that may violate these provisions, and if the impact is particularly significant, the communications management bureaus of the relevant provinces, autonomous regions and municipalities directly under the Central Government shall report to the Ministry of Industry and Information Technology. Before making a decision on the basis of these provisions, the telecommunications regulatory body may require telecommunications operators and Internet information service providers to suspend relevant acts, and telecommunications operators and Internet information service providers shall implement them.
Article 15: Telecommunications operators and internet information service providers shall conduct training for their staff on knowledge, skills, and security responsibilities related to the protection of users' personal information.
Article 16: Telecommunications operators and internet information service providers shall conduct a self-inspection of the protection of users' personal information at least once a year, record the circumstances of the self-inspection, and promptly eliminate potential security hazards discovered during the self-inspection.
Chapter IV: Supervision and Inspection
Article 17: Telecommunications regulatory bodies shall supervise and inspect the protection of users' personal information by telecommunications operators and Internet information service providers.
When carrying out supervision and inspection, the telecommunications regulatory body may require telecommunications operators and Internet information service providers to provide relevant materials and enter their production and business premises to investigate the situation, and telecommunications operators and Internet information service providers shall cooperate.
In carrying out supervision and inspection, the telecommunications regulatory body shall record the supervision and inspection, and shall not obstruct the normal operation or service activities of telecommunications operators and Internet information service providers, and shall not charge any fees.
Article 18 The telecommunications regulatory body and its staff shall keep confidential the personal information of users learned in the performance of their duties, and shall not disclose, tamper with or damage it, and shall not sell it or illegally provide it to others。
Article 19: When carrying out telecommunications business licenses and annual inspections of business licenses, telecommunications regulatory bodies shall conduct a review of the protection of users' personal information.
Article 20: Telecommunications regulatory bodies shall record the conduct of telecommunications operators or Internet information service providers in their social credit archives and make it public.
Article 21: Telecommunications and internet industry associations are encouraged to lawfully draft self-discipline management systems for the protection of users' personal information, guiding members to strengthen self-discipline management and increasing the level of protection of users' personal information.
Chapter V: Legal Responsibility
Article 22 Where telecommunications operators or Internet information service providers violate the provisions of Articles 8 and 12 of these Provisions, the telecommunications regulatory body shall, on the basis of its authority, order corrections to be made within a set period of time, give warnings, and may impose a fine of not more than 10,000 yuan.
Article 23 Where a telecommunications operator or Internet information service provider violates the provisions of Articles 9 to 11, Articles 13 to 16, or the second paragraph of Article 17 of these Regulations, the telecommunications regulatory body shall, on the basis of its authority, order it to make corrections within a set period of time, give a warning, and may impose a concurrent fine of not less than 10,000 yuan but not more than 30,000 yuan, and make an announcement to the public;
Article 24 Where the staff of the telecommunications regulatory body neglects their duties, abuses their powers, or twists the law for personal gain in the course of supervising and managing the protection of users' personal information, they shall be dealt with in accordance with law;
Chapter VI: Supplementary Provisions
Article 25: These Provisions take effect on September 1, 2013.
Source: China Network Information Network, Yangtze River Cloud
!["4.15" National Security Laws and Regulations Prize Answering Competition[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)