Recent news revealed new efforts by the Ministry of Industry and Information Technology (MIIT) to promote a data protection regulation in the telecommunications sector. The news reported that different departments of the MIIT visited Guangdong and Sichuan provinces to confer with the local telecommunications authorities and companies on various topics about the promulgation of a departmental administrative regulation for the protection of personal information, and carried out relevant research. This shows the continuous endeavour made by the MIIT in the area of data protection.
In the era of information resolution, the rapid development of computer science and technology and the corresponding expansion of e-commerce have brought about many challenges to the traditional legal and administrative regime, one of which is the protection of the right to personal information. Many jurisdictions have already reacted to this challenge with various approaches. But China seems not to have yet established a clear regulatory path to effectively respond to this new yet significant matter.
The right of privacy provided under the General Principle of Civil Law and Tort Liability Law and the offence of infringing a citizen's personal information right under the amended Criminal Law have provided certain legal recourse for the infringement of personal information rights. However, these laws have not sufficiently resolved issues relating to, and can hardly overall prevent, inappropriate collection, processing, transmission and disclosure of personal information. Many believe this requires a national-level data protection law. Nevertheless, under the current regulatory and administrative regime in China, drafting and enacting such a unified data protection law is an enormous challenge which may involve different voices from and the redistribution of administrative power of various governmental authorities.
Since ignorance of these urgent issues is no longer an option, many governmental authorities and local governments have started to formulate rules in their respective areas. Among the industrial administrators, the MIIT is a pioneer and now plays very important role in promoting data protection rules.
The Telecommunication Regulations (2000) provide the legal basis for data protection in the telecommunications area, which supports telecommunication users' freedom to legally use telecommunications and the privacy of the communications.
Several administrative regulations relating to the sector also include general principles in relation to data protection, such as the Regulation on Internet Information Service (2000), and the Measures for the Administration of Internet Email Services (2006). From the perspective of internet security, the Measures for Security Protection Administration of International Networking of Computer Information Networks (1997) also includes a general provision stipulating that no entity or individual may use international networks to infringe the privacy of communications.
As these regulations only contain general principles of data protection, the MIIT has in recent years published several draft regulations for public comment that contain more detailed requirements. The outcome is the Several Provisions on Regulating the Market Order of Internet Information Services (Several Provisions) issued by the MIIT effective from March 15 2012. Several Provisions includes specific provisions on personal information protection, probably the most detailed statutory requirements on ISPs so far. The Several Provisions define the "users' personal information" although they have left broad room for interpretation. Several principles for ISPs to deal with users' personal information are included such as a prior consent requirement, necessity principle, and confidentiality principle. Requirements in case of leakage of personal information are also stipulated. The Several Provisions could be viewed as a temporary reaction of the MIIT on the urgent demand of data protection rules.
The MIIT has also led and promoted the draft of the Information Security Technology Guide of Personal Information Protection (Draft Guidelines) which were approved by the China Information Security Standardization Technical Committee on April 12 2012. It is reportedly being reviewed by the National Standardization Administration Committee for final approval and expected to be formally promulgated within this year, but there is no clear timeline yet when such Draft Guidelines will be published. Once published, the Draft Guidelines may neither serve the role of statutory law but only voluntary standards, nevertheless it is believed it may facilitate the internal compliance of telecom companies and serve as the basis for future legislation.
If the MIIT's recent efforts on research of the proposed administrative regulation turn out to be fruitful, it would be a substantial step-forward for data protection in the telecommunication area. In such course, the MIIT would expectably be confronted with many new challenges, in addition to those in expanding principles already established by the MIIT for the telecommunications industry in a feasible and pragmatic method. Such challenges include how to coordinate this new regulation with existing rules issued by other governmental authorities and local governments containing various principles on data protection. New challenges may also come along with the continuous and fast development of technology and practice such as data protection issues relating to cloud computing. The new efforts by the MIIT are certainly worthy of further observance.
Jun He Law Offices
© 2021 Euromoney Institutional Investor PLC. For help please see our FAQs.