On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China.  According to the Decision, these principles were passed in order to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, and safeguard China’s security and social order.

The Decision provides legal protection for electronic information that is personally identifiable or involves personal privacy, and imposes various obligations on network service providers and other entities that collect and use the electronic personal information of Chinese citizens (collectively, “Network Service Providers”).  Some of the significant obligations contained in the Decision include:

  • Prohibition on stealing, illegally obtaining, selling or illegally providing electronic personal information;
  • Requirement that Network Service Providers clearly and publicly indicate the objective, methods and scope for the collection and use of electronic personal information;
  • Requirement that Network Service Providers obtain consent when collecting or using electronic personal information and keep such information confidential;
  • Requirement that Network Service Providers adopt technological measures to ensure information security; and
  • Prohibition on the sending of commercial electronic communications to fixed telephones, mobile telephones or to e-mail accounts without consent.

Network Service Providers must also improve their management of information disseminated by their users.  When that information violates laws or regulations, Network Service Providers are required to take certain affirmative actions, including stopping the dissemination of the information, preserving the relevant records and informing the relevant government departments.

Further, the Decision requires any entity providing access to internet, fixed telephones or mobile telephones or providing information publication services (e.g., microblogging) to gather real identity information from users at the time of entering into agreements or confirming service provision with users.

Under the Decision, when citizens discover any network information that discloses their personal identity, invades their personal privacy or otherwise infringes their lawful rights or are being harassed by commercial electronic information, they have the ability to require Network Service Providers to delete the relevant information or adopt necessary measures to stop the infringing activity.  Any individual or organization may report illegal or criminal acts against the Decision to the appropriate government department, and the infringed may also file a lawsuit against the infringers in accordance with law.

Penalties for violating the Decision include warnings, fines, confiscation of unlawful income, cancellation of permits, closure of websites or ban on engaging in web-related business in future, which would also be entered into social credit records and be made public, or other civil, administrative or criminal penalties.

Taking effect as of the date of its publication (i.e., December 28, 2012), the Decision is a great step forward for privacy protection in China. However, the provisions of the Decision are very general and still need to be completed by more specific and detailed implementing rules. So, the implementation and enforcement of the Decision remains to be tested in practice.