By Li Jie Han

On December 28, 2012, the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China adopted the Decision on Strengthening the Protection of Online Information (“Decision”). The Decision contains twelve (12) clauses, which are applicable to entities in both the public and private sectors in respect of the collection and processing of electronic personal information on the Internet.

The Decision sets forth a number of provisions specifically governing the activities of Internet service providers (“ISPs”), other business enterprises and non-profit enterprises that handle electronic personal information.  Each of these entities must:

  • explicitly state the purpose, means and scope of their collection and use of electronic personal information, publicize their relevant policies, and obtain the consent of the subjects for the collection and use;
  • keep collected electronic personal information strictly confidential, and not disclose, alter or destroy it, or sell or illegally provide it to other persons;
  • adopt technical and other necessary measures to ensure the safety of electronic personal information, and promptly take remedial measures when such information is disclosed, damaged or lost;
  • adopt information security safeguards, take prompt remedial measures if they discover users distributing information illegally, and notify relevant government agencies; and
  • refrain from sending messages without consent (or in contravention of directions not to send) to fixed telephones, mobile telephones and individual e-mail boxes.

Notably, ISPs must require users to furnish authentic identity information when providing access or information-related services to the users. This provision, which could potentially undermine the protection of personal privacy, has been most widely reported. Nevertheless, the other provisions, though limited to electronic personal information and thus somewhat narrow in scope, provide additional protection, especially in commercial contexts, and thus warrant attention from a compliance standpoint.

The provisions under the Decision set out basic principles and are comparatively brief. It is expected that the NPC or other government agencies, e.g., the Ministry of Industry and Information Technology (MIIT), will pass further legislation to clarify and substantiate these provisions. In the meantime, companies collecting personal information through websites operated within the PRC should make sure they fully and fairly disclose the type of personal information being collected and the purposes for which it will be used. The mechanisms for doing this should be reasonable based on how sensitive the data is and how intrusive the use is.

The Decision in Chinese, together with an English translation, is available here: