Regulations on the Protection of Personal Information of Telecom and Internet Users

Chapter Ⅰ: General Provisions

 

Article 1: These Provisions are formulated in accordance with the "Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection", the "Telecommunications Regulations of the People's Republic of China", and the "Regulations on the Administration of Internet Information Services", in order to protect the legitimate rights and interests of telecommunications and Internet users and to maintain network information security.

Article 2: These Provisions apply to the collection and use of users' personal information in the course of providing telecommunications services and Internet information services within the territory of the People's Republic of China.

Article 3: The Ministry of Industry and Information Technology and the communications administrations of the provinces, autonomous regions, and municipalities directly under the Central Government (hereinafter collectively referred to as telecommunications management agencies) shall exercise supervision and administration over the protection of personal information of telecom and Internet users in accordance with the law.

Article 4: The term "personal information of users" as mentioned in these Provisions refers to the information collected by telecommunications business operators and Internet information service providers during the provision of services, including the user's name, date of birth, identity card number, address, phone number, account and password, etc., which can be used alone or combined with other information to identify the user, as well as the time and location of the user's use of the service.

Article 5: Telecommunications operators and Internet information service providers shall collect and use personal information of users in accordance with the principles of legality, legitimacy, and necessity during the provision of services.

Article 6: Telecommunications service operators and Internet information service providers shall be responsible for the security of personal information collected and used by them in the course of providing services.

Article 7: The state encourages the telecommunications and Internet industries to carry out self-discipline work on protecting users' personal information.

 

Chapter Ⅱ: Information Collection and Use Specifications

 

Article 8: Telecommunications operators and Internet information service providers shall formulate rules for the collection and use of personal information of users, and publish them on their business premises, websites, etc.

Article 9: Without the consent of users, telecommunications operators and Internet information service providers shall not collect or use personal information of users.

Telecommunications operators and Internet information service providers shall inform users clearly of the purposes, methods and scope for collecting and using personal information, channels for inquiring about and correcting information, as well as the consequences of refusing to provide information.

Telecommunications operators and Internet information service providers shall not collect more personal information of users than is necessary for providing services, or use such information for purposes other than providing services. They shall not collect or use information by deception, misrepresentation, coercion, or in violation of laws and administrative regulations or the agreement between the parties.

Telecommunications operators and Internet information service providers shall stop collecting and using personal information of users after the users have terminated the use of telecommunications services or Internet information services, and provide services for users to cancel their numbers or accounts.

Where laws and administrative regulations provide otherwise for the circumstances specified in the first through fourth paragraphs of this Article, such provisions shall apply.

Article 10: Telecommunications operators and Internet information service providers, as well as their staff, shall strictly keep confidential the personal information of users collected and used during the provision of services. They shall not disclose, tamper with, or damage such information, nor shall they sell or illegally provide it to others.

Article 11: Telecommunications business operators and Internet information service providers who entrust others to handle market sales, technical services, and other customer-facing service work involving the collection and use of personal information of users shall supervise and manage the protection of such personal information by their agents and shall not entrust agents that do not meet the requirements of these Regulations on the protection of personal information of users to handle relevant services.

Article 12: Telecommunications operators and Internet information service providers shall establish a complaint handling mechanism for users, disclose effective contact information, accept complaints related to the protection of personal information of users, and respond to complainants within 15 days from the date of receipt of the complaint.

 

Chapter Ⅲ: Safety and Security Measures

 

Article 13: Telecommunications operators and Internet information service providers shall take the following measures to prevent the leakage, damage, alteration or loss of users' personal information:

(ⅰ) Identify the personal information security management responsibilities of each department, position, and branch office;

(ⅱ) Establish a workflow and security management system for the collection, use, and related activities of users' personal information;

(ⅲ) Implement access control for staff and agents, review bulk exports, copying, and destruction of information, and take measures to prevent leaks;

(ⅳ) Safeguard the paper, optical, and electromagnetic media containing users' personal information properly and take corresponding security storage measures;

(ⅴ) Conduct access reviews for information systems that store users' personal information, and take measures such as intrusion prevention and virus protection;

(ⅵ) Record the personnel, time, location, and matters related to the operation of users' personal information;

(ⅶ) Carry out communication network security protection work in accordance with the provisions of the telecommunications management agency;

(ⅷ) Other necessary measures stipulated by the telecommunications management authority.

Article 14: If the personal information of users preserved by telecommunications business operators or Internet information service providers is leaked, damaged, or lost, or if such an event may occur, remedial measures shall be taken immediately. In cases where serious consequences have been or may be caused, they shall report to the competent telecommunications authority that granted their license or registration without delay and cooperate with the relevant departments in the investigation and handling of the matter.

Telecom management authorities shall assess the impact of possible violations of these regulations that have been reported or discovered; if the impact is particularly significant, the relevant provincial, autonomous regional, and municipal communications administrations shall report to the Ministry of Industry and Information Technology. Before making a decision on handling in accordance with these regulations, telecom management authorities may require telecom operators and Internet information service providers to suspend related activities, which the telecom operators and Internet information service providers shall comply with.

Article 15: Telecommunications operators and Internet information service providers shall train their staff on knowledge, skills, and safety responsibilities related to the protection of users' personal information.

Article 16: Telecommunications service providers and Internet information service providers shall conduct at least one self-inspection of the protection of users' personal information each year, record the inspection findings, and promptly eliminate any security risks discovered during the inspection.

 

Chapter Ⅳ: Supervision and Inspection

 

Article 17: Telecommunications management agencies shall supervise and inspect the protection of users' personal information by telecommunications business operators and Internet information service providers.

Telecommunications management agencies may, when conducting supervision and inspection, require telecommunications business operators and Internet information service providers to provide relevant materials and enter their production and operation premises to investigate the situation; telecommunications business operators and Internet information service providers shall cooperate accordingly.

Telecommunications management agencies shall record the circumstances of supervision and inspection when implementing supervision and inspection, shall not hinder the normal business or service activities of telecommunications operators or Internet information service providers, and shall not charge any fees.

Article 18: Telecommunications management agencies and their staff members shall keep confidential the personal information of users obtained in the course of performing their duties, and shall not disclose, tamper with, or damage such information, nor shall they sell or illegally provide it to others.

Article 19: When implementing the telecommunications business operation license and conducting annual inspections of such licenses, the telecommunications management agencies shall review the protection of users' personal information.

Article 20: Telecommunications management agencies shall record and disclose the violations of this regulation by telecommunications business operators and Internet information service providers in their social credit records.

Article 21: Telecommunications and Internet industry associations are encouraged to formulate self-discipline management systems for the protection of personal information of users in accordance with the law, guide members to strengthen self-discipline management, and improve the level of protection of personal information of users.

 

Chapter Ⅴ: Legal Responsibilities

 

Article 22: Telecommunications operators and Internet information service providers who violate Articles 8 and 12 of these Regulations shall be ordered to rectify within a specified time limit, issued a warning, and may also be fined up to 10,000 yuan by the telecommunications management authority in accordance with its powers.

Article 23: Telecommunications operators and Internet information service providers who violate Articles 9 to 11, 13 to 16, and the second paragraph of Article 17 of these Regulations shall be ordered by the telecommunications management authority within its jurisdiction to rectify within a time limit, issued a warning, and may also be fined not less than 10,000 yuan but not more than 30,000 yuan. The case shall be announced to the public; if a crime is constituted, criminal responsibility shall be investigated according to law.

Article 24: If staff members of the telecommunications management agency neglect their duties, abuse their powers, or engage in malpractices in the supervision and administration of personal information protection work, they shall be dealt with according to law; if a crime is constituted, they shall be investigated for criminal responsibility according to law.

 

Chapter Ⅵ: Appendix

 

Article 25: These Regulations shall come into effect on September 1, 2013.