Data privacy for internet users is a topic of concern the world over, with the P.R.C. being no exception. Internet information service providers (hereinafter also referred to as "IISPs"), such as commercial websites, regularly collect information from online visitors, sometimes with full knowledge of the visitors and sometimes unknown to the visitors. In addition, IISPs have been known to maliciously introduce software incompatible with the user's existing software, install certain software such as "spyware" onto users' computers/mobile devices and/or change users' browser configurations without permission, and it goes without saying that "pop up ads" are an ongoing online annoyance. As online users in the P.R.C. look for protections from such unwanted invasions of their privacy and restrictions upon user control of their online experience, the recently released "Several Provisions on Regulating the Market Order for Internet Information Services" (hereinafter referred to as the "Provisions") provides needed rules and regulations in this regard. 1
The Provisions, which come into effect on March 15, 2012, are to be implemented and administered by the Ministry of Industry and Information Technology and Communications Administration ("M.I.I.T.") of the P.R.C. The Provisions cover a wide range of issues relevant to the operation of IISPs in the P.R.C., such as commercial websites (as distinguished from "network service providers" which, in M.I.I.T. terminology provide network services, such as internet access), but this article will look only at those online user issues referenced above.
In relation IISPs introducing software which did so maliciously with the knowledge that it would likely be incompatible with existing user software, Article 5 (Item 5) of the Provisions notes that it is not acceptable for IISPs to "maliciously ... forc[e] the users to modify the parameters of services or products provided by other internet information services providers."2
In terms of protections against intrusion upon the user's computer/terminal device (including mobile phones, etc...), Article 7 (Item 7) of the Provisions notes thatIISPs cannot "change user's browser configurations or other configurations without notifying the user and obtaining permission from the user."3 Furthermore, as per Article 8, IISPs who are conducting operations of "downloading, installing, running, upgrading, or uninstalling software, etc., on user terminals should provide definite and complete software function information and should get permission from the users in advance".4 In addition, Article 9 of the Provisions provides that IISPs can only bundle their terminal software with other software in such a manner providing clear notice to the user and such that the user can "choose whether or not to install or use the software and should provide a separate uninstall or disable option without adding unreasonable terms".5 Finally, Article 10 provides that "if internet information service providers pop-up advertisements or other information that are irrelevant to the function of their terminal software on user terminals, internet information service providers should provide users with functional signs to close or quit the window in a prominent manner".6 Articles 5, 7, 8, 9, and 10 of the Provisions as noted make it clear that maliciously introducing software likely to cause incompatibilities, unauthorized changing of configurations on user browsers, unauthorized installation of software, such as "spyware", unduly forcing users to download software bound to other software, or serving up endless annoying "pop up ads" are unacceptable practices and, in this regard, these Provisions provide users with more control in their relationship with IISPs.
In terms of data privacy, the Provisions note in Article 11 that "[w]ithout users' consent, internet information service providers should not collect information that is related to the users and can serve to indentify the users' identities solely or in conjunction with other information (hereinafter referred to as "users' personal information") and should not provide other people with users' personal information, unless laws, or administrative regulations specified otherwise".7 Article 11 goes on to add that "[w]here the internet information service providers are permitted by the users to collect users' personal information, internet information service providers should clearly inform users of the method, content and purpose of collecting and processing users' personal information, internet information service providers should not collect information that is unnecessary for providing service or should not use users' personal information for purposes other than providing service, either."8
In addition, Article 12 of the Provisions provides that IISPs should "properly keep users' personal information. If users' personal information which internet information service providers are keeping is leaked or possibly leaked, internet information service providers should immediately take remedial measures. If serious consequences are caused or might be caused, internet information service providers should immediately report to the Telecommunications Administration and cooperate with related departments to conduct investigations."9
Finally, Article 13 of the Provisions provides that IISPs cannot without authorization or "justifiable reasons" "change or delete information uploaded by users", "provide others with information uploaded by users without users' permission, unless otherwise provided by the laws or administrative regulations", or "transfer information uploaded by users without authorization or under the guise of users' names, or cheat, mislead, or coerce users to transfer information which users uploaded".10 Such gives users more control over information which they may upload to an IISP, such as comments or blog entries. Articles 11, 12, and 13 of the Provisions provide clear rules promoting user data privacy and user control over user data, including uploaded information, and provide users with a defined framework for data protection in their online activity.
Finally, the Provisions require that IISPs provide clear contact information for relevant complaints(Article 14)11, outline a reporting, review, and assessment mechanism for relevant complaints to the M.I.I.T.(Article 15)12, and define a statutory framework for applicable punishments, including but not limited to assessment of fines of 10,000-30,000 RMB (as per Articles 16-20).13
With these Provisions coming into effect in March of this year, online internet users in the P.R.C. will then have a better means to provide themselves with additional control over their user experience when dealing with IISPs, as well as additional means to protect their valuable personal data, and internet service providers will have clear guidelines for what is acceptable conduct of business in these areas.
Note: this publication is for informational purposes only and it does not in any way constitute a legal opinion.
1 Ministry of Industry and Information Technology and Telecommunications Administration of the People's Republic of China, "Several Provisions on Regulating the Market Order for Information Services", published on December 29, 2011 and effective on March 15, 2012, found at http://www.miit.gov.cn/n11293472/n11293832/n12843926/n13917012/14414975.html (last visited on January 10, 2012) (Note: English Language translation from Chinese language original).
2 Id. at Art. 5.
3 Id. at Art. 7.
4 Id. at Art. 8.
5 Id.at Art. 9.
6 Id.at Art. 10.
7 Id.at Art. 11.
9 Id. at Art. 12.
10 Id. at Art. 13.
11 Id. at Art. 14.
12 Id.at Art. 15.
13 Id.at Art. 16-20.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.