DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TELECOM & INTERNET USER PI PROVISIONS

Provisions on Protecting the Personal Information of Telecommunications and Internet Users.

电信和互联网用户个人信息保护规定

Promulgated by: Ministry of Industry and Information Technology of the People’s Republic of China. Document No.: Order of the Ministry of Industry and Information Technology No. 24. Adopted at the 2nd Ministerial Affairs Meeting of the Ministry of Industry and Information Technology of the People’s Republic of China on 28 June 2013. Promulgated on 16 July 2013. Effective 1 September 2013.


Chapter I — General Provisions

Article 1. These Provisions are formulated in accordance with the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection, the Telecommunications Regulations of the People’s Republic of China, the Administrative Measures for Internet Information Services, and other laws and administrative regulations, in order to protect the lawful rights and interests of telecommunications and internet users and to maintain network information security.

Article 2. These Provisions apply to activities involving the collection and use of users’ personal information in the course of providing telecommunications services and internet information services within the territory of the People’s Republic of China.

Article 3. The Ministry of Industry and Information Technology and the communications administration bureaus of each province, autonomous region, and municipality directly under the Central Government (hereinafter collectively referred to as the “telecommunications administration authorities”) shall exercise supervision and administration over the protection of the personal information of telecommunications and internet users in accordance with law.

Article 4. For the purposes of these Provisions, “users’ personal information” means information collected by telecommunications business operators and internet information service providers in the course of providing services that can identify a user individually or in combination with other information, including the user’s name, date of birth, identity document number, residential address, telephone number, account number and password, and similar information, as well as information about the time and location of the user’s use of services.

Article 5. Telecommunications business operators and internet information service providers shall, in the course of providing services, collect and use users’ personal information in accordance with the principles of lawfulness, legitimacy, and necessity.

Article 6. Telecommunications business operators and internet information service providers shall be responsible for the security of users’ personal information they collect and use in the course of providing services.

Article 7. The State encourages the telecommunications and internet industry to carry out self-regulatory work on the protection of users’ personal information.

Chapter II — Rules for the Collection and Use of Information

Article 8. Telecommunications business operators and internet information service providers shall formulate rules for the collection and use of users’ personal information and shall make those rules public at their business or service premises, websites, and other locations.

Article 9. Without the consent of a user, telecommunications business operators and internet information service providers shall not collect or use users’ personal information.

When collecting or using users’ personal information, telecommunications business operators and internet information service providers shall clearly notify users of the purpose, method, and scope of the collection and use of information, the channels and methods for querying and correcting information, and the consequences of refusing to provide information, as well as other matters.

Telecommunications business operators and internet information service providers shall not collect users’ personal information beyond what is necessary for the services they provide, nor shall they use information for purposes other than providing those services; they shall not collect or use information through deception, misleading, coercion, or other means, or in violation of laws, administrative regulations, or the agreement between the parties.

After a user ceases to use a telecommunications service or internet information service, the telecommunications business operator or internet information service provider shall cease collecting and using that user’s personal information and shall provide the user with a service to cancel the user’s number or account.

Where laws or administrative regulations otherwise provide for the circumstances set out in the first through fourth paragraphs of this Article, those provisions shall prevail.

Article 10. Telecommunications business operators, internet information service providers, and their employees shall strictly maintain the confidentiality of users’ personal information collected and used in the course of providing services; they shall not disclose, tamper with, or destroy such information, and shall not sell it or provide it to third parties by unlawful means.

Article 11. Where telecommunications business operators or internet information service providers entrust agents to carry out market sales and technical services and other service work directly facing users, involving the collection and use of users’ personal information, they shall supervise and manage the agents’ work on the protection of users’ personal information; they shall not entrust agents who do not meet the requirements of these Provisions regarding the protection of users’ personal information to perform the relevant services on their behalf.

Article 12. Telecommunications business operators and internet information service providers shall establish a user-complaint handling mechanism, publicise effective contact information, accept complaints relating to the protection of users’ personal information, and reply to complainants within fifteen days from the date of receipt of the complaint.

Chapter III — Security Safeguard Measures

Article 13. Telecommunications business operators and internet information service providers shall take the following measures to prevent the leakage, damage, tampering, or loss of users’ personal information:

(1) determining the responsibilities of each department, post, and branch for the security management of users’ personal information;

(2) establishing workflows and security management systems for the collection and use of users’ personal information and related activities;

(3) implementing permission management over employees and agents, subjecting bulk exports, copies, and destruction of information to review, and taking anti-leakage measures;

(4) properly keeping paper, optical, and electromagnetic media and other carriers on which users’ personal information is recorded, and adopting corresponding secure storage measures;

(5) subjecting information systems that store users’ personal information to access review, and adopting measures against intrusion, viruses, and similar threats;

(6) recording information about the personnel, time, location, and matters involved in operations performed on users’ personal information;

(7) carrying out communications network security protection work in accordance with the requirements of the telecommunications administration authorities; and

(8) other necessary measures prescribed by the telecommunications administration authorities.

Article 14. Where users’ personal information kept by telecommunications business operators or internet information service providers has been or may have been leaked, damaged, or lost, they shall immediately take remedial measures; where serious consequences have been or may be caused, they shall immediately report to the telecommunications administration authority that granted their licence or accepted their filing and shall cooperate with the relevant authorities in their investigation and handling of the matter.

Article 15. Telecommunications business operators and internet information service providers shall provide their employees with training on the relevant knowledge, skills, and security responsibilities relating to the protection of users’ personal information.

Article 16. Telecommunications business operators and internet information service providers shall conduct a self-assessment of their protection of users’ personal information at least once per year, shall record the results of the self-assessment, and shall promptly eliminate any security hazards identified in the self-assessment.

Chapter IV — Supervision and Inspection

Article 17. Telecommunications administration authorities shall exercise supervision and inspection over the protection of users’ personal information by telecommunications business operators and internet information service providers. When conducting supervision and inspection, telecommunications administration authorities may require telecommunications business operators and internet information service providers to submit relevant materials and may enter their production and business premises to investigate the situation; telecommunications business operators and internet information service providers shall cooperate accordingly.

Records shall be kept of the supervision and inspection; the normal business or service activities of telecommunications business operators and internet information service providers shall not be impeded; and no fees of any kind shall be charged.

Article 18. Telecommunications administration authorities and their employees shall maintain the confidentiality of users’ personal information that comes to their knowledge in the performance of their duties; they shall not disclose, tamper with, or destroy such information, and shall not sell it or provide it to third parties by unlawful means.

Article 19. When telecommunications administration authorities grant telecommunications business licences or conduct annual inspections of telecommunications business licences, they shall review the protection of users’ personal information.

Article 20. Telecommunications administration authorities shall record violations by telecommunications business operators and internet information service providers of these Provisions in their social credit archives and shall make such records public.

Article 21. The telecommunications and internet industry associations are encouraged to formulate self-regulatory management systems for the protection of users’ personal information in accordance with law, to guide their members in strengthening self-regulatory management, and to raise the level of protection of users’ personal information.

Chapter V — Legal Liability

Article 22. Where telecommunications business operators or internet information service providers violate Articles 8 or 12 of these Provisions, the telecommunications administration authorities shall, in accordance with their respective authority, order them to make corrections within a specified period, give them a warning, and may concurrently impose a fine of not more than ten thousand yuan.

Article 23. Where telecommunications business operators or internet information service providers violate Articles 9 through 11, Articles 13 through 16, or the second paragraph of Article 17 of these Provisions, the telecommunications administration authorities shall, in accordance with their respective authority, order them to make corrections within a specified period, give them a warning, may concurrently impose a fine of not less than ten thousand yuan and not more than thirty thousand yuan, and shall make a public announcement; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Article 24. Where employees of a telecommunications administration authority engage in dereliction of duty, abuse of authority, or favouritism in the exercise of supervision and administration over the protection of users’ personal information, they shall be dealt with in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Chapter VI — Supplementary Provisions

Article 25. These Provisions shall come into force on 1 September 2013.
