July 28, 2014

China: Decision on Strengthening the Protection of Online Information

At the end of 2012, the Standing Committee of the National People’s Congress in China adopted the Decision on Strengthening Protection of Online Information (Decision).  The relatively short 12-clause Decision, which has the same legal authority as a law, went into effect on the day of its adoption, 28 December.  The primary purposes of the Decision are to protect citizens’ personal online information and online privacy, and to safeguard public interests.  The decision provides liabilities for those that violate the duties as outlined in the Decision.


On 28 December 2012, the Standing Committee of the National People’s Congress in China adopted the Decision on Strengthening Protection of Online Information (Decision).  The relatively short 12-clause Decision has the same legal authority as a law and went into effect on the day of its adoption.  The primary purposes of the Decision are to protect citizens’ personal online information and online privacy, and to safeguard public interests.


The Decision applies to entities in both the public and private sectors.  However, in contrast to similar recent laws in Taiwan and Singapore that protect all personal information, the Decision only regulates the protection of personal information that is digital, which makes its scope relatively narrow. 

Rights and Obligations Arising Out of the Decision

Organizations and Individuals

Citizens who find any online information divulging their personal identity, publishing private information or infringing other legitimate rights, or who suffer from the harassment of commercial messages, have the right to compel the relevant internet service provider (ISP) to delete the information or take other necessary measures to stop such activities.  Under the definition of “ISP” used in the Decision, companies that provide platforms for publishing user-generated content are included along with companies that provide access to the internet.  For example, both AT&T and Facebook would both be considered ISPs under the definition used in the Decision.

Organizations and individuals are prohibited from obtaining citizens’ personal digital information by theft or other illegal approaches, and are also prohibited from selling or illegally providing that information to others.  In addition, organizations and individuals are prohibited from sending commercial messages to landlines, cell phones or electronic mailboxes without the recipient’s consent or request, or if the receivers explicitly refuse to receive the messages.

ISPs, Public Service Units and Other Companies

Obligations for collecting and using personal data information

ISPs, public service units (PSUs) and other companies that intend to collect and use personal digital information:

  • Must make their policies for collection and use public
  • Must explicitly state the purposes, means, and scope of the collection
  • Must obtain the consent of the all of the subjects of the data collection
  • Must not violate relevant laws and regulations
  • Must not violate any agreements or contracts with the subjects of the data collection 

Obligations for safeguarding personal data information

ISPs, PSUs and other companies must strictly safeguard the privacy of citizens’ personal digital information that is obtained during business activities.  They are prohibited from divulging, falsifying, damaging, selling or illegally providing the information to others.  ISPs, PSUs and other companies must take technical and other necessary measures to prevent any citizens’ personal digital information from being divulged, damaged or lost.  If the information has been or will be divulged, damaged or lost, the entity must immediately take remedial measures to correct the situation.

Obligations for information management

ISPs must strengthen the management of information published by their users.  If an ISP is notified that it has been releasing or transmitting information that was forbidden from being released or transmitted, the ISP must immediately cease the transmission and remove the information.  Meanwhile, ISPs are required to save relevant records and report them to the competent authorities.

Obligations for registering user’s authentic identity information

Companies that provide access to the internet, landlines and cell phones, or that provide platforms for content publishing must require users to provide authentic identity information.


Authorities must take technical or other necessary measures to prevent, stop and deal with illegal and criminal activities relating to online information, including obtaining personal digital information through stealing or other unlawful means, or selling or illegally providing information to others.  Government agencies must keep personal digital information that is obtained during the performance of duties confidential, and must not divulge, falsify, damage, sell or illegally provide such information to others.


Violators of the Decision will receive punishments including warnings, fines, confiscation of illegal income, permit revocation, cancellation of records, and closing websites.  Individuals who violate the Decision will be prohibited from being employed in the internet service industry.  Violations will be recorded in the social credibility files and be made available to the public.  Violators may also incur civil, administrative and even criminal punishments.


The Decision is a great step forward for the protection of online information in China.  However, because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity that is essential for accurate understanding and compliance.  It will be necessary to wait and see whether or not more implementing regulations or rules will clarify some of the ambiguous and broad language.

This article was co-written by Samon Sun and Jared Nelson.

© 2014 McDermott Will & Emery

About the Author

McDermott Will & Emery is a premier international law firm with a diversified business practice. Numbering more than 1,100 lawyers, we have offices in Boston, Brussels, Chicago, Düsseldorf, Frankfurt, Houston,...

+1 312 372 2000

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.