Applications of China’s New Personal Information Protection Standards
China’s Ministry of Industry and Information Technology recently released draft voluntary regulations intended to protect citizens against the misuse of personal information by Internet Information Service Providers. The Provisions represent China’s first regulations to explicitly address the issues of unfair competition on the internet and personal information protection. This article explains the regulations and notes that, while they are still in draft form, the Provisions represent an important step toward progress in Chinese privacy legislation, and it appears likely that China will soon see new laws on personal information protection.
On 27 July 2011, China’s Ministry of Industry and Information Technology (MIIT) issued draft regulations intended to protect citizens against the misuse of personal information by Internet Information Service Providers. The draft regulations, entitled “Provisions on the Administration of Internet Information Services” (Provisions), establish users’ rights and set guidelines for the distribution of Internet services. The Provisions stipulate that, among other requirements, Internet Information Service Providers must collect only personal information relevant to Internet services, inform users about the terms of the information collection before obtaining consent and protect users’ information from distribution to third parties.
In addition, the Provisions establish guidelines for behaviour between competing Internet Information Service Providers. According to the new regulations, providers cannot slander or spread false information about competitors, nor can they force users to uninstall services offered by competitors or limit the use of competitors’ services.
The Provisions represent China’s first Internet service regulations to explicitly address the issues of competition and personal information protection. These new standards come in response to the Chinese public’s recent concerns about personal information security and privacy. In particular, they can be applied to issues arising from disputes in November 2010 between feuding technology companies Tencent and Qihoo 360.
Qihoo, China’s largest antivirus software provider, had accused Tencent and its popular QQ social networking program of spying on users and breaching personal information privacy. Qihoo claimed Tencent scanned the hard drives of QQ’s users while they were running the QQ instant messaging software—an accusation that could have affected more than 600 million QQ users. Qihoo then launched a new privacy protection program that reportedly prevented certain QQ services from working on machines installed with both 360 and QQ. In response, Tencent vehemently denied claims of spying and filed a lawsuit against Qihoo, claiming unfair trade practices. Tencent also stated it would disable its services on computers installed with 360 antivirus software. Caught in the middle of these disputes, users of both providers were left with the choice to uninstall either QQ or 360.
This case demonstrates several issues now addressed by the new Provisions. First, Article 5 of the Provisions states that “fabricating and spreading false information that harms other Internet service providers’ legitimate rights and interests” is not allowed. Based on this new regulation, Qihoo would be prohibited from slandering Tencent. The Provisions now indicate that service providers that have disputes, like Qihoo, should contact the MIIT or relevant local authorities in order to resolve them.
Second, Article 5 also prohibits “interfering with or affecting the running of services or related products offered by other Internet service providers on a user’s terminal”. Had this regulation been in place during the dispute between Qihoo and Tencent, both companies would have violated it by blocking the other provider’s programs on the computers installed with both QQ and 360. Finally, and most significantly, MIIT has put in place concrete provisions against the collection of users’ personal information without their consent. Article 12 states:
“Without the user’s consent, the Internet Information Service Provider shall not collect information relevant to the user that can be use[d] alone or in combination with other information to identify the user’s identity (hereinafter referred to as “personal information”), except as otherwise provided by the laws and administrative regulations. Internet Information Service Providers can only collect user’s personal information necessary for the service. Internet Information Service Providers should clearly inform the user of the method, content, and purpose of the collection as well as its process. The collection of personal information shall not exceed the use of personal information mentioned above.”
This provision creates the first documented Chinese regulation against Internet Information Service Providers violating user privacy. If Tencent did secretly scan user hard drives through its QQ software, this act has now been prohibited by MIIT’s new guidelines. In the case between Tencent and Qihoo, the new Provisions address many user concerns about privacy as well as the competitive antics of both companies.
For all Internet Information Service Providers, failure to adhere to these Provisions could result in fines of RMB 10,000 to 30,000 (approximately US$1540 - 4620). However, it should be noted that the Provisions currently stand only as draft standards; they are voluntary regulations that lack the full strength of legal enforcement. They could be modified at any time by the MIIT, which has not yet formalized the regulation. Still, the Provisions represent an important stepping stone toward future progress in Chinese privacy legislation. With its increased focus on privacy, it appears likely that China will soon see new legislation for personal information protection.