China’s new DP Regulations to take effect on 1 September



China’s Ministry of Industry and Information Technology (MIIT) passed the Telecommunications and Internet Personal User Data Protection Regulations on 28 June 2013, to take effect on 1 September 2013. The MIIT has previously issued Regulations in 2011 and Guidelines earlier in 2013, and is clearly taking the leading role among Ministries in the area of personal information protection. The scope of these Regulations is Internet information service providers (IISPs), as for the previous Regulations, and telecommunications business operators (TBOs).

These Regulations should not be considered in isolation, but rather in terms of the cumulative effect of what they add to the previous (2011) MIIT Regulation and the 2012 National People’s Congress Standing Committee decision on Internet information. Many aspects of these Regulations are similar to the 2011 Regulations, including the requirements of minimum collection of information, notice, and data breach notification (although the details differ somewhat). Other aspects may add new elements, such as:

  1. requirements on IISPs and TBOs to supervise and manage data protection when they utilise third party processing facilities;
  2. more detailed security protection provisions; and
  3. details of how supervision and inspection by ‘telecommunications management organs’ may be carried out.

There is a requirement of annual ‘self inspection’ of security measures. Violations of the Regulations may be published by the telecommunications management organs, a ‘name and shame’ sanction. The financial sanctions for breach are low, only a maximum of 10,000 Chinese Yuan Renminbi (US$1,630) for some provisions and up to a maximum of 30,000 Yuan Renminbi (US$ 4900) for other provisions.

Many aspects of the Guidelines issued earlier in 2013 by MIIT are not included in these Regulations, such as data export limitations. China’s data protection regulation is still evolving, one relatively small step at a time.

See an unofficial English translation of the Regulation

This news was announced by Covington & Burling. This note was written by Professor Graham Greenleaf, Asia-Pacific Editor, Privacy Laws & Business International Report. He will lead Privacy Laws & Business’s 11 country Asia Roundtable, with speakers from Japan and Singapore, to be hosted by Pinsent Masons, London, on 1st October.