China's new data protection rules good step, but little bite
China's Ministry of Industry and IT recently issued its Rules on Personal Information Protection of Telecommunications and Internet Users. Effective from September 1, 2013, these offer guidance to telecoms and internet service providers (ISPs) on the collection and use of personal information.
The rules are significant in that they are the first uniform provisions applying to telecoms and internet users, and a tentative step toward personal data protection in China.
Data protection law in the country has traditionally been fractured and varying across sectors. While that has not changed, since these rules apply solely to the telecoms and internet sectors, the new rules do at least reflect data protection principles and practices already enshrined in law in Europe, the U.S., and much of Asia.
Unless contrary to another law or administrative law (I'll talk more on this later), telcos and ISPs are required to formulate and publish rules governing their collection of personal information, collect information only with a user's consent, collect only information that is necessary to provide services, stop collecting information in the event that a service is canceled, and set up a complaints mechanism. Operators are also required to ensure personal information is held securely, and manage and supervise any third parties to whom personal information is passed.
All of these rules bring Chinese telcos and ISPs under a data protection regime similar to those established in other jurisdictions. However, there is a sticking point: the maximum penalty for operators is 30,000 yuan (just short of US$5,000), and they must publish any violation in its publicly viewed enterprise credit files. In other words, a slap on the wrist financially and a public shaming.
Criticism of the rules is that they are toothless, and this may be justified.
It is not uncommon to acquire a new phone number in China and receive marketing calls before the user has even given that number to anyone. The sale of personal information by telecoms and internet operators is a big and lucrative business, and the relatively small fine and reputation damage may not be sufficient deterrent.
That said, the new rules do at least offer some protection of personal data, which will be of comfort to those hounded by direct marketing as a result of the sale of personal information by telcos and ISPs.
Those unlikely to be comforted are the individuals most worried about their personal information and anonymity online. These are typically social media users and bloggers anxious at the fact that "spreading rumors" online may lead to their detention, especially in light of China president Xi Jinping's call earlier this month to "seize the ground of new media".
The new rules protect personal data online only, unless this is contrary to another law or administrative law. Therefore, ISPs are still required to collect real names of users who post information online, and these names will be used for enforcement purposes when necessary.
Bloggers and human rights lawyers in China have already criticized the new rules as an attempt to direct attention away from the crackdown on vocal social media users in China, as the battle for free speech and internet anonymity intensifies.