Draft to enhance protection of online information
The 30th session of the 11th National People's Congress passed a draft for enhancing the protection of online information (加强网络信息保护的决定草案) on Dec. 28, 2012.
In order to protect personal online information, guarantee the legal rights of citizens, legal persons and other organizations, as well as safeguard homeland security and the public interest, the following decisions have been made:
1. The government protects any online information concerning a citizen's identity and privacy.
No organization or individual shall steal or acquire a citizen's personal online information through illegal acts, or sell or offer it to a third party without permission.
2. While collecting and using a citizen's personal online information in business activities, Internet service providers and other enterprises and institutions should explicitly express the purposes, methods and range of collecting and using the information under the principles of legitimacy, justification and necessity. Permission should be given by Internet users and the collection and employment of information should observe the relevant laws and regulations, as well as any contracts between network providers and users. Internet service providers, and other enterprises and institutions, should make known to the public the rules of collecting and using the personal information of citizens.
3. Internet service providers and staff in enterprises and institutions should keep a citizen's private information secret in conducting business activities and shall not disclose, change, damage or sell personal information or provide it to a third party.
4. Technical and other necessary measures should be adopted to ensure information security and keep a citizen's privacy from being disclosed, damaged or lost. In case of the aforementioned circumstances, remedial actions should be taken as soon as possible.
5. Internet service providers should strengthen the management of users' personal information, and when information violates laws or regulations, providers should immediately stop transmitting and remove it, and preserve any relevant records for reporting to the related authorities.
6. Internet service providers should demand to know the real identity of users in signing contracts or confirming services when they offer network access services to both fixed and mobile phones, or provide users with information services.
7. No organization or individual shall send any commercial electronic messages to fixed telephones, mobile phones or personal e-mails without explicit permission or requirement, or with the definite refusal of message receivers.
8. Citizens are entitled to require Internet service providers to remove any relevant information or take other necessary measures in defense of their legal rights when their personal information is disclosed or spread or they are disturbed by commercial electronic messages.
9. All organizations and individuals are entitled to report criminal acts involving online information to the related authorities, or to make accusations about them, such as the stealing, selling and acquiring of personal information through illegal ways, or the unpermitted offering of it to a third party. On receiving reports or accusations, the authorities should deal with them immediately according to the law. Victims are entitled to institute legal proceedings in a court of law.
10. The relevant authorities should fulfill any obligations within their terms of reference and adopt technical and other necessary measures to prevent and punish online criminal acts such as stealing, selling, acquiring personal information through illegal ways or offering it to a third party without permission. Internet service providers should cooperate with investigations conducted by authorities and offer technical support if required. Staff employed in state organs should keep a citizen's private information secret and shall not disclose, change, damage or sell any personal information or provide it to a third party during investigation.
11. Any acts violating the abovementioned terms will face punishment, which may consist of a warning, fine, seizure of illegal income, certificate revocation, cancellation of record, closure of website and preventing those responsible from working in network services. The unlawful acts will be recorded in credit files and subsequently published. Any offences against the Security Administration should be punished accordingly. Those involved in crimes are to be investigated for their criminal liability according to the law and those infringing on civil rights shall bear civil liability according to the law.
12. This decision shall take effect from the date of promulgation.