2.Internet-related Service Providers
Generally speaking,there are two categories of data that will be obtained by the Internet Service Providers,Internet Access Service Providers and Internet Data Center Service Providers(“Internet-related Service Providers”):(a)personal data of users,which data will be provided by the users when they apply for Internet-related services to be provided by the Internet-related Service Providers;and(b)data recorded in the telecommunications networks,which data will be recorded by Internet-related Service Providers during the course of their provisioning different types of internet-related services to the users,such data may include login or log out time,dialing number,account number,URL,domain name,system maintenance log,time for sending and receiving email,email addresses of sender and receiver,etc. The legal requirements that the Internet-related Service Providers shall comply with in data retention are varied,depending on the nature of the data obtained by them:
(i)Users Personal Information
It is a legal requirement under the PRC that the Internet-related Service Providers shall record the personal data of the users before the users use the Internet-related services(3). There is no specific law or regulation which governs the minimum period that the personal data of the Internet users shall be retained. Based on our anonymous verbal consultation with an official of MII,the official advised that there is no time limit for such data to be retained. We understand that,in practice,some of the larger scale Internet-related Service Providers may retain the personal data of users without time limit;however,some of the Internet-related Service Providers with small scale may retain such data for 6 months only.
(ii)Internet-related Service Data
It is a legal requirement that the relevant Internet-related Service Provider shall retain the data obtained by it during the course of its providing Internet-related service to the users for a period of not less than 60 days:
Internet Service Providers:Data to be retained shall include log in and log out time,dialing number,account number,URL,domain name and system maintenance log(4);
Internet Email Service Providers:Data to be retained shall include time for sending and receiving of email,email addresses of sender and receiver,IP addresses of emails(5);
Internet Service Providers for Bulletin Board System(“BBS”):Data to be retained shall include the contents posted by users on BBS,posting time,URL and domain names(6);
Internet Access Service Providers:Data to be retained shall include the connecting time of users,users account numbers,URL,domain names,dialing numbers and track record of maintenance of its networks(7);
Internet Access Service Providers and Internet Data Center Service Providers:Data to be retained shall include the records between the URL users and internal IP if the service is provided by means of converting an internal IP and URL(8).
If an Internet-related Service Provider fails to comply with the above-mentioned requirements regarding data retention,it may be subject to the consequences set out in Article 21 of the Administrative Measures on Security Protection for International Connections to Computer Information Networks(《计算机信息网络国际联网安全保护管理办法》):
i)it may be ordered to rectify its wrongful act within a specified period,or a warning may be issued,and its illegal income may be confiscated by the public security authority;or
ii)if the wrongful act is not rectified within the specified period,a fine of up to RMB 5,000 may be imposed on the principal persons responsible for and on other persons directly responsible for the wrongful act,and a fine of up to RMB 10,000 may be imposed on it;
iii)in serious circumstances,its network connection may be suspended for a maximum period of six months and its business may be suspended so that restructuring can be done within the company. If necessary,the relevant regulatory authority may also recommend that the original certificate examination and approval authority to revoke the Internet-related Service Provider's business license or cancel its network connection qualifications.
3.Retention of Data for Public Interest
It is stipulated in Article 57 of the Telecommunication Regulations of the PRC(《电信条例》)that no organization or individual may use a telecommunication network to produce,reproduce,publish or disseminate any of the following contents(“Illegal Contents”):
(a)opposing the basic principles defined in the Constitution;
(b)endangering national security,disclosing state secrets,subverting state political power,or undermining national unity;
(c)damaging the honour or interests of the State;
(d)inciting hatred or discrimination against ethnic minorities,or undermining the unity of nationalities;
(e)undermining state religious policies,or propagating cults or feudalistic superstitions;
(f)disseminating rumours,disrupting public order or undermining social stability;
(g)propagating obscenity,pornography,gambling,violence,homicide or terrorism,or instigating criminal activity;
(h)humiliating or libeling another party,or infringing the lawful rights or interests of another party;and
(i)any other contents prohibited by the law or administrative regulations.
It is further stipulated in Article 62 of the Telecommunication Regulations of the PRC(《电信条例》)that,if a telecommunication service provider discovers that the contents of information being transmitted in its telecommunication network obviously pertains to the types of contents listed in Article 57 of the Telecommunications Regulations,the transmission must be immediately terminated,any records concerned shall be retained,and a report shall be made to relevant state authority(i.e. the public security authority). It is also stipulated in different regulations in the PRC(9) that the Internet Service Providers,Internet News Service Providers and Internet Service Providers for Bulletin Board System shall terminate the transmission of and remove any Illegal Contents,and retain original records of the Illegal Contents and report the matter to the relevant governmental authority(i.e. the public security authority).
If a telecommunications carrier or Internet-related Service Provider fails or delays to take necessary action to prevent the transmission of Illegal Contents,it may be subject to the liabilities set forth in Article 21(10) of the Administrative Measures on Security Protection for International Connections to Computer Information Networks(《计算机信息网络国际联网安全保护管理办法》).
B.Relevant Laws and Regulations on Disclosure or Delivery of Data
1.General Principles on Privacy Protection
(i)Telecommunications Carriers
It is a general principle under the Constitution Law of the PRC(《中华人民共和国宪法》)that the freedom and privacy of communication for citizens in the PRC shall be protected by law,and no individual or organization may infringe any freedom or privacy of communication of any citizen except due to the reasons of protecting national security or conducting criminal investigations,in which case the public security authority or public prosecutor shall conduct the investigations on the communications in accordance with the legal procedures(11)(for further details of the legal procedures,please refer to paragraph 2 below). In addition,it is stipulated in the Temporary Regulations on Confidentiality of Telecommunications(《电信通信保密暂行规定》)that the telecommunications carriers shall maintain the confidentiality of the personal data of the telecommunications users and the contents and records of the communications of the telecommunications users as recorded in their telecommunications networks(12). In the event that any telecommunications carrier contravenes the said regulation,it may be ordered to rectify its wrongful act,its illegal income may be forfeited and a fine of not less than the amount of the illegal income but less than three times of the illegal income may be imposed. In case that the amount of illegal income is less than RMB10,000,a fine of more than RMB10,000 but less than RMB100,000 may be imposed. Further,in case that the circumstance is serious,the telecommunication carrier may be ordered to cease business operation for internal restructuring(13).
(ii)Internet-related Service Providers
It is stipulated in Article 4 of the Administrative Measures on the Security Protection Technology(《互联网安全保护技术措施规定》)that Internet-related Service Providers shall not,except it is otherwise stipulated in the laws and regulations,disclose any information of users obtained by them during the registration process. Further,the Internet-related Service Providers shall take protective security measures to ensure the safety of the Internet and shall not abuse the Internet security measures to infringe the rights of freedom and privacy of communications of their users. In the event that an Internet-related Service Provider contravenes the said requirements,it may be ordered to rectify its wrongful act,its illegal income may be forfeited and a fine of not less than the amount of the illegal income but less than three times of the illegal income may be imposed. In case that the amount of illegal income is less than RMB 10,000,a fine of more than RMB10,000 but less than RMB100,000 may be imposed. Further,in case that the circumstance is serious,the Internet-related Service Provider may be ordered to cease business operation for internal restructuring(14).
2.Delivery/Disclosure of Information
There is no explicit law or regulation in the PRC which allows the law enforcement authorities the ability or right to gain access to any data stored by telecommunications carriers or Internet-related Service Providers remotely or in a particular format,or deliver data to the law enforcement authorities on a regular basis. However,as we have mentioned in the above,the public security authority,the national security authority or public prosecutor may conduct the investigations on the contents of telecommunications in accordance with the legal procedures due to the reasons of protecting national security or conducting criminal investigations. Pursuant to Article 8 of National Security Law(《国家安全法》)and Article 43 of Criminal Procedure Law of the PRC(《刑事诉讼法》),the policemen,prosecutors,official of national security authority and courts may,after showing their relevant identification documents,access the files and documents for the purpose of protecting national security or conducting criminal investigations. With regard to the obtaining of any information from the telecommunications carriers or Internet-related Service Providers,it is stipulated in Article 215 of the Procedures on Investigate Crime of Police(《公安机关办理刑事案件程序规定》)that the emails of the suspects may,after a Retention Notice(扣押通知书)has been issued by the relevant official in the public security authority above provincial level,be retained by the public security authority. In case that the emails of the suspect are no longer required to be retained by the public security authority,a Release of Retention Notice(解除扣押通知书)will be issued by the relevant official in the public security authority above provincial level and a notification will be sent to the relevant telecommunications carrier or Internet-related Service Provider accordingly(15).
In addition,it is stipulated in Article 8 of the of Administrative Measures on Security Protection for International Connections to Computer Information Networks(《计算机信息网络国际联网安全保护管理办法》)that any organization or individual engaging international internet business shall be subject to the supervision,investigation and guidance of the public security authority,and shall disclose information,materials and data documents to it,to assist it to investigate illegal criminal acts which are conducted through Internet networks. There are also provisions under the Implementation Rules of National Security Law(《国家安全法实施细则》)(16) and the Criminal Procedure Law of the PRC(《刑事诉讼法》)(17)which require organization and citizens to provide assistance to public security authority,national security authority,courts and public prosecutor to collect evidence for national security purpose.
Except otherwise stated in the above,there is no explicit law or regulation which governs the procedures that the public security authority,national security authority,court or prosecutor shall comply with in case that any of the said authorities require the telecommunications carriers or Internet-related Service Providers to disclose any data to it. However,we understand that,in practice,the public security authority,national security authority,court or prosecutor will usually issue an “Investigation Assistance Notice”,which will be affixed with the stamp of the relevant authority,to the telecommunications carriers or Internet-related Service Providers in case that it wishes to gain access to any data or information retained by them,and the telecommunications carriers or Internet-related Service Providers will usually provide the data or information as requested.
3.Storage of Data Within or Outside the PRC
There is no express law and regulation in the PRC which prohibits or restricts a telecommunication carrier or Internet-related Service Provider to store the data of the users in overseas;however,in case that the telecommunication carriers and Internet-related Service Providers disclose any contents of communications and records of their users to the third parties,unless such disclosure is legally allowed under the PRC laws,the telecommunication carrier or Internet-related Service Provider may face the risk of breaching the legal confidentiality obligations owed by it to the users,if it remits and stores the data in any servers belong to third parties in overseas(18). For your information,based on the result of anonymous verbal consultations with an official in MII,an affiliate or subsidiary of the telecommunication carrier or Internet-related Service Provider may be regarded as a third party in this regard.
Further,in case that any data remitted by the telecommunication carriers and Internet-related Service Providers which may be regarded as containing “State Secret” of the PRC(19),the telecommunications carriers and Internet-related Service Providers have an obligations to keep the “State Secret” in strict confidence,and any remittance of the data containing “State Secret” to overseas may be regarded as illegal disclosure of “State Secret”. It is also stipulated in Article 26 of the State Secret Protection Law of the PRC(《保守国家秘密法》)that,unless approval is obtained from the relevant supervisory authority,any transmission or postage of any documents,materials or goods containing “State Secret” to overseas is strictly prohibited. Under Article 111 of the Criminal Law of the PRC(《中华人民共和国刑法》),if a person has been successfully charged with obtaining “State Secret” for overseas institutions,organizations or people,he/she may be imposed with a retention or an imprisonment of 5 years to 10 years,or if the circumstance is very serious,he/she may be imposed with a retention or an imprisonment of more than 10 years,or if the circumstance is light,he/she may be imposed with a retention,an imprisonment,a supervision or suspension of political rights of less than 5 years. Therefore,if a telecommunication carrier or Internet-related Service Provider wishes to remit and store data in the servers outside the PRC and such data may contain any information which may be regarded as “State Secret”,there is a risk that it may be alleged to have disclosed “State Secret” to third parties illegally.
