我的书签
添加书签
移除书签2. Internet-related Service Providers
Generally speaking, there are two categories of data that will be obtained by the Internet Service Providers, Internet Access Service Providers and Internet Data Center Service Providers ("Internet-related Service Providers") : (a) personal data of users, which data will be provided by the users when they apply for Internet-related services to be provided by the Internet-related Service Providers; and (b) data recorded in the telecommunications networks, which data will be recorded by Internet-related Service Providers during the course of their provisioning different types of internet-related services to the users, such data may include login or log out time, dialing number, account number, URL, domain name, system maintenance log, time for sending and receiving email, email addresses of sender and receiver, etc. The legal requirements that the Internet-related Service Providers shall comply with in data retention are varied, depending on the nature of the data obtained by them:
(i) Users Personal Information
It is a legal requirement under the PRC that the Internet-related Service Providers shall record the personal data of the users before the users use the Internet-related services〔3〕. There is no specific law or regulation which governs the minimum period that the personal data of the Internet users shall be retained. Based on our anonymous verbal consultation with an official of MII, the official advised that there is no time limit for such data to be retained. We understand that, in practice, some of the larger scale Internet-related Service Providers may retain the personal data of users without time limit; however, some of the Internet-related Service Providers with small scale may retain such data for 6 months only.
(ii) Internet-related Service Data
It is a legal requirement that the relevant Internet-related Service Provider shall retain the data obtained by it during the course of its providing Internet-related service to the users for a period of not less than 60 days:
● Internet Service Providers: Data to be retained shall include log in and log out time, dialing number, account number, URL, domain name and system maintenance log〔4〕;
● Internet Email Service Providers: Data to be retained shall include time for sending and receiving of email, email addresses of sender and receiver, IP addresses of emails〔5〕;
● Internet Service Providers for Bulletin Board System ("BBS") : Data to be retained shall include the contents posted by users on BBS, posting time, URL and domain names〔6〕;
● Internet Access Service Providers: Data to be retained shall include the connecting time of users, users account numbers, URL, domain names, dialing numbers and track record of maintenance of its networks〔7〕;
● Internet Access Service Providers and Internet Data Center Service Providers:Data to be retained shall include the records between the URL users and internal IP if the service is provided by means of converting an internal IP and URL〔8〕.
If an Internet-related Service Provider fails to comply with the above-mentioned requirements regarding data retention, it may be subject to the consequences set out in Article 21 of the Administrative Measures on Security Protection for International Connections to Computer Information Networks (《计算机信息网络国际联网安全保护管理办法》):
i) it may be ordered to rectify its wrongful act within a specified period, or a warning may be issued, and its illegal income may be confiscated by the public security authority; or
ii) if the wrongful act is not rectified within the specified period, a fine of up to RMB 5,000 may be imposed on the principal persons responsible for and on other persons directly responsible for the wrongful act, and a fine of up to RMB 10,000 may be imposed on it;
iii) in serious circumstances, its network connection may be suspended for a maximum period of six months and its business may be suspended so that restructuring can be done within the company. If necessary, the relevant regulatory authority may also recommend that the original certificate examination and approval authority to revoke the Internet-related Service Provider's business license or cancel its network connection qualifications.
