strictly implement information security management responsibilities, including, but not limited to: (i) authenticate the identity of the registered users, (ii) protect user information and obtain users’ consents for collecting and using their personal information in a lawful manner, (iii) establish information content audit and management mechanism, and prohibit any content in violation of laws or regulations, and (iv) record and keep users’ logged information for 60 days.
Regulations on Internet Security
Internet information in China is regulated and restricted from a national security standpoint. The SCNPC, has enacted the Decisions on Maintaining Internet Security on December 28, 2000, amended on August 27, 2009, which may subject violators to criminal punishment in China for any effort to: (i) gain improper entry into a computer or system of strategic importance; (ii) disseminate politically disruptive information; (iii) leak state secrets; (iv) spread false commercial information; or (v) infringe intellectual property rights. In 1997, the Ministry of Public Security has promulgated measures that prohibit use of the internet in ways which, among other things, result in a leakage of state secrets or a spread of socially destabilizing content. If an internet information service provider violates these measures, the Ministry of Public Security and the local security bureaus may revoke its operating license and shut down its websites.
On November 7, 2016, the SCNPC promulgated the Network Security Law of the PRC, or the Network Security Law, which became effective on June 1, 2017. The Network Security Law requires network operators, including online lending information intermediaries, to comply with laws and regulations and fulfill their obligations to safeguard security of the network when conducting business and providing services. The Network Security Law further requires network operators to take all necessary measures in accordance with applicable laws, regulations and compulsory national requirements to safeguard the safe and stable operation of the networks, respond to network security incidents effectively, prevent illegal and criminal activities, and maintain the integrity, confidentiality and usability of network data.
Regulations on Privacy Protection
In December 2011, the MIIT issued The Several Provisions on Regulating the Market Order of Internet Information Services, which provides that an internet information service provider may not collect any user’s personal information or provide any such information to third parties without such user’s consent. Pursuant to The Several Provisions on Regulating the Market Order of Internet Information Services, internet information service providers are required to, among others, (i) expressly inform the users of the method, content and purpose of the collection and processing of such users’ personal information and may only collect such information necessary for the provision of its services; and (ii) properly maintain the users’ personal information, and in case of any leak or possible leak of a user’s personal information, online lending service providers must take immediate remedial measures and, in severe circumstances, make an immediate report to the telecommunications regulatory authority.
In addition, pursuant to the Decision on Strengthening the Protection of Online Information, issued by the SCNPC in December 2012, and the Order for the Protection of Telecommunication and Internet User Personal Information, issued by the MIIT in July 2013, any collection and use of any user personal information must be subject to the consent of the user, and abide to the applicable law, rationality and necessity of the business and fall within the specified purposes, methods and scopes in the applicable law.
Pursuant to the Ninth Amendment to the Criminal Law, issued by the SCNPC in August 2015, which became effective in November, 2015, any internet service provider that fails to fulfill its obligations related to internet information security administration as required under applicable laws and refuses to rectify upon orders, shall be subject to criminal penalty. In addition, Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Personal Information, issued on May 8, 2017 and became effective on June 1, 2017, clarified certain standards for the conviction and sentencing of the criminals in relation to personal information infringement.
In addition, the PRC General Provisions of the Civil Law, promulgated on March 15, 2017, which became effective on October 1, 2017, require personal information of individuals to be protected. Any organization or individual requiring personal information of others shall obtain such information legally and ensure the security of such information, and shall not illegally collect, use, process, or transmit such personal information, or illegally buy, sell, provide, or publish such personal information.
Furthermore, the Interim Measures require online lending information intermediaries to reinforce the management of lenders’ and borrowers’ information, so as to ensure the legitimacy and security regarding the collection, processing and use of lenders’ and