The regulations, require IISPs to "provide [users with] clear and complete information on software functions and other information" and obtain their consent prior to conducting "operations on user terminals such as downloading, installation, running, upgrading or uninstallation of software".
IISPs are prohibited from deceptive, misleading or forceful practices that convince users to "download, install, run, upgrade and uninstall software" and are required to give users a method for uninstalling software that is at least as "convenient" as the method for installation. IISPs are generally barred from "leaving executable codes or other unnecessary files on user terminals after the software is uninstalled".
Chinese law expert William Soileau of Pinsent Masons, the law firm behind Out-Law.com, said that the rules would benefit Chinese industry and consumers.
"The rest of the world typically views China's internet policy as the monolithic realm of pervasive censors and great firewalls. But the reality on the ground is one of fiercely freewheeling competition and creativity, mostly untouched by official policy," he said. "The new regulations will establish China as a leader in the protection of online consumer rights."
"China has perhaps over 500 million internet users, giving it the largest and still one of the fastest growing internet markets in the world. China sees the Internet as an important engine for economic growth, a catalyst for both new technologies and new markets, so it has every interest in ensuring good market order." he said.
Under the new regulations IISPs are not allowed to collect personal data about users nor pass that information on to others without consent "unless it is otherwise provided by laws or administrative regulations". When permission has been granted, IISPs are still required to "clearly inform users of the methods, contents and purposes for collecting and processing the personal information of users". They are banned from collecting any personal information that is "unnecessary for providing services" and cannot use the data it has "for purposes other than providing services".
The regulations require that IISPs keep personal information "properly" and take immediate "remedial measures" if data is, or could be, "divulged".
In circumstances where users upload data to services provided by IISPs those companies must "strengthen system security protection, protect the security of information uploaded by users according to law, and guarantee the use, modification and deletion of the information uploaded by users".
IISPs are prohibited from altering or deleting uploaded personal data without a "justifiable reason", or from passing on the information to others other than in order to comply with legal or administrative requirements. Where users upload data IISPs are also banned from "transferring" that data without consent or "under the guise of users' names", or from "deceiving, misleading or forcing users to transfer the information they uploaded".
IISPs that allow pop-up advertising or other "information windows" must provide users with "functional signs" in a "conspicuous manner" that allow them to close or exit the window.
The regulations set out that IISPs are also prohibited from infringing upon certain defined "legitimate rights and interests" of other IISPs.
Activity banned includes "maliciously interfering" with services provided by rivals "on user terminals" or "with the downloading, installation, running and upgrading of software and other products" related to IISPs.
Spreading or "fabricating" false information that damages legitimate rights and interest of other IISPs, or "denigrating" the services or products they provide is also prohibited. "Maliciously modifying or deceiving, misleading or forcing users to modify the parameters of services or products of other internet information service providers" is also an offence.
The regulations also do not permit IISPs to refuse, delay or suspend their "provision" of services or products "without any justifiable reason" for doing so. IISPs are banned from providing users with products through the use of "deceit, force or misleading" behaviour or from altering service agreements or business rules with users "without authorisation" where the change results in a reduction in service quality or increase in user responsibility.
Users' browser configurations and other settings also cannot be changed by IISPs "without reminding users and obtaining their voluntary consent".
The regulations require that all "those engaged in internet information services and activities" comply with the laws and that various "telecommunications administrative organs" at provincial, regional and municipal level supervise the activities of those internet information services.
Online information service providers are obliged to deliver their services "under the principles of equality, free will, fairness and good faith."
IISPs that break the regulations could face fines between 10,000 and 30,000 yuan (between approximately £1,000 and £3,000) and be forced to make changes to their service.
"The regulations should be a good thing for consumers and the industry," said Soileau. "The regulations are drafted in fairly general terms, and the fines are really just symbolic. But this is an important effort to establish a set of working principles and guidelines for consumer protection and data protection in this area."
