律师之道（一）如何起草法律备忘录之实例推演（上）

下面将通过实例来对上文提到的要点进行说明。

一客户的要求

首先客户作出了一个很简单的指示。客户是一个电信运营商，他要求备忘录应阐述他在两个方面的义务：第一，客户的信息保存义务;第二，依据法，客户被要求提供信息的义务。

二对于客户信息保护义务部分的分析

1. 关于电信运营商的义务

就电信运营商的义务，备忘录在第一部分列举了一系列规范电信运营商保存信息的法律法规，包括《邮电部关于市内电话业务规程》和《电信服务规范》等，对每一类服务涉及哪些信息，需要保存信息的时间和法律依据都作出了说明，并对服务中断的情形下进行信息保存的义务进行了说明。

为了让结构合理，使客户看起来比较清晰，所以在备忘录中，将信息分为两类，第一类是用户个人信息保留时间为5年，第二类是账单需要保存5个月，另外，重大电信中断时，保存的信息和保存时间不一样。同时指出上述信息不保存的法律后果。

2. 关于网络服务供应商的义务

由于网络服务供应商和电信运营商接触的资料不一样，所以其义务和电信运营商的义务不同。网络服务供应商，包括网络服务供应商、网络邮件服务供应商、BBS服务供应商和网络准入服务商，备忘录分别列举了不同的供应商需要保留的信息，及所有这些信息保留时间的要求，随后是关于如果违反该规定的法律后果的分析。

三对于信息披露义务部分的分析

客户提的第二个问题是在什么情况下需要披露信息?

备忘录第一部分是关于个人信息保护的规定。由于这方面的规定比较少，这里就进行了一般性的介绍。对于个人信息的保护，由于对电信运营商和供应商的要求不一样，所以就分类介绍。

第二部分是关于特殊情况下披露信息的要求。说明虽然没有明确的法律规定电信运营商应披露其在运营中取得的信息，但按照《安全法》、《刑事诉讼法》等法律的规定，应向公、检、法及安全机构提供信息。

第三部分是关于信息在境内保存和境外保存是否有相应要求。由于客户是境外公司，客户服务器很有可能是放在境外的，因此这是客户所希望知道的。这里主要告诉客户基本的法规，和不同的公司、企业和服务者需要符合的条件，以及如果违反上述规定所产生的相应后果。一般在法规有明确规定的情况下，就写规定，如果规定有不足的，可以做咨询。咨询的结果应当在备忘录中有所体现，并且在备忘录中写明，就此问题没有法律依据，咨询结果如何，但该咨询结果有可能发生改变。因为咨询结果可能由于受咨询部门的地点甚至不同官员的回答产生差异。特别是如果没有限定在某一地点进行，将来如果在当地产生的结果不一样，客户也能够理解。

具体写法如下：

M E M O R A N D U M

To: XXX

Co: BBB

From:

Date: [ ],2008

Re: General Legal Requirements on the Retention and Delivery of Data  in the  PRC

We refer the email from XXX dated [ ], 2008 regarding the legal  advice  required by DEF in respect of the general legal requirements  in the People's  Republic of China (“PRC”) on the retention and  delivery of data by  telecommunications carriers and Internet service  providers operating under the  laws of the PRC. As instructed, we have  conducted updated legal research under  the laws of the PRC and below  are our preliminary advice in this regard for your  reference:

A. General Legal Requirements on Data Retention in the PRC

Under the PRC laws, the telecommunications carriers and Internet  service  providers shall comply with the applicable legal requirements  regarding data  retention when they provide different types of  telecom-related or  Internet-related services to the users:

1. Telecommunications Carriers

Generally speaking, there are two categories of data that will be  obtained by  the telecommunications carriers: (a) personal data of  users, which data will be  provided by the users when they apply for  telecom services to be provided by the  telecommunications carriers;  and (b) billing data recorded in the  telecommunications networks,  which data will be recorded by the  telecommunications carriers during  the course of their providing different types  of telecom-related  services to the users, such as, domestic calls, domestic long  distance calls, mobile calls and domestic IP calls. The legal  requirements that  the telecommunications carriers shall comply with  in retention of data are  varied, depending on the nature of the data  obtained by them:

(i) Users Personal Information

The telecommunications carriers shall record the personal data of the  users  in registration cards and enter into agreements with the users  when they install  or transfer the telephone lines for the users[1].  The registration card shall be  completed by each of the users, and  the personal data of the user (such as, name  of user, installation  address, employer, ID card number, etc) shall be verified  by the  telecommunications carriers. Further, the telecommunications carriers  shall retain all records of the users (including telephone line  installation  records) and related agreements for a period of not less  than 5 years after the  date of termination of each of the agreements.

(ii) Billing Data

The telecommunications carriers shall, during the ordinary course of  their  providing different types of telecom-related services to the  users, such as,  domestic calls, domestic long distance calls, mobile  calls and domestic IP  calls, retain the original billing data for no  less than 5 months[2]. There is  no explicit law or regulation in the  PRC which governs the scope of the billing  data to be retained by the  telecommunications carriers. Based on our anonymous  verbal  consultation with an official of Ministry of Information Industry of  the  PRC (“MII”), “billing data” shall include dialing and dialed  numbers, numbers of  the sender and receiver of messages, time when a  call or message is made,  duration of call or message and calling  tolls or message charges.

Further, in the event that there is a material telecommunications  outage, the  telecommunications carriers shall retain all data related  to the outage for at  least 6 months. Again, there is no legal  definition as to what will constitute a  “material telecommunications  outage”; however, based on our anonymous verbal  consultation with an  official of MII, in practice, a “material telecommunication  outage”  usually refers to an outage of telecommunications services which  affect  more than 100,000 households in an hour.

Pursuant to Article 19 of the Telecommunication Services Rules  (电信服务规范), if a  telecommunications carrier fails to comply with the  above-mentioned requirements  on data retention, the  telecommunications regulatory authority may request it to  rectify its  wrongful within a specified period, failing which a fine of more  than  RMB10,000 and less than RMB 30,000 may be imposed on the  telecommunications  carrier.

2. Internet-related Service Providers

Generally speaking, there are two categories of data that will be  obtained by  the Internet Service Providers, Internet Access Service  Providers and Internet  Data Center Service Providers  (“Internet-related Service Providers”): (a)  personal data of users,  which data will be provided by the users when they apply  for  Internet-related services to be provided by the Internet-related  Service  Providers; and (b) data recorded in the telecommunications  networks, which data  will be recorded by Internet-related Service  Providers during the course of  their provisioning different types of  internet-related services to the users,  such data may include login  or log out time, dialing number, account number,  URL, domain name,  system maintenance log, time for sending and receiving email,  email  addresses of sender and receiver, etc. The legal requirements that the  Internet-related Service Providers shall comply with in data retention  are  varied, depending on the nature of the data obtained by them:

(i) Users Personal Information

It is a legal requirement under the PRC that the Internet-related  Service  Providers shall record the personal data of the users before  the users use the  Internet-related services[3]. There is no specific  law or regulation which  governs the minimum period that the personal  data of the Internet users shall be  retained. Based on our anonymous  verbal consultation with an official of MII,  the official advised  that there is no time limit for such data to be retained.  We  understand that, in practice, some of the larger scale  Internet-related  Service Providers may retain the personal data of  users without time limit;  however, some of the Internet-related  Service Providers with small scale may  retain such data for 6 months only.

(ii) Internet-related Service Data

It is a legal requirement that the relevant Internet-related Service  Provider  shall retain the data obtained by it during the course of  its providing  Internet-related service to the users for a period of  not less than 60 days:

Internet Service Providers: Data to be retained shall include log in  and log  out time, dialing number, account number, URL, domain name  and system  maintenance log[4];

Internet Email Service Providers: Data to be retained shall include  time for  sending and receiving of email, email addresses of sender  and receiver, IP  addresses of emails[5];

Internet Service Providers for Bulletin Board System (“BBS”): Data to  be  retained shall include the contents posted by users on BBS,  posting time, URL  and domain names[6];

Internet Access Service Providers: Data to be retained shall include  the  connecting time of users, users account numbers, URL, domain  names, dialing  numbers and track record of maintenance of its networks[7];

Internet Access Service Providers and Internet Data Center Service  Providers:  Data to be retained shall include the records between the  URL users and internal  IP if the service is provided by means of  converting an internal IP and  URL[8].

If an Internet-related Service Provider fails to comply with the  above-mentioned requirements regarding data retention, it may be  subject to the  consequences set out in Article 21 of the  Administrative Measures on Security  Protection for International  Connections to Computer Information  Networks(《计算机信息网络国际联网安全保护管理办法》):

i) it may be ordered to rectify its wrongful act within a specified  period,  or a warning may be issued, and its illegal income may be  confiscated by the  public security authority; or

ii) if the wrongful act is not rectified within the specified period,  a fine  of up to RMB 5,000 may be imposed on the principal persons  responsible for and  on other persons directly responsible for the  wrongful act, and a fine of up to  RMB 10,000 may be imposed on it;

iii) in serious circumstances, its network connection may be  suspended for a  maximum period of six months and its business may be  suspended so that  restructuring can be done within the company. If  necessary, the relevant  regulatory authority may also recommend that  the original certificate  examination and approval authority to revoke  the Internet-related Service  Provider's business license or cancel  its network connection qualifications.

3. Retention of Data for Public Interest

It is stipulated in Article 57 of the Telecommunication Regulations  of the  PRC(《电信条例》) that no organization or individual may use a  telecommunication  network to produce, reproduce, publish or  disseminate any of the following  contents (“Illegal Contents”):

(a) opposing the basic principles defined in the Constitution;

(b) endangering national security, disclosing state secrets,  subverting state  political power, or undermining national unity;

(c) damaging the honour or interests of the State;

(d) inciting hatred or discrimination against ethnic minorities, or  undermining the unity of nationalities;

(e) undermining state religious policies, or propagating cults or  feudalistic  superstitions;

(f) disseminating rumours, disrupting public order or undermining  social  stability;

(g) propagating obscenity, pornography, gambling, violence, homicide  or  terrorism, or instigating criminal activity;

(h) humiliating or libeling another party, or infringing the lawful  rights or  interests of another party; and

(i) any other contents prohibited by the law or administrative  regulations.

It is further stipulated in Article 62 of the Telecommunication  Regulations  of the PRC(《电信条例》)that, if a telecommunication service  provider discovers that  the contents of information being transmitted  in its telecommunication network  obviously pertains to the types of  contents listed in Article 57 of the  Telecommunications Regulations,  the transmission must be immediately terminated,  any records  concerned shall be retained, and a report shall be made to relevant  state authority (i.e. the public security authority). It is also  stipulated in  different regulations in the PRC[9] that the Internet  Service Providers,  Internet News Service Providers and Internet  Service Providers for Bulletin  Board System shall terminate the  transmission of and remove any Illegal  Contents, and retain original  records of the Illegal Contents and report the  matter to the relevant  governmental authority (i.e. the public security  authority).

If a telecommunications carrier or Internet-related Service Provider  fails or  delays to take necessary action to prevent the transmission  of Illegal Contents,  it may be subject to the liabilities set forth  in Article 21[10] of the  Administrative Measures on Security  Protection for International Connections to  Computer Information  Networks (《计算机信息网络国际联网安全保护管理办法》).

-------------------------

[1] Articles 12 and 94 of Business Rules on Fixed Telephony of  Ministry of  Post (《邮电部关于市内电话业务规程》).

[2] Appendices 1.1.2, 2.1.9, 4.1.7 6.7 and 7 of the Telecommunication  Services Rules (电信服务规范).

[3] Articles 8, 10 and 13 of the Provisions on Internet Security  Protection  Technology Measures (《互联网安全保护技术措施规定》).

[4] Article 7 of the Provisions on Internet Security Protection  Technology  Measures (《互联网安全保护技术措施规定》).

[5] Article 7 of the Internet Email Service Administration  Measures(《互联网电子邮件服务管理办法》).

[6] Articles 14 and 15 of the Provisions on Internet Bulletin Board  System  Service(《互联网电子公告服务管理规定》).

[7] Article 14 of the Regulations on Internet Information Service  Administration (《互联网信息服务管理规定》).

[8] Articles 8 and 10 of the Provisions on Internet Security  Protection  Technology Measures (《互联网安全保护技术措施规定》).

[9] Article 10 of the Administrative Measures on Security Protection  for  International Connections to Computer Information Networks  (《计算机信息网络国际联网安全保护管理办法》), Articles 9 and 10 of the Administrative  Measures on the  Security Protection Technology (《互联网安全保护技术措施规定》),  Article 16 of the Internet  Regulations on Information Service  Administration (《互联网信息服务管理办法》), Article 13 of  the Provisions on  Internet Bulletin Board System Service(《互联网电子公告服务管理规定》 and  Article 20  of the Regulations on Internet News Information Service  Administration (《互联网新闻信息服务管理规定》).

[10] The Internet-related Service Provider (i) may be ordered to  rectify its  wrongful act within a specified period, or a warning may  be issued and its  illegal income may be confiscated by the public  security authority; or (ii) if  the wrongful act is not rectified  within the specified period, a fine of up to  RMB 5,000 may be imposed  on the principal persons responsible and on other  persons directly  responsible for the wrongful act, and a fine of up to RMB  10,000 on  the unit; or (iii) in serious circumstances, its network connection  may be suspended for a maximum period of six months and its business  may be  suspended so that restructuring can be done in the company. If  necessary, the  relevant regulatory authority may also recommend that  the original certificate  examination, approval and issuing authority  revoke the Internet-related Service  Provider‘s business license or  cancel its network connection qualifications.

文章内容截取自北京大学出版社2010年出版的《律师之道