On January 2, 2018, the Standardization Administration of China (SAC) issued the final version of the national standards governing the protection of personal information, formally entitled “GB/T 35273-2017 Information Security Technology – Personal Information Security Specification” (Standards). The Standards come into effect on May 1, 2018. Although the Standards are only recommendations for now, they could be deemed mandatory at a later date. The Standards are an important development as they explain critical data protection concepts introduced in China’s Cybersecurity Law (CSL) and set forth best practices for the collection, retention, use and sharing of personal information. Furthermore, the Standards define key privacy concepts such as “sensitive personal information,” “informed consent” and “explicit consent,” all of which are currently absent in the mandatory People’s Republic of China (PRC) privacy laws and regulations.
The Standards, for the first time, adopt the EU concepts of “data subject,” “data controller” and “data processors,” and they also adopt the eight Organisation for Economic Co-operation and Development privacy principles.
Personal information vs. sensitive information
The Standards expand the definition of “personal information” in CSL, which refers to information that can be used to identify a person if used separately or in combination with other information. Under the Standards “personal information” now includes additional information reflecting a person’s activities such as geolocation data and browsing history. “Sensitive information” is more narrowly defined to include information that, if leaked, illegally provided or used without authorization, will endanger human rights and property interest, or cause damages to reputation, physical and mental health, or lead to discriminatory treatment. Examples of sensitive information include a person’s precise location, biometric information and personal information of minors under 14 years old.
Basic principles of collection, retention and use of data
Similar to the General Data Protection Regulation (GDPR), data controllers are recommended to follow basic principles during the collection, retention, use, sharing, transfer and disclosure of personal information. These basic principles include accountability, purpose specification and fairness, consent, data minimization, openness, security and data subject’s rights.
Consent for data processing
The Standards include stronger requirements for consent. Informed consent must be given before data controllers collect and use personal information. New informed consent must be given thereafter when the scope of data collection and use expands. The consent request must be intelligible, use clear and plain language and be easily accessible. It must also include the purposes of processing the personal information.
In situations where the data controller wishes to process sensitive personal information, the data subject must give “explicit consent.” Explicit consent is defined as express consent given by a data subject in writing or through other affirmative actions. A data controller is also required to provide the means for the data subject to withdraw their consent.
Consent is not required to collect and process personal information when, inter alia, it is necessary for criminal investigation, troubleshooting products and services, news reporting or performing a contract. The Appendix of the Standards provides templates and examples of how consent should be obtained for collecting and processing personal information.
Rights of data subjects
Use of data processors, incident response and data sharing
Additionally, the Standards set out other critical provisions relating to the use of data processors, incident response and data sharing. Regarding the use of vendors and data processors, the Standards require data controllers to conduct risk assessments before outsourcing data processing. Controllers must monitor data processors by way of conducting audits and security assessments. Data processors must promptly notify controllers when they are “unable to offer an adequate level of security” or when processing exceeds the scope of the controller’s instructions.
With regard to cyber incidents, the Standards require organizations to implement information security incident response plans, conduct training and emergency drills (at least annually), adhere to the “National Network Security Incident Contingency Plan” issued by the Cyberspace Administration of China for notification of incidents to authorities, and notify affected individuals of security incidents. There is no specific time period within which breach notification is required. Nor is there a harm threshold defined as to when a breach is deemed material. Notably, under CSL “network operators” are required to notify regulators and affected individuals of an incident when there has been an actual or potential “leakage, damage, or loss” of personal data. Further clarification as to what constitutes a “potential” breach is needed.
Finally, in circumstances where parties wish to share or transfer personal information, prior notice and consent from the data subject are required. Data controllers must keep records of the sharing and transfer, and they are ultimately responsible for any harm suffered by the data subjects. Different rules for data sharing are applied in the cases of merger, acquisition, corporate reorganizations and “other kinds of [corporate] change.”
Businesses that collect and/or process personal information in China should compare the new Standards with their current practice to identify potential gaps. Particular attention should be given to the areas of consent, data processing contracts, security incident response plans and privacy policies.
Client Alert 2018-033