Reed Smith Client Alerts

After much anticipation and public comment, on January 2, 2018, the Standardization Administration of China (SAC) issued the final version of the national standards governing the protection of personal information, “GB/T 35273-2017 Information Security Technology – Personal Information Security Specification” (Standards), effective May 1, 2018. The Standards are an important development as they explain critical data protection concepts introduced in China’s Cybersecurity Law (CSL) and set forth best practices for the collection, retention, use and sharing of personal information. Furthermore, the Standards define key privacy concepts such as “sensitive personal information,” “informed consent” and “explicit consent,” all of which are currently absent in the mandatory People’s Republic of China (PRC) privacy laws and regulations. Although the Standards are only recommendations for now, they could be deemed mandatory at a later date. Businesses that collect and/or process personal information in China should compare the new Standards with their current practice to identify potential gaps. Particular attention should be given to the areas of consent, data processing contracts, security incident response plans and privacy policies.

Authors: Xiaoyan Zhang, Amy Yin

On January 2, 2018, the Standardization Administration of China (SAC) issued the final version of the national standards governing the protection of personal information, formally entitled “GB/T 35273-2017 Information Security Technology – Personal Information Security Specification” (Standards). The Standards come into effect on May 1, 2018. Although the Standards are only recommendations for now, they could be deemed mandatory at a later date. The Standards are an important development as they explain critical data protection concepts introduced in China’s Cybersecurity Law (CSL) and set forth best practices for the collection, retention, use and sharing of personal information. Furthermore, the Standards define key privacy concepts such as “sensitive personal information,” “informed consent” and “explicit consent,” all of which are currently absent in the mandatory People’s Republic of China (PRC) privacy laws and regulations.

The Standards, for the first time, adopt the EU concepts of “data subject,” “data controller” and “data processor,” and they also adopt the eight Organisation for Economic Co-operation and Development (OECD) privacy principles.