On January 2, 2018, the Standardization Administration of China (SAC) issued the final version of the national standards governing the protection of personal information, formally entitled “GB/T 35273-2017 Information Security Technology – Personal Information Security Specification” (Standards). The Standards come into effect on May 1, 2018. Although the Standards are only recommendations for now, they could be deemed mandatory at a later date. The Standards are an important development as they explain critical data protection concepts introduced in China’s Cybersecurity Law (CSL) and set forth best practices for the collection, retention, use and sharing of personal information. Furthermore, the Standards define key privacy concepts such as “sensitive personal information,” “informed consent” and “explicit consent,” all of which are currently absent in the mandatory People’s Republic of China (PRC) privacy laws and regulations.
The Standards, for the first time, adopt the EU concepts of “data subject,” “data controller” and “data processors,” and they also adopt the eight Organisation for Economic Co-operation and Development privacy principles.