Reed Smith Client Alerts

On February 1, 2019, the National Information Security Standardization Technical Committee issued draft amendments (Amendments) to the national standard governing the protection of personal information, formally entitled “Information Security Technology – Personal Information Security Specification” (Standards, effective May 1, 2018). Although the Standards are not legally binding, they provide guidance on interpreting China’s Cybersecurity Law (CSL) and set out best practices for the collection and processing of personal information in China. See our previous client alert on the Standards. The Amendments, on which public comments are to be submitted by March 3, 2019, introduce new requirements and clarify existing requirements in the six areas addressed below. If adopted, the Amendments would bring the Standards closer in line with other leading privacy regimes such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Authors: Xiaoyan Zhang, Vincent James (Jim) Barbuto, Trevor J. Satnick, Amy Yin, Catherine Jing

Content personalization (new)

Two types of companies that provide personalized content to individuals are subject to this amendment. First, content providers that curate personalized news or information based on a data subject’s browsing history, interests, and other online data are required to give notice that a personalization service is being provided and to give data subjects the right to opt out.

Second, the amendment requires that companies that tailor ads and offers to individuals based on their purchase or search histories also offer product and service options that are not tailored to that particular data subject.

Breach notification (revised)

The Amendments narrow the scope of the Standards’ notification requirement. While the Standards require notification to data subjects after any security incident, the Amendments require the data controller to notify data subjects only when their rights and interests might be affected by a breach.

The Amendments also require that a breach be reported to the Cyberspace Administration of China or its local counterparts if it either affects the personal information of more than one million data subjects or involves sensitive personal information that may affect China’s national security (such as genetic information, biometrics, and medical records).

Record-keeping (new)

The Amendments recommend that data controllers establish and maintain records of their data collection and processing activities, including: (i) identifying the category, quantity, and source of the personal information collected; (ii) distinguishing data processing activities (such as sharing and cross-border transfer) by business function and by the authorization obtained; and (iii) identifying the systems, individuals, and entities involved in processing the personal information.