Content personalization (new)
Two types of companies that provide personalized contents to individuals are subject to this amendment. First, content providers that curate personalized news or information based on the data subject’s browsing history, interests, and other online data are required to provide notice that a personalization service is being provided and give data subjects the right to opt-out.
Second, the amendment requires that companies looking to tailor ads and offers to target individuals based on their purchase or search histories also provide product and service options that are not tailored to that particular data subject.
Breach notification (revised)
The Amendments narrow the scope of the notification requirement of the Standards. While the Standards require notification to data subjects after any security incident, the Amendments require that the data controller notify only when data subjects’ rights and interests might be impacted by a breach.
The Amendments also require that a breach either affecting the personal information of more than one million data subjects or involving sensitive personal information affecting China’s national security (such as gene information, biometrics, and medical records) be reported to the Cyberspace Administration of China or its local counterparts.
Record-keeping (new)
The Amendments recommend that data controllers establish and maintain records of their data collection and processing activities, including: (i) identifying the category, quantity, and source of the personal information being collected; (ii) distinguishing data processing activity (such as sharing and cross-border transfer) based on different business functions and authorization; and (iii) identifying the systems, individuals, and entities that are involved with personal information processing.
Independent third parties (new)
The Amendments set out new requirements governing how a data controller interfaces with an independent third party capable of collecting personal information but not as a processor or a co-controller. Under these circumstances, the data controller is required to:
- Establish management controls and work flow for the third-party interface
- Specify security and privacy obligations of each party through contractual terms and keep the contract for the official’s inspection
- Inform data subjects if a particular product or service is provided by a third party
- Require third parties to obtain any necessary consent to process personal information in accordance with the Standards
- Ensure that third parties have a process in place for handling data subject requests
- Monitor third parties’ compliance with their security and privacy obligations and disable the interface to the third-party product when necessary
- Inspect and audit automated tools provided by third parties for compliance with their security and privacy obligations and for processing data within the agreed scope.
This new amendment appears to be in line with privacy regulations in the other jurisdictions. For example, under the GDPR, a data controller must ensure that any comingling of data generated from independent sources does not result in the data controller using that data in a manner that the data subject has not previously agreed to. The CCPA similarly requires disclosure of the intended use of any communication or transfer of a consumer’s personal information by a CCPA-covered business to a third party (with exceptions) for monetary or other valuable consideration, gives consumers over 16 years old the right to opt-out, and those less than 16 years old the affirmative right to opt-in to that disclosed use.
Notice and consent (revised)
While the Standards contain relatively robust consent requirements, the Amendments take these further in at least three ways. Under the current Standards, the collection of personal information and its subsequent use is subject to prior consent of data subjects, and new consent is required for data processing exceeding the original purpose. The collection of sensitive personal information requires explicit consent that is freely given, specific, and unambiguous. Moreover, a different form of consent applies to sensitive personal information based on whether a product feature is deemed “core” or “ancillary.” Data controllers can obtain “singular” consent from the data subject for the provision of core features. Ancillary features, however, require that data subjects consent to each individual feature. If a data subject chooses not to consent to any ancillary feature, the data controller cannot deprive the data subject of core features.
First, the Amendments revise a “core” feature to a “basic” feature, which is defined to include the main features of the product or service that would be apparent to data subjects when they initially signed up or purchased the product or service, and an “ancillary” feature to an “extended” feature, which is defined to include any features beyond the basic, and further provide criteria to distinguish such two types of features of the product or service.
Further, while data subjects must opt-in to collection of personal information, opt-out methods should also be easily accessible. If the data subject does not consent to any of the extended features, repeatedly asking for consent or hampering other services to encourage consent is prohibited.
Finally, the Amendments call for a more robust privacy policy, requiring that data controllers disclose the information collected and whether that information falls under a “basic” or “extended” feature. Data protection principles, security controls, and information on cross-border data transfers must also be included in the policy.
Exemptions (revised)
The Amendments add Article 5.7, which provides 10 scenarios where consent is not required for the collection and processing of personal information. This Article modifies the Standards’ previous Article 5.4 by including an exemption for “complying with legal obligations,” and by eliminating the exemption of contractual obligations. The exemptions provided by Article 5.7 are narrower in scope than the GDPR, which similarly provides for compliance with legal obligations, but additionally allows for the processing of personal data pursuant to the lawful basis that such processing is necessary to enter into or perform a contract.
Implications
The Amendments expand upon the data subject’s rights and privileges granted under the original Standards, but at the same time also attempt to ease the burden placed on data controllers. If adopted, the Amendments would bring the Standards closer in line with some of the strictest privacy regulations in the world. Notably, the Standards appear to adopt concepts such as “controllers,” “processors,” and “data subjects” from the GDPR, which do not exist in the mandatory regulations such as the CSL. International businesses thus face the challenge of bridging the gap when interpreting the CSL and other mandatory laws based on the stricter requirements of the amended Standards.
Client Alert 2019-046