On 24 October 2019 the App Governance Panel released a revised version of the Personal Information Security Specification for public consultation following the previous draft versions published in June and January 2019 (for further information please see "Amended personal information security specifications released for public comment").(1)

The revised draft includes the following amendments:

  • Data subjects should not be forced to consent to the collection of their personal information on the grounds of improved quality of service, user experience or security or for the research and development of new products.
  • The following requirements must be met with regard to users' unsubscribing from an online service:
    • an easily navigable interface should be created to allow data subject's to unsubscribe without difficulty;
    • requests to unsubscribe should be dealt with within 15 days;
    • if a data controller needs to verify a data subject's identity, no further information than that collected during the registration for and use of a service should be required;
    • if sensitive personal information is required to unsubscribe, what will happen to this data after the identity verification has been completed should be specified; and
    • no unreasonable conditions or additional obligations should be imposed on data subjects that wish to unsubscribe.
  • If a data controller finds that a data processor has failed to process information as agreed or to take adequate measures to protect said information, it should immediately require the processor to stop any processing or take effective remedial measures to control or remove the security risk. If necessary, the data controller should terminate its business relationship with the data processor and require it to delete any personal information provided.
  • If a data controller jointly manages personal information with a third party, the parties should enter into a contract to determine their security requirements and obligations to protect personal information and notify data subjects in case of any breaches. If a data controller fails to notify data subjects of the identity of a third party and their respective obligations in this context, the data controller will assume any security liabilities incurred by the third party.


(1) Further details are available here.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.