The final text of the "Information Security Technology - Personal Information Security Specification" (Personal Information National Standards) is finally published after much anticipation. As discussed in Update (9), the National Information Security Standardization Technical Committee released the Personal Information National Standards on 29 December 2017. The new standards are one of the most important national standards concerning protection of personal information in China and will become effective on 1 May 2018.
Although the Personal Information National Standards do not have the force of law (it is a "recommended" national standard as opposed to a mandatory national standard), its importance cannot be underestimated; it is already being specifically referred to by the Cybersecurity Administration of China in recent cases concerning protection of personal information under the China Cyber Security Law (CSL). The new standards could also become mandatory when it is referred to in other laws and regulations, mandatory national standards or binding contracts. We expect that compliance with the new standards will be instrumental for businesses in China to demonstrate compliance with the data protection requirements under the CSL.
The Personal Information National Standards set out data protection principles and requirements on protection of personal information which are much more extensive than the provisions under the CSL. The key provisions and requirements under the new standards include the following:
- What constitutes personal information?
Under the CSL, "personal information" relates to information which can be used independently, or combined with other information, to identify a natural person. The Personal Information National Standards extends the definition of personal information further to include information that will reflect the activities of an identified natural person (e.g. tracking location information and communications content). In addition, similar to the data protection laws in other parts of the world, the new standards further sets out specific and more stringent requirements applicable to "personal sensitive information" – defined to refer to information which, if leaked, illegally provided or used without authorization, will endanger human rights and property security, easily lead to damage to reputation, physical and mental health or discriminatory treatment. Examples of personal sensitive information include health and biometric information as well as personal information of minors under the age of 14 years. The specific scope of personal information and personal sensitive information is summarized in Appendix A and B of new standards.
- What principles should be followed when processing personal information in China?
Following the spirit of the data protection laws around the world including the General Data Protection Regulation of the European Union, the Personal Information National Standards set out the basic principles of processing personal information in China, i.e. accountability principle, purpose specification principle, consent principle, data minimisation principle, openness principle, security principle and personal information subject rights principle. Personal information controllers are recommended to follow up these basic principles during their collection, retention, use, sharing, transfer and disclosure of personal information in China.
- Have the consent requirements been strengthened?
The Personal Information National Standards have strengthened the conditions for consent and require that a request for consent must be given in an intelligible and easily accessible form with the purposes of processing personal information attached to the consent request. The request for consent must also be distinguishable from other matters by using clear and in plain language. In certain specific circumstances e.g. where information to be processed fall within the definition of "personal sensitive information", the explicit consent from personal information subject must be obtained. Explicit consent is defined to mean express consent given by a personal information subject in writing or other positive action. A personal information controller is also required to provide the means for the personal information subject to withdraw his/her consent.
The Personal Information National Standards further clarify the exemptions to the consent requirement. For example, consent of personal information subjects would not be required if the information to be collected has been legally published, either by personal information subject or through a lawful channel, e.g. legal press report and disclosure by the government, if the information will be used for criminal investigations, or for purposes of execution or implementation of a contract etc.
Appendix C of the new standards set out helpful templates/illustrations of how consent should be obtained for collecting and processing personal information. Personal information controllers may follow the templates to update their terms and conditions for consent when reviewing their own consent mechanisms.
- What are the rights of personal information subjects?
The Personal Information National Standards further clarify the rights of personal information subjects, including the following:
- Right to access
Personal information subjects shall have the right to access their personal information controlled by a personal information controller and obtain confirmation from the personal information controller where and for what purpose their personal information is being processed.
- Right to rectification
Personal information subjects may request the personal information controller to either rectify the personal information or provide the means for the personal information subject to rectify their personal information when personal information subjects find that their personal information controlled by personal information controller is incorrect or incomplete.
- Right to erasure (also known as the "right to be forgotten")
Personal information subjects have the right to request the personal information controller to erase their personal information, cease further dissemination of the personal information and have the third parties halt processing of the personal information if the personal information controller terminates its service or products or if the processing of personal information by the personal information controller is against applicable laws and administrative regulations or the agreed scope with the personal information subjects.
Upon the request of a personal information subject, the personal information controller is required to provide the personal information subject with a copy of following personal information or, at the request of the personal information subject, transmit such copy to a third party provided it is technically feasible:
- Personal basic information and personal identity information
- Personal health and physiological information and personal education information.
Personal information controllers should have in place internal policies in place to handle requests made by personal information subjects when exercising such rights.
In addition to the above, the Personal Information National Standards also set out other important provisions relating to security breach notification, data retention and storage, data transfer to third parties and data governance. Given the detailed provisions under the new standards and the significance of the new standards in the context of the CSL, businesses collecting and processing personal information in China should review their current practices against the new standards and take actions to comply with the new requirements.