An updated draft of China’s Amended Personal Information Security Specification (“Amended PIS Specification”) and proposed new amendments to the privacy specification for mobile apps (“App Privacy Specification”) were published this week, alongside brand new draft privacy regulations for the banking sector. These drafts will, if implemented, introduce some significant changes to current data protection practices in China, as follows:

1. Amended PIS Specification

  • Bundled consent will be banned. Separate consent may now be required for each specific scope of collection (e.g. separate tick boxes for direct marketing), rather than an overarching consent.
  • Mobile phone numbers are no longer deemed to be “sensitive personal information”. On the other hand, contact lists on personal mobile devices are now deemed sensitive personal information.
  • Helpful clarification is provided as to when and how Personal Information Security Impact Assessments (“PIIAs”) must be conducted. An earlier proposal to introduce annual PIIAs has been deleted, and there is no obligation to report PIIAs to regulators (except if they affect national interests). Nonetheless, PIIA reports must be available for inspection by “relevant parties” (e.g. staff, data subjects, business partners etc.). This generally aligns with the draft assessment guide on the conduct of PIIAs, published back in September 2017.
  • Promotion of online mechanisms for users to exercise data subject rights (deletion, de-registration, access, correction, revoke consent etc.).
  • Clarity that data controllers are liable for their data processors’ acts and omissions. In turn this will require data controllers to have stricter oversight over their data processors.
  • Additional governance/administration activities, including: (i) appointment of DPO and management committee; and (ii) record keeping obligations. This aligns with the PSB’s draft guidelines on the protection of personal information security, published earlier this year.
  • Clearer data breach notification procedures and requirements. In particular organisations should notify data subjects if a data breach is so serious that it may seriously threaten their lawful rights (e.g. leakage of sensitive personal information). This aligns with the national network security response plan.

2. App Privacy Specification

  • Mobile app providers are encouraged to minimise personal information collection via their apps, i.e. avoid excessive data collection. This aligns with broader data minimisation guidelines published in August 2019. Specific examples are given of what might constitute excessive data collection for certain types of apps, such as car hailing, e-commerce and IM apps.

3. Personal Financial Information Measures

The PBOC has published for consultation a first draft of measures to apply to processing of “personal financial information” by regulated banks and credit service providers in China. It is reported that the final draft will be available by the end of 2019. Key proposals include:

  • Approval must be obtained from PBOC by banks and credit service providers before they can collect personal financial information from individuals or offer individual credit services. It is rare for regulators in the PRC to require regulatory notification/approval of data processing, and it will be interesting to see what steps will be required to obtain the approval.
  • “Bundled consent” is prohibited when collecting and processing personal financial information.
  • Purchase of personal financial data from third parties who are unauthorised to offer credit information services will be banned.

This is now the third draft of the Amended PIS Specification, but there still may be further changes before it is finalised and brought into force. However, organisations are encouraged to plan now in anticipation of these regulations evolving.

Unfortunately the big uncertainties – i.e. what data can leave China, and who is a CIIO – still remain.