On 7 March 2020, China published an updated version of the “Information security technology – Personal information security specification” (“New Specification”), which will take effect on 1 October 2020 and replace the currently effective 2017 version (“Current Specification”).

While both versions are by nature suggested technical standards rather than mandatory regulations, they are considered best practice in China and their detailed suggestions are almost always taken into consideration during enforcement actions by authorities.

Compared with the Current Specification, the New Specification includes the following changes:

  • Adding new requirements to prevent excessive collection of personal data – a data controller is required to differentiate between basic business functions and additional or expanded business functions, and is prohibited from bundling all these functions together. The controller must obtain a data subject’s specific consent in order to collect and process his personal data for each specific function. A data subject’s refusal to provide consent or his request to withdraw consent for the additional or expanded functions must not affect his use of the basic functions. When pooling together personal data collected for different functions, a data controller must carry out security impact assessments and take all necessary protective measures. The controller must also obtain the data subjects’ consent to the pooling and to the potential use of the analysed results.

  • Adding new requirements concerning user profiling and personalised display – when displaying information, goods, services or research results to a data subject based on his browsing history or transaction records, the subject must also have the option of a non-personalised display. The data subject should be able to control the degree and extent to which his personal data can be utilised to generate a personalised display.

  • Adding new requirements concerning third-party plugins – if a third party also collects personal data via a data controller’s products or services (e.g. via plugin tools or certain cooperation mechanisms), the data controller is responsible for evaluating the third party's data protection capabilities, and for requiring the third party to obtain the necessary consents from data subjects and to establish channels to receive their inquiries and complaints. The data controller must also monitor the data protection measures that the third party has implemented in its daily operations.

  • Adjusting requirements on organisational measures – a data controller must establish a designated data protection officer and department if its business involves personal data processing and it has more than 200 employees working in this business; if it processes or expects to process the personal data of more than one million individuals within 12 months; or if it processes the sensitive personal data of more than 100,000 individuals.

  • Adding new requirements concerning personal biometric data – a data controller must separately inform a data subject of the collection or sharing of his personal biometric data (e.g. when other non-biometric personal data is collected at the same time) and obtain his specific consent. Personal biometric data must be stored separately from personal identification data. In principle, raw biometric data (e.g. DNA samples and fingerprints) should not be stored. In order to fulfil the relevant business functions, measures that can be taken under this principle include only storing the key components or summaries that cannot be used to re-generate raw data; only using biometric data directly on the clients or terminals where the data is collected; and deleting raw data after the data is transferred to backend servers and the relevant functions have been realised (e.g. ID authentication or verification).

Please click here for a full version of the New Specification (Chinese only).