With the General Data Protection Regulations (GDPR) taking effect on 25 May 2018 across the EU, its Chinese equivalent came into force even earlier on 1 May 2018. The Personal Information Security Standards (Standards) are the first set of national standards to be published on personal information protection in China. The Standards set out detailed requirements on personal information protection and are expected to be used as a good practice guide for entities processing personal information in China.
In this e-bulletin we highlight the key features of the Standards and set out our observations and advice to affected companies.
Before the Cyber Security Law was enacted in 2016, personal information protection provisions were scattered in different regulations and rules. In 2012, the regulators published a 5-page guideline document on personal information protection for public and commercial information systems, which fell short of a national standard and expired in 2015.
The Cyber Security Law was the first national law to dedicate a chapter on "information security on network". In particular, articles 41 to 45 laid down general legal principles and requirements for personal information protection, the implementation of which requires a set of specific provisions to be published. The Standards are the first set of national standards on personal information protection and are a key step to implementing the personal information protection provisions in the Cyber Security Law. The Standards apply to all entities processing personal information.
I. Innovative definition of personal information
Identifiable and identified person
The Standards extend the scope of personal information well beyond that under the Cyber Security Law. Under the Standards, personal information is defined to encompass any information, recorded electronically or otherwise, that can be used solely or in combination with other information to (i) identify a natural person; or (ii) reflect the activities of a specific natural person.
Whilst the definition of personal information under the Cyber Security Law covers only information that can be used to identify a person, the Standards extend it to include information relating to the activities of an identified person.
Under the Standards, personal information does not have to be able to identify a person and is caught if such information reflects an identified person's activities and can be attributed to that person. Examples of personal information of an identified person include a person's location, call history and browsing history.
Sensitive and non-sensitive personal information
The Standards also offer extra protection for sensitive personal information compared to under the Cyber Security Law. Sensitive personal information is defined as personal information, the leak, illegal provision or abuse of which could harm personal and property safety or could easily cause harm to someone's personal reputation or mental or physical health or give rise to unfair treatment.
Examples include a person's ID number, biometric information, bank account number, communication record and content, information about a person's property, credit rating, position tracking, accommodation, health and trading and personal information of children under 14 years of age. Notably, internet cookies are expressly included as sensitive personal information.
The Standards set out special measures to provide extra protection for sensitive personal information, including the following:
(i) Explicit consent of the data subject is required before collecting sensitive personal information (for children under 14 years of age, the consent of their guardians is required),
(ii) The data controller should divide its service or product functions into core and ancillary functions and specify the sensitive personal information required for each (see further details below).
(iii) Sensitive personal information must be encrypted for transmission and storage, and personal biometric information must be specially processed before being stored.
(iv) Special measures should be imposed on access to and modification of sensitive personal information by way of controls over the authorisation granted to personnel on the basis of their operational needs.
(v) For the transfer and sharing of sensitive personal information, the data controller should notify the data subject of the type of sensitive personal information, the identity of the data recipient and the data security capacity and obtain explicit consent.
(vi) For public disclosure of sensitive personal information, the data controller must notify the data subject of the relevant information that is to be disclosed and obtain explicit consent.
(vii) The data controller must conduct background checks on personnel with access to a large amount of sensitive personal information.
Anonymisation and de-identification
The Standards introduce and distinguish between the concepts of "anonymisation" and "de-identification".
Anonymisation is defined as the process through which personal information is technically processed so that the data subject cannot be identified and the personal information cannot be recovered after being processed. The Standards exclude anonymised personal information from the scope of personal information, and thus the protection measures afforded to personal information under the law and the Standards.
De-identification is defined as the technical processing of personal information so that the data subject cannot be identified without additional information. Examples of the technical methods used to de-identify personal information include pseudonymisation and encryption.
Under the Standards, the data controller should anonymise or delete personal information in the following circumstances:
(i) upon expiry of the storage term for the personal information ; or
(ii) where the data subject has cancelled its account with the data controller.
The data controller should de-identify personal information:
(i) once the personal information has been collected;
(ii) where the data controller has to publicly display personal information; and
(iii) where the data controller provides academic research or results to a third party which contains personal information.
II. Consent and notification
When will consent and notification be required?
The Standards make it clear that consent of the data subject is required for the collection, outsourcing processing, sharing, transfer and public disclosure of personal information.
In addition, the Standards provide that the data subject must be notified of the following information:
(i) before collection, the type of personal information to be collected for each of its service or product functions and the rules for the collection and use of the personal information;
(ii) before voluntary provision or automated collection of sensitive personal information,
a. the sensitive personal information that is required for the core functions o and the consequence of refusing to provide or consent to the collection of such information; andb. the ancillary functions that the sensitive personal information is required for;
(iv) before sharing and transfer of personal information, the purpose of such sharing and transfer, the type of data recipient, and, in the case of sensitive personal information, the type of personal information, the identity of the data recipient and their data security capability;
(v) information relating to the transfer of personal information due to any merger and reorganisation of the data controller;
(vi) before public disclosure of personal information, the purpose and type of disclosure and, in the case of sensitive personal information, the content of such information;
(vii) if the personal information is jointly controlled by two or more data controllers, the security requirements that the data controllers must satisfy and the responsibilities and obligations of each data controllers; and
(viii) in case of a security incident, the information and impact of the security incident, the remedial measures that have been or will be taken, advice to the data subject on mitigation of the risks,; remedial measures provided to data subject; and the contact details of the person and body responsible for data protection.
Consent and explicit consent
The Standards provide for two types of consent: consent and explicit consent. Explicit consent is defined as unequivocal authorisation on specific treatment of personal information by either a written statement or a voluntary affirmative act. The Standards use consent instead of "implied consent" due to concerns that implied consent can be abused. However, the Standards do not prohibit the use of implied consent unless explicit consent is specifically required. Explicit consent is required:
(i) where the data controller exceeds the scope of consent when processing personal information provided by a third party;
(ii) for the collection of sensitive personal information or personal information of under-aged data subjects;
(iii) where the use of personal information will exceed the scope that is directly or reasonably connected with the purpose stated at the time of collection;
(iv) for sharing or transferring sensitive personal information;
(v) where there is a change to use of personal information after a merger, acquisition or reorganisation; and
(vi) where there is public disclosure of personal information.
Exceptions to the consent requirement
Under the Standards, a data controller may collect and use personal information without the consent of the data subject if such collection and use of the personal information:
(i) is related to national security or defence;
(ii) is relevant to public security, public hygiene or significant public interest;
(iii) is relevant to any criminal investigation, prosecution, trial or enforcement of a court decision;
(iv) is for the purpose of protecting the life, property or other significant legal interest of the data subject or others and consent cannot be obtained;
(v) concerns information that the data subject voluntarily discloses to the public;
(vi) is obtained from legal and public sources, such as news reports or government disclosure;
(vii) is required under a contract that is signed and performed upon the request of the data subject;
(viii) is necessary to maintain the secure and reliable operation of the products or services, for example fixing a product or service fault;
(ix) is necessary for the news reporting activities of a news agent which is the data controller; and
(x) is necessary for statistics or academic research conducted in the public interest by data controllers that are academic or research institutions (provided personal information must be "de-identified" when research reports are provided to third parties).
We note that when sharing, transferring or publicly disclosing personal information, the data controller is not required obtain consent in scenarios (i) to (vi) above.
In addition, a data controller may refuse to respond to requests by data subjects to exercise their rights to personal information (as further discussed below) in the above scenarios.
III. Core functions and ancillary functions
The Standards require that a data controller divides its services into two categories when collecting sensitive personal information, namely core functions and ancillary functions. The Standards lay down different requirements for each:
(i) Core functions: the data controller should notify the data subject of the core functions, the sensitive personal information to be collected and the consequence of refusing to provide such information; and
(ii) Ancillary functions: the data controller should specify which ancillary functions sensitive personal information is collected for and should allow the data subject to choose whether to consent to sensitive personal information being collected for each ancillary function (any withholding of consent should not be a reason for not providing the core functions).
The Standards do not define "core functions". The intention, according to the lead drafter of the Standards, is to allow data controllers to define their core functions according to their particular business.
The reason for the demarcation is to prevent the consumers from being forced to consent to collection of personal information for ancillary functions in order to use the core functions.
IV. Personal information security impact assessment
The Standards establish a security impact assessment regime in respect of personal information, under which a data controller should test the legality of its data processing activities, assess the risks to data subjects and evaluate the effectiveness of its data protection measures.
A security impact assessment must be conducted in the following circumstances:
(i) before engaging a data processor to process personal information;
(ii) before sharing or transferring personal information;
(iii) before publicly disclosing personal information;
(iv) where there has been a change to applicable legal or regulatory requirements, its business model, information systems, or to the operational environment;
(v) in the event of a major personal information security incident; and
(vi) on a regular basis (at least once a year).
A draft guide on the security impact assessment regime has been published for public comment.
V. Rights of the data subject
The Standards grant data subjects a range of rights in respect of their personal information, including:
(i) the right to access, rectify or delete their personal information;
(ii) the right to withdraw their consent;
(iii) the right to deregister their account;
(iv) the right to obtain a copy of certain personal information or require such information to be provided to a third party (including basic personal information and information on the person's identity, health, education and employment); and
(v) the right to appeal against automated decisions made through data profiling, for instance, in an application for a personal loan.
Under the Standards, a data controller is required to respond to a data subject's request within 30 days and notify the data subject of the external dispute resolution channels. If satisfaction of a data subject's request is overtly costly or difficult, the data controller may provide an alternative solution.
In addition, the data controller may refuse to respond to a data subject's requests in the following scenarios where:
(i) the collection and use of personal information is related to:
a. national security or defence;b. public security, public hygiene and significant public interest;c. any criminal investigation, prosecution, trial or enforcement; or
(ii) the data controller has sufficient evidence that the data subject is abusing the right or has a malicious intent;
(iii) response to the request will result in serious damage to the legal interests of the data subjects or other individuals or organisations; or
(iv) the request concerns commercial secrets.
I. Effectiveness and enforcement
The Standards are not mandatory in the sense that a data controller is not required to comply and a deviation from the Standards will not by itself result in a penalty. The Standards are more of a good practice guide.
However, pursuant to the Standards, it applies to "personal information processing activities of all kinds of organisations and can be used by the governing authorities and third party evaluation institutions to supervise, administer and evaluate personal information processing activities. This language suggests that the Standards cover a broad range of data controllers, including both public and private sectors. In the absence of any other detailed data protection regulations, the Standards may be used as the only reference by the authorities in their enforcement actions.
Neither the Cyber Security Law nor the Standards have established a dedicated data protection body to enforce the data protection regulations. Enforcement will still take the form of civil claims, criminal prosecutions and administrative actions by the Cyberspace Administration of China, police, courts or industry regulators. Nonetheless, the Standards may be used as the criteria to determine whether a data controller has discharged its data protection obligations. Although a deviation from the Standards may not itself result in a data controller being held liable, the data controller would very likely be required to justify its deviation and prove that the measures it adopted were equivalent to or better than the Standards in defending an enforcement action.
II. Extraterritorial effect?
The Standards do not specify the territorial scope of the data processing activities, nor do they specify whether the data protection obligations apply to data controllers or processors located outside China where they control or process the personal information of Chinese residents.
The extraterritorial effect of the Standards could arise from of the security assessment requirement on the export of personal information that "is collected and generated within China". The Standards briefly mention that regulations and standards on the security assessment regime on data export will be separately published by the authorities. In fact, drafts of these were published last year but there has not been any indication that these will be enacted soon.
It appears that the current focus is still on the onshore data controllers and the security of the data export.
III. Consent-based approach
The Standards seem to take the approach that the informed consent of a data subject provides an adequate ground for a data controller to collect and process personal information, subject to the consent exemptions listed above. The Standards do not include a generic "legitimate interest" ground that exempts consent. Apparently the drafters feared that such a ground could cause confusion to the data controllers and data subjects as to what amounts to a "legitimate interest' and is susceptible to abuse by the data controllers.
The Standards further enhance the right of consent by requiring data controllers to obtain explicit consent for sensitive personal information on an item-by-item basis for ancillary functions. This will no doubt require companies to overhaul their current privacy policies and processes for obtaining consent.
IV. Anonymisation or de-identification?
Under the Standards, both anonymisation and de-identification will render a data subject unidentifiable. The major different between anonymisation and de-identification is that anonymised personal information cannot be recovered and the process is irrevocable, whereas de-identified personal information can be recovered and can still be used to identify a data subject with the help of additional information.
The two concepts seem to refer to the same process of removing the link between the personal information and the data subject but to a different extent. There appears to be a spectrum of different levels of de-identification with anonymised personal information at the extreme end.
The Standards exclude anonymised personal information from the concept of personal information whilst de-identified personal information remains as a special category of personal information. This implies that personal information protections will not apply to anonymised data. This is consistent with the Cyber Security Law, which provides that where personal information has been processed in a way that the data subject cannot be identified and the personal information cannot be recovered (which clearly refers to anonymization as defined under the Standard), such information can be provided to a third party without the consent of the data subject.
However, the Standards are inconsistent with the Cyber Security Law and with even the position in the Standards by providing that a data controller may share or transfer personal information without the data subject's consent if such personal information has been de-identified and cannot identify the data subject. The Cyber Security Law only extends the exemption of consent to anonymised personal information. This is consistent with the definition in the Standards to not treat anonymised personal information, but not de-identified personal information, as personal information.
The regulators have released a draft standard on de-identification, but not yet on anonymisation. As such, it is difficult to evaluate whether the data subject's personal information has been sufficiently anonynimised to remove it from the data protection laws or has only been de-identified and thus remains as personal information.
V. Compliance measures for companies
Companies are advised to take the following measures to comply with the Standards:
(i) Carry out an overhaul of the current data collection, use, storage, transfer and sharing processes, policies and contracts and identify and rectify any non-compliance issues;
(ii) Review and revise its privacy policies, in particular the processes for obtaining consent for sensitive personal information;
(iii) Appoint a person or a department to be responsible for data protection or appoint a dedicated data protection officer or department if a) the company's main business is personal information processing with a total of over 200 dedicated personnel; or b) the company processes or expects to process the personal information of over 500,000 data subjects over a 12-month period;
(iv) Establish a response mechanism to enable data subjects to exercise their rights in relation to their personal information;
(v) Conduct personal information security impact assessments once the relevant standards have been implemented;
(vi) Provide training to employees who have access to personal information; and
(vii) Prepare contingency plans in the event of a personal information security incident.
The Standards mark a significant step towards implementing the data protection obligations under the Cyber Security Law. Despite their lack of mandatory effect, the Standards could serve as an important reference for the authorities and courts in assessing whether a data controller has discharged its data protection obligations under the law. Additionally, the comprehensive scope and detailed measures set out in the Standards render them a useful good practice guide for companies. With more implementing standards yet to be published, China is developing a structured data protection regime. We encourage companies to take measures to implement the Standards and will keep you abreast with the latest developments through our insight articles and other regular updates.
FIND OUT MORE
Herbert Smith Freehills is a Hong Kong partnership which is affiliated to Herbert Smith Freehills LLP (an English limited liability partnership). Herbert Smith Freehills LLP, its subsidiaries and affiliates and Herbert Smith Freehills, an Australian Partnership are separate member firms of the international legal practice known as Herbert Smith Freehills.
The contents of this publication, current at the date of publication set out in this document, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2018
This message is sent by Herbert Smith Freehills, 23/F Gloucester Tower, 15 Queen's Road Central, Hong Kong. Tel: +852 2845 6639. e-mail: email@example.com.
© Herbert Smith Freehills LLP 2018