The long-awaited new national standard, Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (“PI Specification”), has now been released and will come into force on 1 May 2018. It represents the new de facto standard for practical data protection handling, in effect complementing and clarifying the various existing data protection laws (for example, under the Cybersecurity Law and the Consumer Protection Law) and outlining practical compliance steps. Regulators will encourage companies to comply with the PI Specification, so organisations operating in China are strongly advised to review and update their compliance programmes to reflect the new standard.
So what will this involve?
Some of the highlights of the new PI Specification are:
- Clarification of key definitions, with typical examples of key terms (e.g. “personal information” and “sensitive personal information”). The term “data administrator” has been replaced by “data controller”.
- Explicit consent (i.e. confirmative responses by data subject via written notice or a positive and affirmative action) is required for collection of sensitive personal information or use of personal information for a new purpose, etc.
- Personal information security impact assessments are required for: (i) outsourcing of data processing; (ii) sharing and transfer of personal information; or (iii) disclosing personal information to the public. The appendix on security impact assessment in previous drafts of the specification has been deleted, but a section outlining the requirements for conducting such security impact assessments remains.
- Requests for access to, correction of, copies of, and deletion of personal information, and for withdrawal of consent, must be responded to within 30 days, and there should be no charge for any reasonable request unless repeated requests are made within a certain period of time.
- Personal information of children under 14 years of age is considered as sensitive personal information.
- A security assessment is required for providing personal information collected and produced in China to offshore parties, and such assessment shall be conducted in accordance with the measures and methods formulated by relevant authorities (not yet published).
- Data breach notification: a specific incident response plan is required; together with regular review and rehearsal with various business units (at least once a year); and a record of incidents (e.g. scope of data, number of affected individuals) must be kept. In the event of an incident, organisations are advised to report to relevant authorities in a timely manner in accordance with the National Network Security Incident Contingency Plans published by the Cyberspace Administration of China in January last year.
- Data controllers are advised to appoint a data protection officer and a data protection department to be directly responsible for the protection and security of personal information. Some of the key responsibilities of a data protection officer and a data protection department are: organising and implementing internal measures for the protection of personal information; conducting security impact assessments; providing training on personal information security; drafting, publishing, updating and implementing privacy policies and other relevant regulations; and conducting security audits. A data controller must appoint a designated data protection officer and a data protection department if: (i) the organisation’s main business line involves data processing and it has over 200 employees; or (ii) the organisation processes, or anticipates processing, the personal information of more than five hundred thousand individuals within 12 months.
A raft of additional new and updated national standards – covering key areas such as data anonymisation, big data, overseas data transfers and various aspects of information security – is expected to be published and come into force in the coming months. Some of these are anticipated to reference or adapt ISO standards, so, while the PI Specification does not bring China’s data protection framework as close to GDPR requirements as some commentators had suggested, there is a definite movement in China towards adoption of international best practices. This will be welcomed by international businesses currently undertaking GDPR compliance reviews who are now turning their attention to their China practices, although clear local distinctions (notably data localisation, the requirement for consent, and restrictions on handling of non-personal data) remain in China and must be specifically addressed.
Enforcement action is already a reality in China. While enforcement currently appears to focus on content, reports suggest the authorities are gearing up for wider investigations of online activities from Q2 2018. Therefore, although the data protection framework is likely to evolve further over the coming months, organisations are recommended to take steps now to review and update their China data protection policies and practices to reflect the PI Specification.