On 19 April 2019 the Security Protection Bureau of the Ministry of Public Security, the Beijing Cyber Industry Association and Research Institute Number 3 of the Ministry of Public Security jointly issued the Guidelines for the Protection of Personal Information Security on the Internet. The guidelines set out a series of management measures, security technology measures and business processes for the protection of personal information. It is recommended that the following parties comply with the guidelines:
- enterprises which provide services via the Internet; and
- other entities and individuals that control or process personal information (regardless of whether they use a network to do so).
The key elements of the guidelines are as follows.
- The guidelines define a number of key concepts, including:
  - 'personal information';
  - 'personal information subject';
  - 'holding personal information';
  - 'holder of personal information';
  - 'lifecycle of personal information'; and
  - 'personal information system'.
- Personal information systems must meet the relevant multi-level protection scheme (MLPS) requirements under National Standard GB/T 22239.
- Parties are prohibited from collecting, on a large scale, sensitive data concerning Chinese citizens, including information regarding their:
  - political views; or
  - religious beliefs.
- Parties are prohibited from collecting individuals' original biometric information; such collection should be limited to summary biometric information.
- Personal information collected within China must be stored in China. The transfer of such data outside China must be done in accordance with the relevant regulations.
- A personal information subject's explicit consent is required when user portrait technology – which relies entirely on automated processing – is applied to precision marketing, the sorting of search results, personalised push news or targeted advertising (among other things), provided that the subject is allowed to object to such use. Further, the user's explicit consent is required if the user portrait technology is to be:
  - applied to a credit service or value-added application that may have legal consequences for the user (eg, administrative or judicial decision making); or
  - used by cross-network operators.
- Data breaches should be notified to the relevant authorities and the affected personal information subjects. The general public should also be warned in a timely manner.
The guidelines provide no penalties and appear to be non-binding, calling for entities to adopt the principles and rules therein on a voluntary basis. However, because of their official nature and China's lack of a data protection law, the guidelines are likely to be treated as a statute-like norm and may be referred to in enforcement campaigns by the police authorities.
In addition, while these guidelines may help companies to establish sound personal information mechanisms, some of the specific provisions therein – such as the personal data localisation requirement and the MLPS requirements for personal information processing systems – may create onerous burdens for companies operating in China. That said, the actual application of the guidelines remains to be seen.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.