A draft document, entitled Information Security Technology - Guidelines for Personal Information Protection, has been issued in China for comment. While comments are being solicited at this time, if issued in its proposed form, this document has the potential to add significantly to the rules governing the handling of personal information in China.
The document is being prepared as a national standard, and would be issued by the General Administration for Quality Supervision, Inspection and Quarantine and the Commission for the Administration of Standardization. If actually promulgated as a national standard, portions of the Guidelines could be mandatory (rather than merely recommended) if the Chinese government deems it necessary. It is still too early, however, to speculate as to precisely whether and what mandatory requirements may emerge in the end.
According to a Chinese-language press report, the drafter of the document has said that the purpose of the Guidelines is to promote both the establishment of more complete policies for the protection of personal information, and the implementation of effective measures for protecting personal information among websites that currently manage large quantities of personal information. An expert from a trade association for businesses in the electronics sector also said that the promulgation of clearer policies under the Guidelines would help clarify the rights and interests of website users.
The document is still in draft form and it is therefore too early to know which requirements it will actually impose, if in fact a final and binding version ultimately is promulgated. The draft proposes a principle-based system, setting forth a number of data protection principles, rights of data subjects, and practical steps for implementing the data protection principles. Significantly, the draft proposes cross-border data transfer restrictions. Any final, definitive version of the Guidelines, however, could vary significantly from the current draft.