By Xue Han, Liu Keer, Xue Yingyuan, King & Wood Mallesons’ Corporate & Securities group
Against the backdrop of cyber security law: updated privacy policies, do they live up to the hype?
Quite a few major internet giants in mainland China, apparently encouraged by regulatory authorities, have put considerable effort in recent months into updating their privacy policies. It appears that the relevant regulatory authorities have completed their assessment of the updated policies. These updated policies are likely to be viewed as having a certain effect in setting a precedent or benchmark for personal data compliance in mainland China.
While this undoubtedly represents a significant improvement in personal information protection, it is also interesting to examine certain key details based upon, needless to say, some of the updated policies available in the public domain.
Explicit Consent vs. Consent Given by Use of Services/Products
While some set out to request explicit consent to the collection, storage and use of personal information, others appear to be content with consent given by way of use/acceptance of services/products.
Consent in Privacy Policy vs. Just-in-time Notice/Consent
Some, but not all, updated privacy policies offer just-in-time notice/right to consent before collecting sensitive information. Others seek consent to collection and use in the privacy policy itself. None seems to offer continuous warning when collecting sensitive information, e.g., an individual’s physical location and movements.
Right to obtain personal information from third parties
Some appear to commit to obtaining the relevant individual’s consent before obtaining his or her personal information from third parties; others generally undertake that personal information will be obtained from third parties in compliance with applicable legal requirements.
Right to share personal information with third parties
While some appear to commit to obtaining consent before sharing personal information with third parties, most allow themselves a certain leeway to share with third parties, not inconsistent with industry practice, e.g., information sharing reasonably necessary for third parties to provide products/services as needed by the individuals.
Personal information disposal and right to be forgotten
Most offer to delete or anonymize personal information upon cessation of the relevant services/business operation. Some go one step further and offer deletion/anonymization upon account closure.
Cookie policies/on-line tracking
Most advise users to avoid cookies by changing their browser/account settings, without offering a straight cookie opt-out.
Behavior-based/targeted advertising
Some, but not all, offer opt-out options for behavior-based/targeted advertisements.
Access right and data portability
Most offer the right to access information to a certain degree, but this mostly appears to be limited to information stored within the account and not all information collected; none appear to commit to data portability, e.g., facilitating transfer of personal data to other service providers.
Encryption/pseudonymization in transmission or at rest
All commit to taking technological measures to safeguard the privacy of personal information to a certain extent; some are specific that the data will be encrypted/pseudonymized when transmitted and/or stored.
Children’s Privacy
Most appear to touch upon children’s privacy but stop at asking children to obtain their guardians’ consent to information collection and use; some make information collection subject to obtaining guardians’ consent without expressly committing to obtain such consent before commencing information collection.