By Susan NING, WU Han King & Wood Mallesons’ Commercial & Regulatory group.

2017 has witnessed a quickened pace of legislative development on personal information protection worldwide. A variety of countries in the Asia-Pacific region introduced or amended their legislation on personal information protection. Such as in China the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”) was implemented on June 1, 2017, the Mandatory Data Breach Notification was approved in February, 2017 in Australia, and the revised Personal Information Protection Act took effective on May 30, 2017 in Japan.

The year of 2018 is also expected to see a great development in personal information protection. The General Data Protection Rules (the “GDPR”) issued by the European Commission will come into force on May 25, 2018. According to the GDPR, any organizations that provide goods or services to the EU or monitor activities of EU residents within the EU, whether or not having entities in the EU member states or processing personal information within the member states, shall be governed by the GDPR. In view of the trend of global economic integration, the extended jurisdiction of the GDPR will influence the global practice of personal information protection to a great extent. Following the GDPR, the legislation of other countries with respect to personal information protection will inevitably strike the relevant practice of local and foreign enterprises, which have to seek commonality in different countries’ personal information protection rules and establish their own generally applicable compliance systems.

Against such background, the Information Technology – Personal Information Security Specification (GB/T 35273-2017) (hereinafter the “Specification”), formulated by the Standardization Administration of China based on domestic laws and regulations, international rules, and practices, was released on January 24, 2018 and will be effective as of 1 May 2018.

This article will focus on the application of the Specification from a practical perspective based on legislative practice in other countries.

Overall framework of the Specification

The Standing Committee of the NPC adopted “Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection” in December 2012, and the Cybersecurity Law in November 2016 (hereinafter collectively as the “Law and Decision”). The promulgation and adoption of the Law and Decision indicated basic legal requirements for personal information handled by enterprises, e.g. the Cybersecurity Law summarizes fundamental principles, operators’ obligation for their conducts, etc. in Chapter IV Network Information Security. Despite the existing statutes that are general principles or high-level summary in nature, compliance in practice for enterprises was still not informed by any specific guidance. The promulgation of the Specification, in terms of national standards, provides detailed guidance for compliance in information processing including an enterprise’s collection, storage, use, sharing, transfer, public disclosure, etc.

Terms and definitions In addition to those in the Cybersecurity Law, several core standard terms and definitions are identified, e.g., personal information, sensitive personal information, controller of personal information, express consent, user profile, assessment of security impact of personal information, anonymization and de-identification
Basic principles of personal information security Consistency in right and responsibility, clear purpose, selective consent, minimized sufficiency, transparency, guarantee of security, participation of subject
Procedure of processing personal information Collection of personal information Detailed, exclusive explanation of requirements for controller of personal information, rights subjects entitled to in all stages of the procedure
Storage of personal information
Use of personal information
Commissioned processing, sharing, transfer and public disclosure of personal information
Handling of personal information security incidents
Management requirements for organizations
Schedules Examples of personal information Criteria and examples of personal information and sensitive personal information introduced with qualitative description + non-exhaustive examples
Criteria of sensitive personal information
Measures to protect subjects’ rights to selective consent In combination with the Specification, by providing practical model, explains key points and requirements for enterprises when they need to collect sensitive personal information and preparing privacy policies for their products and services
Format of privacy policies
References From the contents of references, it can be seen that in the procedure described in the Specification, the drafters not only took into account major domestic laws, regulations and existing national standards, but also relied on several foreign laws, regulations and standards, e.g., General Data Protection Regulation of the EU, EU-US Privacy Shield, good practices of CEN, OECD Privacy Framework, APEC Privacy Framework and relevant literature of NIST.

Jurisdiction of “Personal Information Security Specification”

Pursuant to Standardization Law of the People’s Republic of China (amendment adopted on 4 November 2017, effective as of 1 January 2018), “Standards shall include national standards, industry standards, local standards, community standards, enterprise standards. National standards shall comprise mandatory standards and recommended standards; industry standards and local standards are recommended standards”[1]. The Specification is a recommended national standard, not mandatory for enterprises. In other words, inconsistency with the Specification does not necessarily constitute violation of relevant laws and regulations.

According to “Circular of the General Office of the State Council of the People’s Republic of China, on Printing and Issuing the Development Plan of National Standardization System Construction (2016-2020) ”, construction of national standardization system adheres to the principle of “mandatory as threshold, recommended for general practices, enterprise for strengthening quality”. Recommended standards are generally universal. So the Specifications should be deemed as a universal standard for enterprises’ practice.

Besides, enterprises should also pay attention to the fact that, despite the non-binding nature of recommended national standards, apart from providing practical guidance for all types of entities, they may also be used as references in enforcement of regulatory authorities. The Specification expresses that it “applies to regulation over personal information processing by all types of organizations”, as well as “supervision, administration and assessment of personal information processing by competent authorities or third party evaluation agencies”.

Given that the associated measure system for the Law and Decision are still under construction, we understand that although the Specification is not a mandatory national standard, because of its universal applicability, and the possibility of serving as reference for regulators, in case an enterprise goes astray in practice, it may have to use more effort in proving the compliance of its conduct. Therefore, we suggest that enterprises fully implement the requirements under the Specification in practice to ensure compliance, security, and efficiency in its establishment of protection systems on personal information security.

Key issues in applying the Specification for domestic enterprises 

In response to introduction of the Cybersecurity Law, a majority of domestic enterprises have established their basic protection systems for personal information security in accordance with the fundamental principles of the Cybersecurity Law and industry practices. The Specification, formulated based on the Cybersecurity Law in combination with legislation and legal practices in many jurisdictions, imposes more specific and detailed requirements for enterprises. Thus, enterprises need to follow the requirements of, and break the inconsistent industry practices with the Specification, and re-examine their internal protection systems for personal information security. 

1.What constitutes a valid consent?

In practice, enterprises usually treat the requirements of obtaining subjects’ consent in a simplified way that a consent is deemed to be given if relevant subject does not expressly refuse to give such consent, therefore, the subject’s informed consent right turns into mere formality. The Specification explicitly defines “expressed consent”, and provides a new requirement that “collection and use of sensitive personal information requires expressed consent of the user whose sensitive personal information will be collected”. Besides, it gives exemplary practice on “expressed consent”. Accordingly, enterprises need to develop the most appropriate method to obtain approval and consent of the subject of personal information based on data type, and scenario of collection and use to strike balance between user experience and personal information protection.

2.Can enterprises rest easy with users’ consent?

In current industry practices, a majority of enterprises condition personal information collection upon users’ informed consent for full compliance, while ignore the threshold of the principle of necessity.  With respect to the necessary information to be collected and used under Article 41 of the Cybersecurity Law, Article 5.2 of the Specification further provides three criteria: direct connection, minimum frequency and amount between personal information collection and realization of product or service functions. Compared with the “Purpose Limitation” and “Data Minimisation” principles under the GDPR, the Cybersecurity Law does not explain the principle of necessity. Detailed provisions in the Specification provide better protection for legitimate interests of personal information subject.

It is therefore necessary for enterprises to streamline the functions of its products and services and the type, frequency and amount of information collection necessary to realize such functions. In absence of such necessity for collection and use of personal information, enterprises may subject to questions and challenges imposed by users and competent agencies. When pro-bono class action arises out of infringing the legitimate rights and interests of personal information subject, enterprises will face not only risks of property and reputational damage, but also possible severe impacts on their business models since they need to change the method and type of data collection in a short period of time.

3.Different approaches to different types of personal information

In general, enterprises adopt one-size-fits-all approach for all aspects of personal information collection, including collection, storage, and use. However, the Specification distinguishes general and sensitive personal information. Schedule B of the Specification also provides standards for determination and specific types of sensitive personal information, for example, information concerning an individual’s personal property, physical health, personal biological identification information, personal identification information, and online personal identification information.

In accordance with the Specification, enterprises should first understand the type and amount of their data collection, and sort them out accordingly. With respect to sensitive personal information, it is suggested to collect, store and use such information in accordance with requirements of the Specification:

  • Expressed consent of the subject of personal information is required before collection of sensitive personal information;
  • In collection of sensitive personal information, core and additional functions of a product should be distinguished;
  • Sensitive personal information should be stored in encrypted form or under other security protection;
  • Role-based access control should be implemented to access and revise sensitive personal information, and such authorization may only be triggered when necessary for business procedure.

4.User rights could not be ignored

With respect to the subjects of personal information, in addition to the rights to request deletion and correction of information provided by the Cybersecurity Law, the Specification further specifies their rights in order to strengthen control by the subjects over their personal information. For example, the subjects of personal information may have rights to withdraw consent, close account, obtain copy of personal information, appeal against automated decisions, etc.[2] Moreover, it is also required that the methods to exercise such rights must be expressly set forth in each personal information controller’s privacy policy.

Furthermore, for enterprises without response mechanism for requests relating to personal information, it is necessary for them to establish such mechanism in light of the business practices and data processing requirements of the enterprise as early as possible. For example, an enterprise may provide users with contact phone number in its privacy policy or methods for searching and correcting personal information or closing account on its service platform, so as to help realize the rights to visit and correct information and to close account.

5.How to respond to security incident

Articles 25 and 42 of the Cybersecurity Law separately require network operators to establish, and upon its occurrence, promptly implement emergency response plan for cybersecurity incidents, and to make prompt report to users and corresponding authorities in the event of any severe breach of personal information. Section 9 of the Specification specifies requirements on emergency response plan for cybersecurity incidents and handling of personal information security incidents, including provisions relating to the emergency handling and report, and notification of security incidents.

With respect to emergency response, enterprises are suggested to establish emergency response plan for personal information security incidents. Such plan should cover classification and grading of security incidents, organizational structure and duties, prevention and early warning, emergency response and safeguard measures; regular training on emergency response and emergency exercise for internal personnel; and timely notice to affected subjects of personal information and corresponding authorities in the event of any personal information security incident.

6.Establishment of mechanism is of significance

Generally, prevention is better than making amends. For the purpose of addressing security incidents, it will be more effective with a solid “firewall” consisting of well-functioned management system and personal information protection organ supported by adequate technical team with clear leadership and responsibilities in all aspects. The Specification provides a set of requirements on organizational management, especially for enterprises having a large number of employees specialized in personal information processing or dealing with significant amount of personal information, which are required to assign special responsible person and organ for personal information protection.

Key organizational management measures for enterprises relating to personal information include regular assessment on personal information security impact and establishment of self-assessment mechanism. In addition, enterprises should build adequate data security capacity, provide regular training on management for related personnel, conduct audit on effectiveness of its own privacy policy and security measures, improve specific auditing system and implement necessary management and technical measures, in order to prevent the leakage, corruption and loss of personal information to the maximum extent. 

Key points for multinational corporations when applying Specification

For domestic companies, the problem of personal information protection facing multinational corporations is more complex. Because data transfer of multinational corporations involves multiple links and jurisdictions, the personal information security compliance system within the corporation often needs to coordinate with the laws and requirements about personal information protection among multiple countries.

The announced Specification has referred to the OECD (Organization for Economic Co-operation and Development) framework, APEC (Asia-Pacific Economic Cooperation) framework and other international privacy rules, GDPR, EU-U.S. Privacy Shield Framework, Consumer Privacy Bill of Rights (U.S.) and other legislations of personal information protection, and has formulated a lot of rules similar to those in these countries. For example, for the purpose of rendering individual rights as the center, Specification and GDPR put forward the basic principles of personal information security for the personal information processing by personal information controllers, by referring to OECD, APEC and other international standards and national legislative provisions.

However, multinational corporations need to pay attention to the differences in case of confusion arising in practice:

1. Examples of differences between GDPR and Specification 

Regarding the rights of the subject of personal information to be satisfied by network-operators, there are many similarities between the Specification and the provisions of the GDPR that are worth noting. Take rights to data portability as an example:

Users require WeChat to provide personal data to DingTalk?! 

Rights to data portability are a controversial right. In the case that data is enterprises’ competitive resources, few enterprises are willing to transmit a duplicate of the user’s personal information to other enterprises even if requested by the user.

However, Article 20 of GDPR provides that, data subjects have the right to obtain their personal data in an orderly, commonly used, and machine-readable form, as well as have the right to transfer such data to another controller. The original controller to collect and store these data shall not interfere with the transfer of data subjects. Where technically practicable, the data subject has the right to require the controller who originally collected and stored his or her personal data to transfer the data directly to another controller. Rights to data portability shall not adversely prejudice the rights and freedom of others. According to this Article, if required by data subjects, WeChat would have to provide a duplicate of the user’s personal data to DingTalk.

What is a relief for most Chinese enterprises is that, although Article 7.9 of Specification also provides rights to data portability, unlike GDPR, Specification limits the exercise of rights to data portability to four specific categories of personal information: (a) personal basic information and personal ID information; (b) personal health information and personal education and work information. Therefore, only when user’s basic information, user’s benefits, and public interests are concerned, WeChat might have to provide user’s personal data to DingTalk.

2.Specification has more specific requirements in comparison with GDPR

It’s worth noting that, Specification is not merely a copy or application of foreign rules, rather it provides more specific requirements based on the practice of personal information protection in China. For most companies that have finished internal adjustment according to GDPR, the followings are worth noting:

EU GDPR Cybersecurity Law and Specification
Prompt management No specific provision of the measures to be taken by data controllers in every stage of data processing. After personal information is collected, the controller of personal information should immediately de-identify and take technical and administrative measures to store separately de-identified data from the information that can be used to recover personal identity. In addition, controller should ensure that there will be no re-identification in the subsequent individual data processing.
Requirements on storage No specific provision of the measures to be taken by data controllers in every stage of data processing. Personal information controllers should adopt security measures such as encryption when storing personal sensitive information. When storing personal biometric information, technical measures should be used to process the information before storage, such as only the digest of personal biometric information can be stored.
Proper notification For published data only, data controller upon the request of data subject, should adopt “reasonable measures” to inform (third party) to delete the data (therefore not an absolute obligation). Where the personal information controller violates the provisions of laws and regulations or violates the agreement with data subject to share and transfer personal information, and personal data subject requests to delete, the personal information controller shall immediately stop sharing and transferring and notify the third party to promptly delete.
Short time limit for response Taking into account the complexity of the request and the large number of requests, the response can be postponed for up to two months. Personal information controller shall reply and provide reasonable explanation to the request of data subject within thirty days or within the time limit prescribed by laws and regulations (there is no stipulations on delays).
Local storage of special information No such requirement. Personal information and important data collected and generated by critical information infrastructure operators during its operation in China must be stored in China.
Parents’ authorities

Consent from guardian is only required for processing the social service information of minors under the age of 16.

 

Collection of any personal data of minors under 14 must obtain expressed consent from the minor’s guardian.
Strict review on unclear sources

Data controllers shall provide the data subject with relevant indirectly obtained information.

 

When obtaining personal information indirectly, data controllers shall require the personal information provider to specify the source of the personal information and verify the legitimacy of source of personal information.
Cautious about user portraits No distinction between user portraits Distinguish between direct and indirect user portraits. In order to accurately assess the personal credit status, direct user portraits can be used. However, where only for the purpose of promotion of commercial advertisements, indirect user portraits is suggested to be used.
Detailed privacy policy Privacy policy shall include the purpose and legal basis for the processing of personal data. Privacy policy shall include the purpose of collecting and using personal information, as well as business functions covered by such purpose, such as using personal information for the promotion of commercial advertisements, using personal information for forming direct user portraits and their uses, etc.

Summary 

“The Wise Adapts to the Changing Time.” 

Under the trend of globalization of the data economy, the legislation in countries for the personal information protection not only affects the legal rights of related subjects, but also indirectly relates to the development speed of the data economy of their own countries. One of the keys to find a balance between the development of data economy and the protection of personal information is to resolve the conflict between the rapid development of the data economy and the stability of laws and regulations governing personal information protection. As a national recommended standard, the Specification combines both technique and flexibility and refers to international rules to timely fill the gap in between. In the current booming period of the data economy, conforming to the development trend and changing with time and circumstances is an important reference for corporate compliance and regulatory authorities.

Corporations should also “change with the time and circumstances” to discard outdated industry practices used in the collection of personal information, break through inertial thinking, re-examine business practices as required by the Specification, sort out internal personal information security protection systems. It will reduce compliance risks, and improve the competitiveness of corporate data assets at the same time. 

“The Informed Adapts to the Changing Circumstances.” 

Although the Specification provides an important reference for the corporate compliance, different entities, industries and even different business models all have different needs for personal information, and adopt different methods of collection, use, storage and transmission. Therefore, it is not only impossible to meet the needs of individualized business development but also hard to realize the goal of fully developing the data value by mechanically applying the regulation. The Specification does provide recommendations about the compliance system that complies with the relevant articles of the Cybersecurity Law, but corporations still need to ensure that their own compliance systems not only meet the requirements of the Cybersecurity Law, but also follow their development needs and industry features.

In conclusion, “the wise and informed adapts to the changing time and circumstances.” Corporations should break the outdated industry practice, pay active attention to the personal information protection legislation and law enforcement trends, innovatively develop personal information protection, build a new structure to meet their own needs by reference to Specification, and strive to a win-win resolution of data security compliance and commercial application.


[1]See Article 2 of Standardization Law.

[2] Article 43 of the Cybersecurity Law provides that Each individual is entitled to require a network operator to delete his or her personal information if he or she founds that collection and use of such information by such operator violate the laws, administrative regulations or the agreement by and between such operator and him or her; and is entitled to require any network operator to make corrections if he or she founds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error.