PRIMER: China's national standards for personal data protection
What is the national standard for personal data protection? China's National Standards on Information Security Technology-Personal Information Security Specification came into force May 1 2018. They stipulate that explicit consent is required for collection of sensitive personal information.
Personal information security impact assessments are also required for outsourcing of data processing, sharing and transfer of personal information and the disclosure of personal information to the public. Any requests to access, collect and delete personal information must be responded to within 30 days. For data breach notification, a specific incident response plan is required together with regular review of the plan.
How does the national standard for personal data protection relate to the Cybersecurity Law? The new standard refers to the Cybersecurity Law as a reference document. Clarice Yue, counsel at Bird & Bird observes that in 2018, the Cyberspace Administration of China specifically expressed concern over a potential violation of the new standards when enforcing the Cybersecurity Law and considering the manner in which Alipay and Sesame Credit Management collected personal information in China. While the Cybersecurity Law sets out broad principles of data protection, the national standard for personal data protection contains detailed explanations of many relevant requirements and provides practical guidance to data controllers.
"Corporations whose business does not involve or necessitate frequent collection and processing of personal information could find it cumbersome to adopt the recommended practices contained in the standard"
How does it relate to the GDPR?
The new standard's principles and concepts are very similar to the General Data Protection Regulation (GDPR). Michelle Chan, partner at Bird & Bird, observes that for instance, the new standards include references to accountability, requirements to appoint data protection officers in certain circumstances, requirements to conduct data protection impact assessments, and concepts such as anonymisation, de-identification or pseudonymisation. On the other hand, there are some aspects of the new standard which embody requirements that are quite unique for China.
Chan explained that for example, consent of data subjects is a key legal basis for collection and processing of personal data and there are very little other legal bases available. The definition and scope of sensitive personal information is also very broad in China, and includes items of data such as email address, personal phone number and residential information. There are some very specific and detailed requirements on consent that needs to be obtained for collection and processing of sensitive personal information.
Although the standard incorporates and contains a considerable number of provisions of the OECD privacy framework and the EU's GDPR, it generally follows and incorporates the principles set forth in the Cybersecurity Law. "Compared to the GDPR, it places more emphasis on the obtaining of data subjects' express consent on collection, use and processing of personal information," said Zhenyu Ruan, partner at Baker McKenzie. The standard recommends that the privacy notice and the obtaining of consent from data subjects by data controller/data processor should be differentiated based on the intended purpose of collection and use of personal information whether personal information collected will be used for provision of core services or non-core or add-on services.
"This is rather innovative, as proper use of this service function or purpose specific approach could help data controllers/data processors to better control the potential risk of non-compliance with the data privacy protection requirements," said Ruan. What are businesses finding most challenging? There are a number of areas that businesses find challenging under the new standards. "In particular, the standards contain some very intricate requirements on consent that needs to be obtained for collection and processing of sensitive personal information," said Yue.
The definition of sensitive personal information includes some items of information which are not generally expected to be sensitive such as email address, personal phone number and residential address. "Many businesses find the requirements on collection and processing of sensitive personal information unduly complicated and burdensome to implement," said Chan. For instance, businesses need to identify the core purposes and ancillary purposes for collection of sensitive personal information and obtain separate consent for each item of sensitive personal information that is collected for ancillary purposes.
Other complex areas include what needs to be included in privacy statements, which businesses in China will now need to provide to data subjects under the Cybersecurity Law. "The standard contains a list of such content but when read in conjunction with the model privacy statement included in the annex, some businesses have expressed concern that the privacy statements may become an unduly complex and long document which when presented to consumers and may not be an easy document to digest," said Yue. Some businesses are finding that while the provisions contained in the standard are detailed and specific, these provisions may not be sufficiently relevant to their daily business operations.
"Corporations whose business does not involve or necessitate frequent collection and processing of personal information could find it administratively cumbersome to adopt the recommended practices contained in the standard," said Ruan. A commonly-asked question by businesses is whether the provisions are practically feasible and meaningful for their handling of their employees' personal information either in the course of HR management or daily business operations. Which areas lack clarity?
The area that is least clear to businesses is how the new standards will be enforced. "Given that some of the requirements are indeed quite onerous, businesses are quite concerned as to the extent to which they should comply with the requirements and the risks of enforcement for not fully complying," said Chan. Although there are no specific penal provisions under the new standards, its close relationship with the Cybersecurity Law means that the requirements should not be taken lightly.
This uncertainty would only be addressed when actual enforcement actions are taken referencing non-compliance with the new standards. Ruan notes that the brief section 8.3 concerning transfer of personal information in the context of M&A or restructuring requires further and more practical guidance. Additionally, Ruan observes that the details concerning cross-border transfer of personal information are left to the pending guidelines for security assessment of provision of personal information and important data to overseas.
The material on this site is for financial institutions, professional investors and their professional advisers. It is for information only.
All material subject to strictly enforced copyright laws. (C) 2018 Euromoney Institutional Investor PLC.
For help please see our FAQ.