On 1 May 2018, the “Information Security Technology – Personal Information Security Specification” (PI Specification) issued by China’s National Information Security Standardization Technical Committee (NISSTC) will come into effect. The PI Specification, inter alia, provides guidance on the collection, storage, use, transfer and disclosure of personal information. While the PI Specification is voluntary and not legally binding, it is likely that Chinese regulators will take breaches of the PI Specification into account when enforcing cybersecurity obligations.

The requirements for the collection, use, and storage of personal information are briefly outlined below.

Collection, Use and Storage of Personal Information

The requirements for the collection, use, and storage of personal information under the PI Specification are very similar to those adopted in other jurisdictions. For example, the PI Specification requires the personal data controller to notify personal data subjects of the type of personal information being collected and the rules of collection, and to obtain the personal data subject’s consent before collecting the personal information. Sensitive personal information may only be collected with explicit consent. Sensitive personal information, such as information relating to a person’s reputation or physical and mental health, is subject to increased protection under the PI Specification.

When storing personal information, personal data controllers are required to de-identify all personal information immediately after collection and to store the de-identified information separately from any information that could be used to re-identify it. Storing sensitive personal information requires additional security measures, such as encryption.

Moreover, data controllers are required to give data subjects access to their personal information and to provide a way for personal data subjects to correct or complete their personal information.

Other Requirements

The PI Specification also sets out guidance on expected data breach incident responses and enterprise standards for safeguarding and processing data. Among other things, data controllers are required to devise and publish a privacy policy.

For further information, see the full legal update in our “Asia IP & TMT: Quarterly Review” of Q1 2018.

This article was originally published on AllAboutIP, Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel.