On 2 January 2018, the Standardization Administration of China (“SAC”) released the final version of “Information Security Technology – Personal Information Security Specification” (National Standard GB/T 35273-2017, 信息安全技术 个人信息安全规范) (“Specification”). The Specification came into effect on 1 May 2018 and sets out recommended practices for the protection of personal information. Although the Specification is not legally binding, the PRC authorities expect compliance with it and may take it into account when assessing a company’s compliance with related laws (e.g. China’s Cybersecurity Law).
On 1 February 2019, China’s National Information Security Standardization Technical Committee (“NISSTC”) issued a revised draft of the Specification (“Revised Draft”) for public consultation. The consultation period ended on 3 March 2019.
What is the effect of the Revised Draft? The Revised Draft imposes more stringent requirements on data controllers, particularly with regard to obtaining consent. It shows a clear intent on the part of the PRC government to give individuals control over how their personal information is used, and to curb both the excessive collection of data and the ways in which companies may share it. A summary of the key changes proposed by the Revised Draft is set out below.
Collection and Consent
Under Article 5.3 of the existing Specification (moved to Article 5.4 in the Revised Draft), where personal information is collected directly from a data subject, the data controller must obtain the data subject’s informed consent to the collection and use of their personal information, having informed them of, for example, the types of personal information collected and the purposes of use. For indirect collection of personal information, the existing Article 5.5 of the Specification requires the data controller to ask the third-party supplier of the personal information to verify and confirm the legitimacy of the source of the personal information, and to confirm the scope of the consent obtained by the supplier from the data subject.
The Revised Draft introduces a new requirement that prohibits data controllers from coercing data subjects to agree to services or functions and associated data collection. In particular:
- data controllers must not obtain a one-off consent from the data subject to the collection of different types of personal information in relation to the provision of a bundle of services or functions;
- data controllers should only activate a service or function and start to collect related personal information when the data subject actively opts-in;
- data controllers shall provide opt-out mechanisms that are as easily accessible and user-friendly as the opt-in mechanisms; and
- if a data subject terminates, opts out of or refuses to opt in to certain functions or services, the data controller shall not: (i) repeatedly ask the data subject for consent; or (ii) suspend or downgrade the functions or services that the data subject has opted in to receive or use.
Annex C of the Revised Draft further requires data controllers to categorise their functions into “basic functions” and “extended functions”. For basic functions, a data controller may obtain a single consolidated informed consent from the data subject covering all basic functions. Such consent must be obtained through a positive action (e.g. submitting a form or ticking a box to indicate consent). Any change to a data controller’s basic functions, for example following changes to its products or services, will require fresh consent to be obtained from the data subjects.
With regard to any extended functions, data controllers must obtain a separate informed consent from the data subject for each such extended function. Unless the data subject takes the initiative to activate the extended function, the data controller can only request consent from a data subject once in every 24 hours. Failure of a data subject to provide their consent to any extended function cannot result in the data controller downgrading or terminating the provision of any basic function.
A basic function is defined as a function that falls within the core expectations or key requirements of the data subject when they opt in to receive the relevant service or function from the data controller. The Revised Draft specifically states that functions relating to the enhancement of customer experience or research and development of new products cannot amount to a basic function.
For example, if a data subject downloads a restaurant review app provided by a data controller, then the basic function may be to enable the data subject to upload their own restaurant reviews and to access reviews and comments posted by other users on a restaurant. Other functions, e.g. to use data to create a personalised experience and to recommend restaurants, or to carry out analytics, etc., will be considered as extended functions.
Exceptions to Consent Requirement
The existing Specification provides certain exceptions to the consent requirement. For example, a data controller can collect and use personal information directly related to national security, the public interest or judicial proceedings without prior consent. The Revised Draft moves Article 5.4 to Article 5.7 and adds a further exception allowing data controllers to collect and use personal information without consent where this is required for the data controller to comply with its legal and regulatory obligations. A significant change, however, is the deletion of the existing exception that allowed a data controller to use personal information without consent in order to conclude and perform a contract with the data subject. Data controllers can therefore no longer rely on a contract with the data subject as a ground for collecting data; the data controller will need to obtain the data subject’s express consent.
Personalisation and Targeted Advertising
The new Article 7.4 proposed in the Revised Draft regulates how data controllers provide personalised recommendations to data subjects based on their interests, transaction records, and browsing history, etc.:
- if a data controller provides personalised news or information services (e.g. search engines, news sites, etc.), it should clearly identify the personalised results by labelling the relevant news or information with words such as “personalised display” or “targeted push”, and provide the data subject with a user-friendly mechanism to opt-out of the personalised function;
- e-commerce operators or merchants that provide personalised search results or recommendations must, at the same time, also provide non-personalised search results and recommendations to that consumer;
- data controllers must provide a mechanism for data subjects to manage their preferences in relation to receiving targeted advertisements and personalised displays; and
- when a data subject opts-out of personalised displays or targeted marketing, the data controller should provide the data subject with the option to delete or anonymize the personal information used for such purpose.
Consolidating Personal Data
When a data controller consolidates personal information of a data subject that has been collected from different sources, different purposes of use may apply. Article 7.5 of the Revised Draft requires the data controller to ensure that it still only uses each type of consolidated personal information for the relevant purpose notified and consented to by the data subject. In addition, the data controller should carry out a personal information security impact assessment and take appropriate measures to safeguard the personal information in light of the consolidation.
Third Party Access
The existing Article 8 includes provisions on the use of data processors and on the sharing, transfer and public disclosure of personal information. The Revised Draft adds a new Article 8.7, which imposes additional requirements where a data controller allows a third party to collect personal information through the data controller’s own products or services (e.g. through Application Programming Interfaces (APIs)), and the third party will use that personal information for its own purposes (rather than as a data processor or joint controller). These requirements include the following:
- establish restrictions, conditions and a mechanism to manage the third party’s access, e.g. a security assessment;
- specify through contractual or other means the security responsibilities of both parties and the personal data security measures to be implemented by the third party;
- clearly notify the data subjects of the services or products that will be provided by the third party;
- retain relevant contracts and management records relating to the third party’s access;
- require the third party to obtain consent from the data subjects for the collection of their personal information in accordance with the Revised Draft, and verify that the third party has complied with this requirement;
- require the third party to establish a mechanism to handle a data subject’s complaints and requests;
- monitor the third party’s data security management practices, require the third party to rectify any issues and terminate the third party’s access in the event of any issues; and
- for automated tools embedded by the third party in the data controller’s products or services (such as code, scripts or interfaces), ensure that the data collection activity of such tools complies with the agreed requirements, monitor the data collection carried out by such tools, and terminate their access if their activity exceeds what was agreed.
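The last requirement above is the one a first party can partly enforce in code rather than only by contract. The following is an added illustration, not code from the article, from Mayer Brown or from the Specification: a small allow-list guard that a site operator could place around the outbound requests of an embedded third-party tool, so that requests to hosts or with data fields that were never agreed are blocked, the decision is recorded (the “management record” the requirement asks the controller to keep), and the tool’s access is revoked after the first violation. The vendor name, host and field names in the policy are constructed for the example, and the stand-in `fakeFetch` replaces a real network call so the code runs offline.

```javascript
'use strict';
// Added example (not from the article or the Specification): an allow-list
// guard around outbound requests made by a third-party tool embedded in a
// first party's site. Everything in AGREED_POLICY is a constructed,
// hypothetical record of what was contractually agreed with the vendor.

const AGREED_POLICY = {
  vendor: 'example-analytics',                      // hypothetical vendor
  allowedHosts: ['collect.example-analytics.test'], // hypothetical endpoint
  allowedFields: ['event', 'page', 'session_id'],   // fields disclosed to users
};

// Normalise whatever the tool passed as a request body into a plain object.
// Returns null for "no body" and undefined for a body we cannot inspect.
function parseBody(raw) {
  if (raw == null) return null;
  if (typeof raw === 'string') {
    try { return JSON.parse(raw); } catch (e) { return undefined; }
  }
  if (raw instanceof URLSearchParams) return Object.fromEntries(raw.entries());
  return typeof raw === 'object' ? raw : undefined;
}

// Evaluate one outbound request against the policy. Returns
// { allowed, reason } so the caller can both enforce and log the decision.
function evaluateRequest(policy, url, body) {
  let host;
  try {
    host = new URL(url).host;
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (!policy.allowedHosts.includes(host)) {
    return { allowed: false, reason: `host ${host} not in agreed list` };
  }
  if (body === undefined) {
    return { allowed: false, reason: 'request body cannot be inspected' };
  }
  const fields = body ? Object.keys(body) : [];
  const undisclosed = fields.filter((f) => !policy.allowedFields.includes(f));
  if (undisclosed.length > 0) {
    return { allowed: false, reason: `undisclosed fields: ${undisclosed.join(', ')}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Wrap a fetch-like function for a single embedded tool. `guard` makes the
// (synchronous) decision and keeps the audit log; `fetch` is what the tool
// is handed in place of the real fetch. The first violation terminates the
// tool's access for the rest of the session.
function createGuardedFetch(policy, realFetch) {
  const state = { terminated: false, log: [] };

  function guard(url, init = {}) {
    const body = parseBody(init.body);
    const decision = state.terminated
      ? { allowed: false, reason: 'access terminated after earlier violation' }
      : evaluateRequest(policy, url, body);
    state.log.push({
      vendor: policy.vendor,
      url: String(url),
      fields: body ? Object.keys(body) : [],
      allowed: decision.allowed,
      reason: decision.reason,
    });
    if (!decision.allowed) state.terminated = true;
    return decision;
  }

  async function guardedFetch(url, init = {}) {
    const decision = guard(url, init);
    if (!decision.allowed) {
      throw new Error(`blocked ${policy.vendor} request: ${decision.reason}`);
    }
    return realFetch(url, init);
  }

  return { fetch: guardedFetch, guard, state };
}

// Constructed stand-in for the real fetch so the example runs offline.
async function fakeFetch(url) {
  return { ok: true, url: String(url) };
}
```

In a real deployment the guarded `fetch` (and equivalents for `XMLHttpRequest` and `navigator.sendBeacon`) would be what the embedded script sees, and `state.log` would be shipped to the controller’s own logging so that the third party’s collection can be reviewed against the contract.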
Data Breach Notification
The existing Article 9.1 requires data controllers to formulate an emergency response plan for personal information security incidents. When an incident occurs, data controllers must keep a record of the incident, assess its possible impact, adopt the measures necessary to contain, remedy and mitigate it, and report the incident in a timely manner in accordance with the National Cybersecurity Incident Emergency Response Plan.
In addition, the current Specification requires data controllers to notify affected data subjects of any security incident in a timely manner (no matter how small). If it is difficult to notify each affected data subject individually, then a public notice may be provided. The Revised Draft proposes to introduce a threshold, which will only require notification to be made to affected data subjects if the incident would adversely affect the data subject’s rights and interests, for example if the breach involved sensitive personal information.
The Revised Draft further requires data controllers to report an incident to the Cyberspace Administration of China if it involved the personal information of more than one million individuals or it concerned sensitive personal information relevant to national security or public interest (such as genetic information, information related to biological characteristics, health records or other personal sensitive data).
The Revised Draft amends Article 10.1 and imposes an obligation on those responsible for the protection of personal information within the data controller, to (amongst other things) conduct personal information security assessments, provide recommendations on data protection, disclose information such as complaint and reporting mechanisms, and handle any reported incidents in a timely manner.
In addition, the Revised Draft introduces a new Article 10.2, which requires data controllers to keep a data processing record of its collection and use of personal information. The record shall include:
- the types, quantity and sources (whether collected directly or indirectly from the data subjects) of the collected personal information;
- the purpose of collection and use of the personal information;
- whether data processors are involved, and whether any personal information is shared, transferred, publicly disclosed or transferred overseas; and
- the system, organisation, and personnel involved in each step of the data processing.
The Revised Draft is in keeping with the recent proactive enforcement steps being taken by the PRC authorities to protect personal information. For example, in January 2019, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation issued a joint notice on the illegal collection of data by mobile apps, which stated, amongst other things, that mobile app operators must not collect personal information unrelated to their services, must obtain users’ consent, and must protect users’ data in compliance with the Cybersecurity Law. On 18 March 2019, the Jiangsu provincial police also stated that they had been focusing on regulating the online environment, including protecting personal information, clamping down on illicit online activities and urging network operators to comply with their cybersecurity obligations.
The Revised Draft acts as a precursor to what we can expect from the PRC’s new overarching personal information protection law that is in the process of being formulated.
This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.