The State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) jointly published the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (PI Specification)1 proposed by the National Information Security Standardization Technical Committee (TC260) on March 6, 2020 as an amendment to and replacement for the November 2017 version (GB/T 35273-2017).  The PI Specification will take effect on October 1, 2020.  

Although the GB/T code indicates that it is a voluntary and recommended rather than a mandatory document setting out best practices concerning protection of personal information (PI), Chinese regulators will likely expect that companies of all sizes comply with the Information PI Specification with respect to auditing and enforcement of the Cybersecurity Law (effective June 1, 2017) and proving compliance with laws and regulations in government investigations and other legal proceedings.  

The PI Specification will strengthen privacy protection, place more weight on the independence of will of individuals in deciding whether to share one’s PI as a condition of access to products and services that offer Business Functions (most mobile apps) (capitalized terms defined below), and the guarantee of the right to Consent in PI collection and usage, among other provisions. 

Read more in our alert, "China Issues New Personal Information Security Specification."