The State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) jointly published the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (PI Specification)1 proposed by the National Information Security Standardization Technical Committee (TC260) on March 6, 2020 as an amendment to and replacement for the November 2017 version (GB/T 35273-2017). The PI Specification will take effect on October 1, 2020.
Although the GB/T code indicates that it is a voluntary and recommended rather than a mandatory document setting out best practices concerning protection of personal information (PI), Chinese regulators will likely expect that companies of all sizes comply with the Information PI Specification with respect to auditing and enforcement of the Cybersecurity Law (effective June 1, 2017) and proving compliance with laws and regulations in government investigations and other legal proceedings.
The PI Specification will strengthen privacy protection, place more weight on the independence of will of individuals in deciding whether to share one’s PI as a condition of access to products and services that offer Business Functions (most mobile apps) (capitalized terms defined below), and the guarantee of the right to Consent in PI collection and usage, among other provisions.
According to the Preamble of the PI Specification, the principal amendments compared to the 2017 version include:
- Addition of “voluntary selection of multiple Business Functions”;
- “Exceptions to Consent”;
- “Restrictions on use of User Profiling”;
- “Use of Personalized Display”;
- “Convergence and consolidation (汇聚融合) of PI collected for different business purposes”;
- “Third-party connection management”;
- “Clarification on departments and personnel”;
- “PI security engineering”;
- “Recording of PI processing activities”;
- Revisions to “exceptions to soliciting Consent”; and
- Refinements with respect to personal biometric information.
Below please find highlights of the changes:
- Personal Sensitive Information: The definition of “Personal Sensitive Information” is expanded to include information created by the PI Controller (defined as the organization or individual that can decide the purpose and ways to process PI) through the processing of PI or other information which, if leaked, illegally provided or abused, may harm the security of person or property, personal reputation, or physical or mental health of the PI Subject (defined as the natural person identified or associated with by the PI), or lead to discriminatory treatment (3.2).
- Consent: Consent is defined as clear authorization by the PI Subject to have its PI processed in a specific way (3.7). Consent includes “Explicit Consent” (明示同意) and implied consent.
Explicit Consent is defined as an affirmative act of authorization electronically or in writing, such as checking the box, clicking on “Agree”, “Register”, “Send”, or “Call”, or voluntarily filling out or providing information (3.6).
Implied consent is not a defined term and generally refers to presumed authorization (such as not leaving the area after being informed of the information collection behavior).
- Multiple Business Functions: Business Function is defined as a type of service that meets the specific need of PI Subjects, such as navigation, online car hailing, instant messaging, social media, online payment, news, online shopping, express delivery, and transportation ticketing (3.17).
PI Controllers may not force PI Subjects to accept Business Functions and the associated PI collection requests through the bundling of multiple Business Functions to request a one-time acceptance and Consent for Business Functions including those not applied for or used by PI Subjects. Only voluntary affirmative act by PI Subjects, such as an active click or filling in information, would be treated as the condition for enabling a specific Business Function, and only after which may PI Controllers begin to collect PI. PI Controllers must stop collecting PI when the PI Subject closes or exits a certain Business Function. It is prohibited to force collecting PI in the names of service and experience improvement, product innovation and enhancement of security (5.3).
PI Controllers, especially mobile Internet application business operators, shall differentiate basic Business Functions and expanded Business Functions (C.2 Appendix C). If the PI Subject does not consent to the collection of PI essential for basic Business Functions, the PI Controller may refuse to provide such Business Functions (C.3.b Appendix C). If the PI Subject does not consent to the collection of PI essential to the expanded Business Functions, the PI Controller may not make repeated requests for consent more than once every 48 hours unless the PI Subject voluntarily chooses to enable the expanded Business Functions. If the PI Subject does not consent to the collection of PI essential to the expanded Business Functions, the PI Controller may not refuse to provide basic Business Functions or reduce the quality of service of the basic Business Functions (C.4.b, c Appendix C).
- User Profiling: User Profiling is defined as the process of forming personal characteristics of an individual based on the individual’s PI such as occupation, income, health, education, personal preferences, credit rating and behavior (3.8).
User Profiling may not result in discrimination based on ethnicity, race, religion, disability, or disease. When using User Profiles in internal operations or external business cooperation, PI Controllers may not endanger national security, honor or interests, incite subversion of state power, instigate secessionist activities, or disseminate terrorism, radicalism, ethnic hatred, violence or obscenity (7.4).
- Personalized Display: Personalized Display is defined as the display of information and search results of products or services based on the individual’s PI such as Internet browsing history, hobbies, consumption records and habits (3.16).
When PI Controllers use Personalized Display in the provision of Business Functions, visible distinctions need to be made to the contents for Personalized Display and contents of non-Personalized Display, such as the labeling of “Targeted Push” (定推) (7.5). Non-Personalized Display of search results of products or services shall also be provided to consumers together with Personalized Display. The PI Subject shall be given the ability to control the degree and extent to which its PI can be utilized to generate the Personalized Display.
Regarding the effect of accumulation of PI collected based on multiple business purposes, PI Controllers are required to conduct PI security assessments in accordance with the purposes for use of the PI after convergence and consolidation (汇聚融合) and adopt effective protection measures (7.6).
- Third-Party connection management: PI Controllers, when combining third-party PI collectors of PI to their own products and services, shall evaluate the third parties’ security capability, ensure that the third parities collect PI by legal means with necessary Consents as well as inquiry and complaint channels. PI Controllers are advised to make technical tests of such third-party embedded automation tools as codes, scripts, interfaces, algorithm models, and software development kits, and immediately disconnect them if the third party collected PI exceeds the agreed scope (9.7).
- PI protection personnel and department: A designated PI protection personnel and PI protection department shall be established if the relevant organization employs more than 200 people and its main business involves processing of PI, if the organization processes PI of over 1 million people or expects to process PI of more than 1 million people within 12 months, or if the organization processes Personal Sensitive Information of more than 100,000 people (11.1).
- Personal biometric information: Personal biometric information is a type of Personal Sensitive Information and includes personal genes, fingerprints, voice prints, palm prints, auricles, irises, facial recognition features, etc. In principle, personal biometric information may not be shared or transferred (9.2.i), unless actually essential for business needs in which case the PI Subject shall be separately informed of the purpose, types of biometrics involved, and identification of the recipient and its data security capacity, and the PI Subject’s Explicit Consent for the sharing/transfer shall be obtained. The PI Controller may not store original personal biometric information in principle (6.3.c) but just the abstract thereof (6.3.c.1) which in general is non-traceable to the original information. Personal biometric information shall be stored separately from personal identification information (6.3.b).
- PI processing record: The PI Controller is advised to establish, maintain, and update records of processing activities in connection with PI being collected and utilized thereby, which may include PI type, quantity, and source (e.g., directly from the PI Subject or indirectly); differentiate the purpose of PI processing, usage scenarios, and such information as PI processing under entrustment, sharing, transfer, public disclosure, and any outbound transmission; and the information system, organizations or personnel in connection with different segments of the PI processing activity (11.3).
China is still ramping up regulations with regard to PI protection and is expected to issue the finalized version of the Measures for Security Assessment for Cross-Border Transfer of PI in the near future. We will continue to monitor developments and provide updates of PI regulations accordingly.