10 May, 2019
Since the implementation of the Cyber Security Law and the Personal Information Security Specification (PIS), Chinese regulators have intensified their efforts to tackle unacceptable practices in the collection and use of personal data. In November 2018, the China Consumers’ Association published a report (CCA Report) identifying some common malpractices by a wide range of mobile applications in China. These include excessive collection of personal data through general or bundled consent targeted mainly at geographical locations, mobile numbers and contact lists, and businesses having non-compliant privacy policies.
In order to address such malpractices, China’s National Information Security Standardisation Technical Committee (TC260) published a draft amendment to the PIS (Draft Amended PIS) in February 2019 for public consultation, which proposes stricter obligations on data controllers. According to discussions during TC260’s first working meeting on 22 April 2019, the Draft Amended PIS has been revised after the public consultation, but the finalised version has not been officially released yet. This article highlights some key proposed changes which may impact your business in China. Whilst it is not compulsory to adopt the PIS / Draft Amended PIS, compliance is highly recommended as they will be considered by the regulators when taking enforcement actions and should be regarded as best practice.
Purpose-orientated personal data collection
To address the problem of “general or bundled consent”, the Draft Amended PIS prohibits data controllers from forcing data subjects to consent to bundled services and functions. Data controllers are required to clearly identify the business functions offered and to categorise them as “core” or “extended” business functions, and to inform data subjects of the type of information that will be collected for each function.
The concepts of core and extended business functions are not new. Under the current PIS, when seeking to collect sensitive personal data, data controllers are required to indicate whether such data will be collected or used for the purpose of performing a core business function or an extended business function. The rationale is to ensure that data controllers collect no more data than necessary. If an item of sensitive personal data is required only for performing an extended, rather than a core, business function, and the data subject does not actually require such extended business function, the data subject can opt out of such function and does not have to provide the relevant sensitive personal data.
The Draft Amended PIS seeks to expand the requirement to distinguish between core and extended business functions from the collection of sensitive personal information to the collection of all types of personal information. A data controller may obtain a combined consent to data processing in relation to core business functions but, in relation to extended business functions, data subjects must be allowed to give separate consent for each individual extended function. Data controllers are prohibited from sending repeated consent requests to data subjects and cannot refuse to provide core business functions, or offer substandard core business functions, if the subject refuses to consent in relation to extended functions.
The Draft Amended PIS proposes some factors to help determine whether a business function is core or extended. The test is the reasonable expectation of the data subjects, based on considerations such as the name, description and category of the product/service, as well as the way the product/service is promoted. A core business function refers to the main function or service which a data controller provides, while extended business functions are commonly understood as any functions other than the core business function.
For example, for a search engine, searching will be considered the core business function. If the business also offers a payment service to support its search function, the payment service will be deemed an extended business function. To provide more clarity, the recent revisions to the Draft Amended PIS also list some non-exhaustive examples of business functions, such as mapping, navigation, ride hailing, instant messaging, social media, news and information, online shopping, express courier and transportation ticketing, which are more relevant to mobile applications and other activities conducted by electronic means.
Consent should be sought before the initial configuration or installation of an application, or before the data subject sets up a user account. Affirmative acts such as completing a form, or clicking or checking a box, are required to indicate consent. Data controllers must also provide a user-friendly mechanism for data subjects to partially or completely unsubscribe.
It is important to note that under the current PIS, there is an exemption from the consent requirement where the data processing is necessary in order to enter into or perform a contract with the data subject, which is in line with European law. The Draft Amended PIS originally removed this performance of a contract exemption (although it did add an exemption for “complying with legal obligations”), which emphasised the consent-based nature of China’s personal data protection regime. However, in the revised version, the performance of a contract exemption has been reinstated, but it specifically excludes privacy policies, so that data controllers are not allowed to rely on a privacy policy alone as a contractual agreement to collect personal data without obtaining consent.
Personalised displays and targeted advertising
Offering personalised displays of content such as news feeds, search results, or targeted advertising has been subject to the scrutiny of regulators, even though it is not regulated by the current PIS. The Draft Amended PIS requires data controllers to prominently mark such material as “personalised display” or “targeted delivery”, and to provide a simple mechanism for data subjects to opt out of news or other information delivered by way of personalised recommendations. It also recommends that data controllers put in place mechanisms allowing data subjects to manage their preferences for receiving targeted advertising. Data controllers should delete or anonymise the relevant personal information once a data subject has opted out.
Privacy policies
According to the CCA report, nearly half of the mobile applications reviewed had problems with their privacy policies, including:-
- failure to actively display their privacy policies;
- failure to specify, or make clear, the purpose, manner and scope of collecting and using personal data and the duration and location of storage of the data;
- the incorporation of unreasonable disclaimers or other standard terms limiting the data controller’s liabilities.
To address these common problems, the Draft Amended PIS specifically requires:-
- displaying the substantive content of privacy policies by way of a pop-up window or other pro-active manner, upon first use of the products/services, on account registration, or before collecting or using the data subject’s personal data;
- the purpose, manner and scope of collecting and using personal data, and the duration and location of storage of the data, to be clearly specified, including highlighting the collection of any sensitive personal information, the risks of providing the personal data and the consequences of not doing so;
- any cross-border transfer of personal data must be disclosed;
- privacy policies to be construed in favour of data subjects, essentially rendering unreasonable standard disclaimers ineffective from a data controller’s perspective.
Other major changes
- Management of third party API access – A higher degree of care is expected of data controllers in monitoring and supervising their service providers. The Draft Amended PIS imposes an obligation on data controllers to manage and supervise third parties who may have access to personal data through an API (application programming interface) rather than as a third party data processor or joint data controller. Data controllers should enter into contracts to regulate third parties’ duties and obligations including establishing procedures to obtain consent, handle complaints and requests from data subjects, and should ensure retention of all the access and management records and carry out continuous monitoring and regular audits and inspections on the APIs. Data subjects should be informed that certain services are provided by a third party.
- Security assessments and protective measures when consolidating personal data – Where personal data collected from different sources is consolidated, the Draft Amended PIS requires data controllers to ensure that the use of the consolidated data is compatible with the original purpose consented to by the data subjects. Security assessments should be conducted and appropriate measures taken to protect against data breaches.
- Experienced data protection officer required – The current PIS requires data controllers to appoint personal information protection officers or units without specifying the qualification required to assume this position. The Draft Amended PIS now specifically requires the responsible officers to possess relevant working experience and professional knowledge in personal information protection.
- Internal data processing records – The Draft Amended PIS requires data controllers to keep detailed records of the types, volume and sources of personal data collected, the corresponding business functions for which they are collected and used, whether such personal data will be shared, transferred, disclosed to public and transferred overseas, and the responsible personnel involved in their processing. Therefore, data controllers will be under an onerous obligation to maintain an updated data inventory. In practice, data controllers should maintain such records anyway, for internal investigation purposes, as well as compliance with the authorities’ requests in case of a data breach.
- Data breach notification – under the current PIS, the requisite threshold for reporting data breach incidents to the authorities was unclear. The Draft Amended PIS specifies that data controllers must report to the authorities if the data breach concerns leakage, destruction, or loss of the personal data of more than 1 million individuals, or sensitive personal data affecting the public interest, people’s livelihood or the national economy. However, the timing of the reporting and the relevant authorities to whom the notifications should be directed remain unclear.
- Privacy by design – under the revised version of the Draft Amended PIS, data controllers are recommended to consider privacy by design when creating products and services which involve processing of personal data.
Conclusion
The proposed amendments to the PIS are clearly in line with China’s continued efforts to strengthen its personal data protection regime, particularly in targeting major malpractices identified in recent enforcement actions. In the absence of a comprehensive law on personal data protection, the latest version of the Draft Amended PIS will be an important guideline as to the requirements of the Chinese regulators and could form the blueprint for the upcoming data protection law, which has been on legislators’ agenda since 2018.
For further information, please contact:
Andy Yu, Deacons
andy.yu@deacons.com.hk