13 April, 2020
On March 6, 2020, TC260 released an updated version of the recommended national standard, Personal Information Security Specification (“PI Specification”, GB/T 35273-2020). Several drafts had previously been released for public consultation over the last two years, since the PI Specification came into effect in May 2018. The general data protection requirements under PRC law, primarily the Cybersecurity Law, remain at a high level. The PI Specification provides extensive and practical guidance for complex data collection and processing circumstances and has been frequently referred to in litigation and government enforcement actions.
The updated version of the PI Specification tries to respond to a number of issues that have arisen in practice over the last two years, and it also reflects the attitude of regulators in enforcement actions. Below are some of the key points of the amendments and insertions in the updated PI Specification.
1. The Definition of Consent has been Expanded to Include Implied Consent
The definition of consent has been amended to provide that consent may be given by actions (explicit consent) or by negative actions (implied consent). An example is provided: if information subjects are informed that they will be videotaped in certain areas and still remain in those areas, they will be deemed to have given authorization for such recording. (Section 3.6)
2. Separate Consent for Multiple Functions
A new provision has been inserted which prohibits the data controller from forcing a personal information subject to accept all the functions provided by a product or service, together with the corresponding requests for collecting personal information, where the product or service provides various functions that each require the collection of personal information. Accordingly, the data controller is required to provide separate consent procedures for each of the multiple functions provided and to collect only the personal information directly related to the specific function consented to by the personal information subject. It further requires that the data controller provide convenient means for the personal information subject to close or exit a consented function, and halt the collection of personal information once the personal information subject has chosen to close or exit that function (Sections 3.17, 5.3). In connection with this consent requirement, it is notable that TC260 published a specific national standard for public comment in January this year.
3. Stricter Requirements on the Collection, Usage and Storage of Personal Biometric Information
In response to widespread concerns about the adoption of facial recognition technology in recent years, the PI Specification incorporates specific requirements for data controllers that collect personal biometric information, including:
- Personal information subjects should be separately informed of the purpose, method and scope of the collection and use of personal biometric information and of the relevant rules, such as the storage period;
- Explicit consent from the personal information subject should be obtained before collecting any personal biometric information, and such consent should be specific, clear and obtained on a “fully informed” basis;
- Personal biometric information should be stored separately from personal identity information;
- In principle, the raw data of personal biometric information (such as samples and images) should not be stored. Examples of acceptable measures include storing only summary information, collecting personal biometric information for identity confirmation purposes only at the terminal, or deleting the original image after identity recognition. (Sections 5.4, 6.3)
4. Limitations on User Profiling
A specific section has been inserted that places restrictions on user profiling. For example, the features used to describe a personal information subject should not contain any tags relating to obscenity, gambling or violence, or information relating to discrimination based on nationality, race, religion, disability or disease. When employing user profiling in operations or in commercial cooperation, the data controller should not infringe on the legitimate rights and interests of citizens, legal persons and other organizations, or carry out illegal actions. Furthermore, the use of profiling information should avoid correlation with the identity of a personal information subject, except when strictly necessary. (Section 7.4)
5. Distinguishable and Controllable Personalized Displays
Provisions are included that require data controllers to make information subjects aware of personalized displays and to provide an option to choose between personalized and non-personalized displays. For example, data controllers are required to distinguish personalized displays from non-personalized displays by marking “customized content” or by providing personalized and non-personalized content in different columns or pages. When providing e-commerce services, data controllers need to provide an option for consumers to choose non-personalized displays. When providing news information services, data controllers need to provide a straightforward option to opt out of personalized displays. (Section 7.5)
6. Account De-Registration Procedures
Data controllers are required to provide a simple and convenient de-registration option for users. In particular, data controllers must avoid unreasonable conditions or procedures during the de-registration process and avoid collecting unnecessary information for the purpose of verifying the identity of users. Data controllers should also delete or anonymize information if the relevant individual chooses to deregister their accounts, and even if such information needs to be retained according to the law, it should not be used in the course of daily operations. (Section 8.5)
7. Data Processing Agreement
Under the new PI Specification, a data controller needs to enter into a comprehensive data processing agreement with its processor or other data-sharing partners, so that when a processor or partner fails to process data properly, the data controller is entitled to require the processor or partner to stop the relevant activities, take remedial measures and mitigate security risks, and may terminate the cooperation when necessary. (Section 9.2)
8. Stringent Requirements regarding Co-controllers and other Third Parties with Plug-ins
In addition to the original requirement that a data controller which will share a user’s personal information with a co-controller enter into an agreement with the co-controller specifying the security obligations and liabilities of each party, the new PI Specification provides that, if the data controller fails to disclose the third party’s identity, the data controller will be liable for the activities of the co-controller. (Section 9.6)
The new PI Specification further provides that if a data controller embeds into its own products or services a third-party product or service which will collect personal information, and the data controller and that third party are not co-controllers, the data controller is required to establish a relevant administration mechanism, enter into an agreement with the third party, disclose to information subjects that the relevant product or service is provided by a third party, maintain relevant records, and require the third party to fulfil its legal obligations. However, it is not entirely clear whether and how the data controller will be held responsible if it fails to follow these requirements. Nor is it entirely clear in what circumstances a third party will be deemed a controller. (Section 9.7)
9. Some Internal Administration Requirements
The new PI Specification sets out that the personal information protection officer should have relevant work experience and expertise, and amends the criteria for appointing a personal information protection officer and department: the first criterion is that an entity processes more than one million pieces of personal information, or estimates that it will process more than one million pieces of personal information within 12 months (the threshold was half a million in the previous version); a new criterion is added for an entity that processes more than 100,000 pieces of sensitive personal information. The responsibilities of the DPO are also supplemented to include drawing up a relevant working plan and urging its implementation, establishing and updating relevant policies, conducting personal information impact assessments, arranging relevant training, conducting security audits and communicating with the relevant authorities.
10. Our Observations
We believe that the amendments to the PI Specification may have an impact on the operations and privacy practices of enterprises in China. There are also a number of minor changes in the PI Specification that need to be taken into consideration when formulating internal rules and privacy policies. We believe the changes respond to the challenges of the collection and use of personal information through the various channels and types of technology currently in practice. It remains to be seen how many of the detailed requirements in the PI Specification will subsequently be included in laws and regulations and reflected in enforcement actions by government agencies, especially with respect to online operations.