China data privacy: New guidance to strengthen protection of personal data

China’s guidance on privacy of personal data is set to change in the near future, following the publication of a draft guideline in late 2016. Though a date has not yet been set for the guideline to be finalised, companies should take the opportunity to assess whether they will need to make changes to their systems and processes to bring them in line with the guidance as currently set out.

The draft guideline document, “Information Security Technology - Personal Data Security Specification”
(“Guideline”), issued by the National Information Security Standardisation Technical Committee, is the most comprehensive statement on the protection of personal data issued by the Chinese government to date.

Although the Guideline will not be mandatory or legally binding, once finalised and adopted it may serve as best practice in relation to the protection of personal data in China, and is likely to become a major reference document for Chinese authorities wishing to implement cyber security laws and regulations. It may also indicate the future direction of China’s legislation in this area.

In this briefing, we outline the key aspects of the draft Guideline and discuss the implications for businesses in China.

Scope of application

Unlike Chapter Four (Network Information Security) of the Cyber Security Law of China (which applies only to network operators), the draft Guideline applies to all types of entities in China using information systems to process personal data (including public institutions and companies, etc).

However, the draft Guideline does not apply to entities which have less than ten employees or less than RMB 1 million in revenue and process personal data of no more than 10,000 individuals in any consecutive twelve month period. In addition, the draft Guideline governs the entire life cycle of personal data, including the collection, storage, use, transfer, and disclosure of personal data.

Key defined terms

The definition of “Personal Data” in the draft Guideline is similar to that in the Cyber Security Law, except that it explicitly includes biological identification data, behavioral data and geological location. Examples of “Personal Data” generally include:

1. data which can be used to identify a natural person, such as name, address, personal ID number, back account number, fingerprints, iris, etc;
2. data which contains personal private information, such as health records, medical reports, text messages, emails, contact lists, etc; and
3. data which reflects personal use of services, such as access records, purchase records, operating records, software and hardware data, geological location, etc.

Crucially, the Guideline provides a definition of “Personal Sensitive Data” that has not been defined elsewhere in Chinese laws and regulations. “Personal Sensitive Data” is defined as “data that may lead to bodily harm, property damage, reputational harm, harm to personal heath, or discriminative treatment of an individual if such data is disclosed, leaked or abused.”

Examples of “Personal Sensitive Data” include:

• personal ID number;
• bank account information;
• medical records;
• biological identification data; and
• exact geological location and telephone records.

As the examples are not exhaustive, the Guideline provides detailed criteria for determining when data is “Personal Sensitive Data”. Such criteria mainly focus on the risk of harm should there be any disclosure, leak or abuse of personal data.

By providing general definitions, specific examples and detailed criteria, the Guideline helps data controllers (that is, entities or individuals who determine the purposes and methods of personal data processing) to identify “Personal Data” and “Personal Sensitive Data” with more certainty.

Key requirements for data controllers

The draft Guideline imposes various specific obligations on data controllers which are in line with the provisions of the Cyber Security Law.  Some of the significant obligations include the following:

1 | Risk management

The draft Guideline explicitly provides that data controllers shall be responsible for the security of the personal data they hold, regardless of how the data was obtained. Accordingly, the Guideline outlines a risk management framework that data controllers should follow. Under such framework, a data controller shall:

1. assign relevant departments and staff to take charge of the security of personal data, if the data controller has more than 200 employees and its business involves processing of personal data. If it processes (or expects to process) personal data of more than 500,000 people in twelve months, it shall set up a department and have staff specialising in the security of personal data;
2. conduct personal data security risk assessments regularly (at least once a year) based on the risk assessment framework outlined in Annex D of the draft Guideline, and prepare a risk assessment report;
3. adopt necessary security measures for personal data and personal sensitive data based on the risk assessment report (e.g. encryption, access control, anonymisation, pseudonymisation, etc.) to limit the security risks to an acceptable level;
4. conduct data security audits on data security strategies, procedures and security measures; and
5. disclose to the public relevant information relating to its personal data security measures.

2 | Emergency disposal and reporting

The draft Guideline also outlines an emergency disposal and reporting framework. It requires data controllers to develop emergency response plans for any personal data security incidents. Data controllers should provide regular training and exercises to the relevant staff (at least once a year). If a data security incident occurs, a data controller shall:

1. record and assess the data security incident;
2. handle the event based on the emergency response plan it develops;
3. report to China’s National Internet Emergency Center under certain circumstances;
4. adopt appropriate remedial measures for data subjects;
5. notify the data subjects of the data security incident in a timely manner; and
6. disclose to the public relevant information concerning the data security incident according to Chinese law.

3 | Specific requirements for collection, storage and processing of personal data

In addition to the general requirements in Chapter Four of the Cyber Security Law, the draft Guideline specifically requires that express consent (rather than implied consent) must be obtained from data subjects for the collection of personal sensitive data. It also provides that special reminders should be given for the collection of information relating to personal IDs, passports and driving licences. If a data controller intends to modify the purpose, method and scope of data processing, the Guideline provides that it shall first obtain the consent from data subjects in order to do so.

The draft Guideline requires personal data controllers to limit the amount of collected data to what is necessary to accomplish a purpose that has been specified to data subjects. Similarly, the storage period of personal data should be minimised. Upon expiration of the storage period, data controllers shall promptly delete or anonymise the personal data. Personal sensitive data shall be stored only after it has been encrypted. Subject to the purpose of data processing, anonymisation and pseudonymisation of personal data may be used in order to mitigate security risks. The Guideline recommends that data controllers should immediately pseudonymise any personal data they receive.

The Guideline requires data controllers to provide data subjects, in respect of the processing of their data, with methods to:

• access their personal data;
• correct or delete their personal data; or
• withdraw consent or cancel accounts.

If the data controller authorises a third party (e.g. a data processing service provider) to process personal data, the data controller should conduct a data security assessment or an audit on such third party, and request from it a data security risk assessment report and information concerning other necessary qualifications.

4 | Specific requirements for transfer and disclosure of personal data

The draft Guideline generally prohibits the transfer or disclosure of personal data unless certain pre-conditions are fulfilled.

For example:

• a data controller must obtain prior express consent (rather than implied consent) from relevant data subjects for the transfer or disclosure of personal data;
• prior to such transfer or disclosure, the data controller must conduct a risk assessment based on the process outlined in Annex D of the Guideline, and adopt effective security measures according to the risk assessment report; and
• the data controller must ensure that the data security standards of the transferee shall not be lower than those of the data controller itself.

If a data security incident in connection with a transferee (that is, the recipient of the personal data from the original data controller) occurs and causes damage to data subjects, the transferor (that is, the original data controller) shall assist data subjects in seeking compensation from the transferee (or itself provide proper compensation to data subjects).

However, it remains unclear whether the data subjects are entitled to sue either the transferor or the transferee in case of a data security incident of the transferee and to what extent the transferor should be liable for the damages and losses caused by such incident to the data subjects.

The Guideline has yet to address cross-border transfers of personal data, given the complexities of the issue. In general, this could present challenges for multi-national companies which routinely share personal data with their affiliated companies or third party data processors.

It is also important to note that, under the draft Guideline, if a data controller is merged with or is acquired by a third party, engages in reorganisation or undergoes a change of control, a transfer of personal data will be deemed to have occurred. In that case, the data controller must fulfill the relevant pre-conditions before such merger, acquisition, reorganisation or change of control takes effect.

Implications for businesses

The draft Guideline is one step further for the protection of personal data following the promulgation of the Cyber Security Law in November 2016. It is a strong indication of the Chinese government’s intention to strengthen the protection of personal data. Although the Guideline is marked as “GB/T” (which stands for “Recommended National Guideline” in Chinese), and may be adopted by businesses on a voluntary basis, the Guideline is likely to serve as “quasi-implementing rules” in respect of the Cyber Security Law in relation to the protection of personal data, and Chinese authorities may regard it as a major reference document to evaluate legal compliance of businesses.

Once finalised and adopted, the Guideline could present compliance challenges for businesses. For example:

• implementation of the risk management and emergency disposal and reporting framework outlined in the Guideline could be costly and time consuming; and
• conduct of businesses during the life cycle of personal data (that is, collection, storage, processing, use, transfer and disclosure, etc.) could be challenged if certain specific requirements are not met.

We therefore recommend that businesses should carefully study the requirements proposed by the Guideline and review their current data protection policies in order to ensure compliance with best practice for the protection of personal data in China.

As the draft Guideline is subject to further revision and adoption, we will continue to monitor the situation and provide updates on significant developments.