China’s ever-changing personal data regime

On February 1, 2019, the PRC State Administration for Market Regulation and the PRC Standardisation Administration jointly issued a draft Information Security Technology – Personal Information Security Specification (the Personal Information Security Specification or the Updated Version), along with a request for public comments.

The draft Personal Information Security Specification is an updated version of an earlier specification, which had become effective on May 1, 2018 (the Original Version). The Updated Version further implements requirements of personal data protection under the PRC Cyber Security Law, and is in line with relevant PRC laws issued recently – for example, the PRC E-Commerce Law (effective as of January 1, 2019).

Compared with the Original Version, the Updated Version includes the following major changes.

Collection of personal information

• Prohibit the forcible collection of personal data
  Specifically, where a product or service contains multiple business functions and each of the business functions requires the collection of personal data, the data collector shall not bundle the collection of personal data and require the personal data subject to give consent for personal data collection by one-time authorisation for all such functions.
• Exception scenarios for consent
  Similar to the requirement under the General Data Protection Regulation (GDPR), under the Original Version the data collector could be exempted from having to obtain consent on the ground that the personal data collection was necessary for the performance of a contract with the data subject. However, the Updated Version has deleted this exception, which implies that contract performance necessity may no longer be a ground upon which having to secure consent before data collection can be avoided.

Usage of personal information

The Updated Version adds a definition of “personalised display” and regulations relating to this new concept.

Under the Updated Version

• Using user preference data or cookies to promote or advertise products or services to the customers is defined as “personalised display”.
• The data controller must give clear notification to a personal data subject that “personalised display” will be used for promoting or advertising products or services.
• The data controller must provide the personal data subject with a simple opt-out option to enable that person to avoid receiving such promotions or advertising.

Collection of personal information by third party

The Updated Version provides for certain rules in situations where personal data is collected for a third party product or service that has been incorporated or inserted into the master product or service.

In such situation, the data controller of the master product or service must

• Notify the personal data subject of the source of the third party product or service.
• Establish a data security management mechanism for incorporating the third party product or service.
• Supervise and monitor the third party to strengthen the security and protection of personal data.
• Request that the third party obtains consent for collecting the personal data following the rules and requirements of the Personal Information Security Specification.

Risk management

The Updated Version enhances risk management requirements for data controllers by laying down obligations for setting up a personal information security committee or designated personnel in charge of personal data protection, and their respective responsibilities and liabilities for personal data protection matters.

Our Observations

It has been just nine months since the Original Version was implemented that an Updated Version is now subject to consultation. This reflects the efforts made by Chinese regulators to promulgate new rules to improve regulation of personal data matters, and is aligned with multiple enforcement activities undertaken by Chinese authorities in the past months.

Although the Updated Version is still in draft form, we expect that the Personal Information Security Specification will soon be finalised and take effect. Once that occurs, it ought to be regarded as an example of good practice and practical supplementation guidance for personal information protection under the framework and requirements of the PRC Cyber Security Law.

It is possible, however, that the Updated Version could still be subject to further change before it is finalised. We will monitor any changes in relation to the Updated Version and other Chinese data and cybersecurity regulatory requirements and provide corresponding updates where appropriate.