August 19, 2019

August 19, 2019

Subscribe to Latest Legal News and Analysis

China Formulating Standards for Personal Information Security and Data Protection

This month, China’s National Information Security Standardization Technical Committee (“NISSTC”) organized a meeting to launch a working group tasked with drafting a Personal Information Security Standard (“PIS Standard”). NISSTC is a government committee jointly supervised by the Standardization Administration of China and the Cyberspace Administration of China. In addition to the government agencies, several Chinese research institutions and Internet companies (including Tencent and Alibaba) will also participate in the working group.

According to one report, an NISSTC official explained that the PIS Standard would be a non-binding guideline serving as a bottom line for the data privacy and security practices of companies, including internet companies, operating in China. The official said that the PIS Standard would limit the kinds of information companies are permitted to collect, and that certain data protection-related conditions would be imposed on providers of information services and the design of relevant software. This official indicated that the PIS Standard would cover both data privacy and security; another official, according to a NISSTC press release, stated the hope that it would serve as the foundational standard for personal information protection practices in China. It is not currently clear whether the greater emphasis would be on data security or on privacy.

Although the contemplated PIS Standard would not be legally binding, its content may influence the future trajectory of data privacy and security-related legislation amid calls for a more comprehensive legal regime governing the protection of personal information. Further, as Chinese regulators generally wield significant discretion in the interpretation and application of often vaguely worded laws and regulations, such a standard could serve as a barometer for assessing legal compliance.

© 2019 Covington & Burling LLP


About this Author

Ashwin Kaja, Covington Burling, International trade lawyer

Ashwin Kaja is an associate in the firm’s Beijing office and is a member of the firm’s International Trade, Public Policy, Data Privacy & Cybersecurity, and Anti-Corruption practice groups. He has advised multinational companies, governments, and other clients on a range of matters related to international trade, public policy and government affairs, data privacy, foreign investment, anti-corruption compliance and investigations, corporate law, real estate, and the globalization of higher education. He also serves as the China and India editor for Covington’s ...

Eric Carlson, Litigation Attorney, Covington Law Firm

Eric Carlson advises clients operating in China and other jurisdictions in Asia on a range of anti-corruption laws, including the Foreign Corrupt Practices Act (FCPA). He has deep experience leading highly sensitive anti-corruption/FCPA investigations in China and other jurisdictions in Asia, including investigations presenting complex legal, political, and reputational risks.​​