China Releases New Personal Information Privacy Standards
Wednesday, February 21, 2018
China, Personal Information, Privacy, Standards

Related Practices & Jurisdictions
Print Mail Download i

On January 25, 2018, China released the final version of the Personal Information Security Specification, new voluntary standards on the protection of personal information.  The standards anticipate and address the “issues faced in personal information security during the rapid development of IT technology; with the protection of personal information as their core” and is meant to “regulate all phases of big data operations and related conduct, such as the collection, storage, processing, use and disclosure of personal information.”  The standards will go into effect on May 1, 2018.

The standards will apply to organizations using information systems to process personal information; specific departments that involve network security, third party assessment organizations; and other organizations that deal with the oversight, management, and assessment of personal information security.  Generally, they lay out the following 8 basic principles of personal information security.

  1. Responsibility Principle: Responsibility should be borne for the security of all personal information they possess, regardless of the path through which this information was obtained.

  2. Clear Purpose Principle: There should be a lawful, legitimate, and specific purpose for personal data processing, and the purpose for the personal data processing must not be changed without authorization from the personal data subject.

  3. Smallest Adequate Amount Principle: Except where it has been agreed otherwise with the personal data subject, only the smallest amount of information necessary to satisfy the purposes should be processed. After the purposes are achieved, the personal information should be promptly deleted in accordance with agreements.

  4. Principle of Consent and Choice: The personal data subject should be allowed to choose whether to consent to processing of their personal information, including the agreeing upon its purposes, methods, and scope, and when changes are made the personal data subject’s consent should be solicited again. The personal data subject’s not giving consent must not be the reason for refusals to provide them services or for reducing the quality of services, except where the services rely on users’ personal information.

  5. Quality Assurance Principle: In the course of processing personal information, the accuracy, veracity, validity, and usability of the personal information should be ensured.

  6. Security Assurance Principle: Appropriate management principles and technological measures should be employed to ensure security in all phases of processing personal information.

  7. Subject Participation Principle: Personal data subjects should be provided measures to access, correct, and delete their personal information, as well as to withdraw consent, deregister accounts, and so forth.

  8. Principle of Openness and Transparency: The scope, purpose, and rules for processing personal information should be disclosed in a clear, understandable, and reasonable fashion, and when necessary, accept outside supervision.

The standards also provide definitions for data privacy terms such as personal information, personal sensitive information, personal data subject, personal data controller, explicit and implied consent, disclosure, transfer, anonymization, and pseudonymization.

These new standards come on the heels of China’s new Cybersecurity Law, which took effect in June 2017, and add to China’s complex and evolving data protection regime.  The Cybersecurity Law regulates the construction, operation, maintenance and usage of networks, as well as network security supervision and management within mainland China, and mandates several forms of data-related regulation, including with respect to requiring that certain types of information be hosted within China, implementing incident management procedures and consent requirements when collecting personal data, and creating key operations security protections for critical information infrastructures.

Though the new privacy standards are completely voluntary, organizations should aim to comply by employing privacy-focused efforts such as reviewing data privacy policies, implementing stricter security practices, carrying out data protection impact assessments, employing and training privacy personnel, and maintaining detailed internal recordkeeping of data processing activities.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins