China’s New Draft National Standards on Personal Information Protection
In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December 21, 2016.
“Information Security Technology – Personal Information Security Specification” (“the Standard”) is the most significant standard being proposed. Although not legally binding and lacking the force of law, such a national standard, drafted by CAC, is likely to serve as a reference point for CAC and other regulators to judge corporate data protection practices in China. It may also reflect the direction in which China’s data protection regime is evolving.
In this post, we discuss the background of this draft Standard, its structure, and the general principles it proposes. In a follow-up post, we will discuss key requirements for data controllers and data processors, as well as rights and protections for data subjects.
Despite years of discussion and multiple rounds of drafting efforts, China lacks a unified data protection law. A large number of provisions governing the processing of personal information have emerged across a range of laws and regulations, particularly during the past five years.
One of the most high-profile developments in 2016 was the promulgation of the Cybersecurity Law. The new Law imposes certain data protection obligations on network operators, which are defined as “owners and managers of networks, as well as network service providers.” Network operators have to follow the principles of lawful processing, legitimacy, and necessity when collecting and using personal information. They may not disclose, tamper with, or damage citizens’ personal information that they have collected, and they are obligated to delete unlawfully collected information and to amend incorrect information. They may not provide citizens’ personal information to others without consent, except in cases where the personal information is irreversibly depersonalized such that the data does not identify particular individuals. Finally, the new Law imposes breach notification requirements that will apply to breaches involving personal information.
The Cybersecurity Law, however, did not set a comprehensive regulatory framework for data protection. The collection, use, and processing of personal information held by entities other than network operators is still under-regulated (if not unregulated) in China. National standards, such as the draft Standard, are intended to fill the vacuum and inform companies what the Chinese regulators consider to be best practices in protecting personal information.
In comparison with the previous version of the national standard in this area (i.e., Information Security Technology — Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems, 2012), the draft Standard is more comprehensive in scope and comparable to modern data protection rules and standards, such as the EU’s General Data Protection Regulation (“GDPR”), EU-U.S. Privacy Shield, as well as relevant ISO/IEC, NIST and CWA standards.
Structure of the draft Standard
The draft Standard is divided into nine chapters and five annexes.
The first three chapters set out the scope of the draft Standard, its reference documents, and defined terms. The draft Standard is not expected to apply to entities that have less than 10 employees (or less than 1 million RMB in revenue), and processed personal information of less than 10,000 individuals in the previous 12 months.
The rest of the six substantive chapters focus on the following aspects:
Principles of personal information protection
General requirements on personal information protection
Collection of personal information
Storage of personal information
Use of personal information
Transfer and disclosure of personal information
In addition to substantive provisions, the draft Standard also offer samples of personal information, sensitive personal information, privacy notices/policies, and a personal information security risk assessment framework in four annexes.
Key Defined Terms and Principles
The draft Standard defines “personal information” in a way that matches the term’s definition in the Cybersecurity Law, namely “various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify a natural person.” But the draft Standard explicitly includes a natural person’s biological identification data, geographical location data, and behavior data within the scope.
Like privacy laws in many other countries, “sensitive” personal information is treated differently under the draft Standard. Sensitive personal information is defined as “personal information that may lead to bodily harm, property damage, reputational harm, personal heath, or discriminative treatment of a person if such information is disclosed, leaked or abused.” Examples of sensitive personal information include a person’s National Identification Number, bank information, medical records and biological identification information.
The draft Standard also defines terms such as personal data controller, consent, disclosure, transfer, and anonymization/pseudoymisation.
Eight key substantive principles were outline in the draft Standard, which are meant to parallel international norms:
Liability: a personal data controller is liable for the security of the personal information it processes, regardless of how the information is collected;
Purpose: personal information must only be processed for a lawful, legitimate, and specific purpose. Further consent of the data subject is required if the personal information will be processed for other purposes;
Data minimization: unless otherwise agreed by the data subject, a personal data controller should limit the processing of personal information to what is necessary to accomplish a specified purpose and delete such information as soon as the purpose is fulfilled;
Consent and choice: a personal data controller must allow data subjects to choose whether they consent to the processing of personal information. Data controllers cannot refuse to provide service or lower the quality of service on the ground that the data subject refuses to consent, unless the service is relying on the personal information collected;
Information quality: a personal data controller must ensure that personal information it processes is accurate, authentic, up to date, and usable;
Data security: a personal data controller shall implement appropriate technical and organizational measures to ensure data security;
Data subject participation: a personal data controller shall provide data subjects with methods to access, correct or delete their personal information or to withdraw consents or cancel accounts; and
Transparency: data subjects must be informed about the scope, purpose and rules of the processing of their personal information in an explicit, comprehensible and reasonable manner. Such processing may be subject to outside supervision if necessary.