China’s long-awaited new National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (the “Regulations”) came into force on May 1, 2018. The Regulations are arguably China’s most important personal data protection rules, representing new standards for the handling of personal data.
The Regulations supplement rather than abrogate China’s existing patchwork of data protection laws and regulations. Although the Regulations themselves are not legally binding, they dovetail with China’s 2017 Cybersecurity Law and Consumer Protection Law which are binding. Furthermore, over the coming months, regulators will be pressing for compliance with the Regulations, so organisations operating in China are strongly advised to review and update their China data protection policies and practices to reflect the new standards.
Summary of Key Features
Clarification of key data protection conceapts and definitions.
Personal data is defined as either “personal information” or “sensitive personal information” with the latter subject to more stringent data protection (eg: all personal information of persons under 14 years of age is categorized as “sensitive personal information”).
Explicit consent is required for collection of sensitive personal information or use of personal information for any new purpose.
Inclusion of certain prescribed information in all privacy notices, including but not limited to (for business use) personal information collection and processing rules such as the collection method and frequency, place of storage, and frequency of collection; if data is shared, disclosed or transferred, the types of data involved, the types of the data recipients, and rights and obligations of each party; data subject rights, and complaint handling; security principles followed, and security measures implemented.
Personal information security impact assessments are required for: (i) outsourcing of data processing; (ii) sharing and transfer of personal information; or (iii) disclosing personal information to public.
All personal information collected/produced in China and transferred to or shared with offshore parties requires a security assessment and all such assessments must be conducted in accordance with yet-to-be-released official standards and procedures.
All requests for access to, correction of, copies and deletion of personal information, and withdrawal of consent must be responded to within 30 days, and there should be no charge for any reasonable request unless repeated requests are made within a certain period of time.
New standards and procedures for effective data protection that organisations need to comply with and include: (i) drafting, implementing and updating privacy policies and corresponding procedures; (ii) privacy training; (iii) security impact assessments and audits.
Organisations must appoint a data protection officer and a dedicated data security team to be directly responsible for the protection of personal information.
Data breach notifications: a specific incident response plan is required together with periodic reviews and rehearsals and organisations must keep a record of incidents detailing the scope of such breaches.
Periodic data protection impact assessments which must be carried out at least annually.
The Regulations do not bring China’s data protection framework as close to GDPR standards as some commentators have predicted but they are an unmistakable sign both that the PRC government takes data protection seriously and is moving towards adopting international best practices in this space. This will be welcomed by international businesses currently undertaking GDPR compliance reviews and who are now turning their attention to their China practices. Nevertheless, clear local distinctions (notably regarding data localisation, the requirement for consent, and restrictions on handling of non-personal data) remain in China and must be specifically addressed.
Over the course of the next year or so, we should see new and updated national standards promulgated to cover key areas such as data anonymisation, handling of big data, overseas data transfers, and diverse aspects of information security. Some of these implementing standards will simply adapt existing ISO standards.
We are continuing to monitor regulatory developments in this space and will report as and when they occur. In the meantime, organisations with data exposure to China need to appreciate that enforcement action in the data protection sphere is already a reality in China and as this regulatory and enforcement framework continues to evolve, they need to take steps now to review and update their compliance programmes to ensure these comply with the Regulations.