Until now the general rule of thumb about constructing your data privacy framework has been to start with GDPR then tweak for local conditions. It seems the Chinese are stepping up the requirements so worth thinking about using their definitions then retrofitting to your program…:
China’s State Administration for Market Regulation and the State Standardization Administration issued the recommended national standards named the Information Security Technology – Personal Information Security Specifications (GB/T 35273-2020) (the 2020 specifications) on March 6, 2020. The 2020 specifications replace the Information Security Technology – Personal Information Security Specifications (GB/T 35273-2017) (the 2017 specifications) issued on December 29, 2017, and will go into effect on October 1, 2020.
To safeguard personal information security, the 2020 specifications are designed to regulate personal information controllers’ actions in collecting, storing, using, sharing, transferring, or publicly disclosing information or other information-processing activities according to the Cybersecurity Lawand other related laws. They are aimed at curbing the illegal collection, abuse, or divulgence of personal information or other violations for the purpose of safeguarding individuals’ legal rights and interests. The 2020 specifications set out the principles and security requirements for activities conducted by many organizations to process personal information. The supervision, administration, and evaluation of these activities also shall be governed by the 2020 specifications. The key revisions of the 2020 specifications are described as follows:
Stricter Principle of Minimum Necessity (Art. 4d)
In the 2017 specifications, one of the basic principles for the personal information controller to process the personal information is the Principle of Minimum Sufficiency. “Except as otherwise agreed with the personal information subject, only the minimum categories and amount of personal information required to achieve the purposes authorized and consented to by the personal information subject can be processed. Once these purposes are achieved, the personal information should be deleted in a timely manner as agreed.”
However, the 2020 specifications replace the Principle of Minimum Sufficiency with the Principle of Minimum Necessity by deleting the description of “except as otherwise agreed with the personal information subject.” This subtle difference indicates stricter requirement on storing and using the personal information, which excludes the possibility that relevant business operators can avoid this principle by reaching agreements with individuals.
New Requirements for Independent Choice of Multiple Business Functions (Art. 5.3, Schedule C)
The 2020 specifications emphasize that the provision of multiple business functions for products or services requiring the collection of personal information should be based on the independent choice of the personal information subject. When a product or service provides multiple business functions that require the collection of personal information, the personal information controller should not force the personal information subject to accept the business functions provided by the product or service and the corresponding request for the collection of personal information against his/her will.
The new requirements are added to solve the problem of collection of personal information by means of bundling. Essentially, the personal information collectors need to split their business functions and must request authorization on a case-by-case basis. It is suggested that relevant business operators should separate various business functions in their information system provided to the public, classify the basic business functions and extended business functions of the product or service, and adjust the procedures of collecting and using personal information of each business function. For example, the business operators should not force the users to give authorizations to the extended business functions.
Change of Scope of Personal Sensitive Information (Schedule B)
Personal sensitive information means personal information, the release or misuse of which may cause harm to personal or property security, or is very likely to result in damage to an individual’s personal reputation, physical or mental health, or give rise to discriminatory treatment.
For example, the 2020 specifications delete “information generated from the personal physical conditions,” “system account numbers, email addresses, and codes, answers to questions asked to protect the codes and users’ personal digital certifications for the said accounts or addresses, etc.” and “personal telephone numbers.” However, it should be noted that the above information may still constitute personal sensitive information if its leak or use will cause harm to individuals.
Additionally, “friend lists, group lists” are also added as personal sensitive information in 2020 specifications. This change may have been made as a result of the development of network loans and increasing numbers of unfair competition cases.
Improvement of Provisions Regarding Personal Biometric Information (Arts. 5.4c, 6.3, and 9.2i)
In view of the concerns and discussions about the excessive collection and abuse of personal biometric information, especially facial data, in recent years, the 2020 specifications provide more detailed and stricter protection requirements for the collection, storage, sharing, and transfer of personal biometric information (e.g., personal genes, fingerprints, vocal prints, palm prints, auricle, iris, and facial features), which is a kind of personal sensitive information:
- Prior to the collection, the personal information subject should be separately informed of the purpose, method, and scope of collection and use of personal biometric information, as well as the storage time and other rules, and the explicit consent of the personal information subject should be obtained.
- The personal biometric information should be stored separately from the personal identity information, and the original personal biometric information (e.g., samples, images) should not be stored, though there may be exceptions to this principle. These exceptions have not been articulated.
- Sharing or transferring any personal biometric information is prohibited unless it is required to meet business needs. This need (e.g., purpose of the sharing or transfer, identity of the data recipient) must be provided to the personal information subject and the explicit consent from the personal information subject must be obtained.
Change of Definitions of Explicit Consent and Consent (by Authorization) (Arts. 3.6 and 3.7)
While the 2017 specifications state that explicit consent should be expressed through written statement or voluntary affirmative gesture (such as voluntarily selecting “agree” “register” or “send”, etc.), “verbal statement” is added into the 2020 specifications as another way to express explicit consent.
The concept of consent is also new in the 2020 specifications, referring to the express authorization from the personal information subject to allow the specific processing of his or her personal information. Such consent includes authorization through positive actions (i.e., explicit consent), and also authorization through negative inaction (e.g., the personal information subject does not leave the information collection area after being told of the information collection behavior).
New Provisions on Using Personal Information
In the era of big data, information personalization is a key requirement. Based on the collected personal information, the business operators conduct data analysis to form user profiling, and recommend appropriate products to the individual, which may cause concerns pertaining to personal information security. In this regard, the 2020 specifications add the requirements of user profiling, personalized display, and convergence of personal information to respond to such concerns.
User Profiling (Arts. 3.8 and 7.4)
User profiling means the process of conducting analysis or forecasting of a natural person’s personal characteristics in order to create a unique model of his or her personal characteristics. Characteristics used in this process include occupation, financial conditions, health, education, personal preferences, credit, behavior, etc.
The 2020 specifications prohibit the personal information controllers from describing the characteristics of the personal information subject through prohibited contents such as pornography and superstitions. They are also protected from discrimination due to nationality, race, etc. There are restrictions on utilizing user profiling in business operation or external business cooperation. For example, no infringement is allowed upon the legitimate rights or interests of citizens.
Personalized Display (Arts. 3.16 and 7.5)
Personalized display means that information contents are displayed to, and the search results of products or services are provided for, a personal information subject based on personal information such as web browsing history, hobbies, consumption records, and habits of the specific personal information subject.
When the personalized display is used in the provision of business functions to the personal information subject, the personal information controllers are required to significantly distinguish the content of personalized display and the content of non-personalized display. Significant distinguishing includes, but is not limited to, marking words such as “directed pushing” or display via different columns, sections, pages, etc. Especially, for e-commerce services, the personal information subject shall be provided with an option that is not targeted at his or her personal characteristics; when providing news or information services, the personal information controllers should fulfill the obligation of providing exit options and deleting or anonymizing relevant personal information after the exit.
Convergence of Personal Information (Art. 7.6)
For the convergence of personal information collection based on different business purposes, the personal information controllers should; (1) comply with the requirements of limits on the use of personal information; and (2) carry out personal information security impact assessment and take effective personal information protection measures according to the purpose for which the personal information is used after convergence.
New Provisions for Third-Party Access Management (Art. 9.7)
Currently, it is very common for third parties to process personal information for personal information collectors. Compared with personal information collectors, the collection of personal information by third parties is relatively hidden and users are generally unable to track the final flow of information and determine the purpose of use. The data processing activities of third parties may violate the users’ right with the risk of data leakage. Accordingly, provisions regarding third-party access management are added in the 2020 specifications to strengthen the supervision and examination responsibilities of personal information controllers, such as the following:
- The access management mechanism and workflow, and security assessment mechanism if necessary, should be established by personal information controllers for the third-party product or service.
- The security responsibilities of the parties and the personal information security measures to be implemented should be clarified through contracts or other agreements between personal information controllers and third-party product or service providers.
- Third parties are required to obtain the necessary authority and consent to collect personal information from the personal information subject, and when necessary, personal information controllers should verify the way in which the third parties fulfill the same.
Currently, more and more attention is being paid to cybersecurity and personal information protection in China. Although the 2020 specifications are not compulsory standards, as the most basic, important, and extensive national standards in the field of personal information security, the 2020 specifications provide significant reference for enterprises, personal information subjects, and law enforcement agencies. Accordingly, we strongly recommend that business operators review and update their current policies regarding personal information protection to comply with the 2020 specifications. Enterprises should also pay close attention to the release of relevant regulations and standards in the future, as well as law enforcement practices, and timely adjust their business practices and compliance policies.