China’s national standard on personal information protection, officially entitled GB/T 35273-2017 Information Technology – Personal Information Security Specification will come in to effect on May 1, 2018. Although the Standards are only recommendations for now, they could be deemed mandatory at a later date. The Standards are an important development as they explain critical data protection concepts introduced in China’s Cybersecurity Law (CSL) and set forth best practices for the collection, retention, use and sharing of personal information. What is clear is that China is moving forward with building out a national data regulatory regime with major implications for international interoperability of Chinese and foreign companies.
The Standard applies to “personal information controllers,” namely any private or public organization that has “the power to decide the purpose and method” of processing personal information. This is seemingly modelled on European law’s “data controller” concept. The Standard regulates the use of “personal information” by these controllers, a term largely aligned with strict conceptualizations of “personal data” under the EU’s General Data Protection Regulation (“GDPR”).
- Responsibilities of the data controllers-
The controllers are responsible for compliance with applicable laws and regulations in the collection, retention, use, sharing and transfer of personal information, as well as in handling data breaches. They are recommended to follow basic principles relating to the processing of personal data, including lawfulness, fairness, transparency, necessity, proportionality, data minimization and security, as well as risk assessment.
- What comes under personal information-
Under the Specification, sensitive personal information includes ID card numbers, biological identifying information, bank accounts, religious belief, and sexual orientation. In addition, personal information relating to minors under 14 years old is generally deemed to be sensitive personal information.
There are also 4 appendices attached to the PI Specification:
- Examples of personal information
- Determining sensitive personal information
- Method for obtaining explicit consent from data subject when (i) collecting sensitive personal information; or (ii) sharing, transferring or disclosing personal information
Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks. According to conversations with those in China involved with shaping the system, the data protection regime addresses three categories-
- Personal Information
- Data Transfer
- Data Management/Governance
If an individual refuses to consent to the ancillary uses of their data, the collector/controller may decline to provide the additional services, but may not cease or degrade the provision of core business products and services to that individual. Since the effectiveness of the Specification is subordinated to the Cyber Security Law, it is possible that the authorities and courts may take a strict approach to interpreting the exemptions under the Specification, making them available in only limited circumstances.