What impact the updated personal information protection standard has in China?

What impact the updated personal information protection standard has in China?

Overall the 2020 Specification will not lead to drastic changes on how companies process personal information in China, though it provides a good indication of where the authorities are looking at: a digital economy that is keener on protecting personal information and promoting trust through a more regulated personal information protection framework.

On 6 March 2020 the State Administration of Market Supervision and the State Standardization Administration released eight national standards, among which the long awaited update to the national standard on personal information protection: the Personal Information Security Specification GB/T 35273-2020 [信息安全技术个人信息安全规范] (the 2020 Specification). Meant to replace the 2017 version of the Specification, the 2020 Specification first draft saw the light in early 2019 with the objective to improve on its previous version by supplementing it with additional recommendation.

An important note to take is that the 2020 Specification, similar to its 2017 iteration, is a recommended standard. This recommended status means for companies that they are welcomed to comply with the Specification, however only a legislative text can make the Specification mandatory, or when a company claims publicly to comply with it. Changes to the 2017 Specification are numerous and while some are listed in the introduction of the 2020 Specification, those are mostly indication on elements that have been updated or added without further details.

In this short review we will go through three main changes brought by the 2020 Specification, detail them and explain how it can impact companies interested to comply with the Specification.

Breaking down processing activities for specific consent

The first major addition of the 2020 Specification over its 2017 counterpart is a complete sub-section recommending network operators to provide personal information subjects with the possibility to choose between processing purposes when the collection and use of personal information is done for multiple business objectives. Article 5.3 of the 2020 Specification lists recommendation on what personal information controller should do when processing personal information for multiple purposes:

• Personal information controllers should not require consent from the personal information subject to auxiliary processing when such processing has not been used once nor applied for by the personal information subject

• Auxiliary processing should only be performed after collecting the explicit consent of the personal information subject

• Personal information controller should provide an easy way to withdraw consent to any specific processing when multiple processing is involved

• Personal information controller should not constantly remind the personal information subject of the auxiliary processing when consent has been previously refused

• Personal information controller should not be allowed to stop the main processing of personal information when auxiliary processing is refused by the personal information subject

• Personal information controller should not be allowed to force the personal information subject to consent to auxiliary processing for the purpose of improving service quality or user experience

This update to the 2017 Specification would mostly impact personal information controller providing versatile technical solutions such as software as a service or mobile application where the user can use one software for multiple purposes. In such case to comply with the Specification, the personal information controller should make sure in advance that all processing is properly classified, and that the user has proper control over what processing is requested. This update seems mostly in line with user concerns regarding over-collection of personal information, mostly by mobile apps provider that for a type of application (such as a map service) would request multiple information for auxiliary processing that are not necessary for the main purpose of the software.

New framework for tailored content and how it is served

A notable addition to the 2017 Specification is a new sub-section dedicated on tailored content, in particular recommendation on how such content should be served to users and how to provide users with relevant rights for such content. Article 7.5 starts by tackling the question of visibility of tailored content. It clearly recommends that tailored content should be distinctively recognizable from non-tailored content, though it provides personal information controller with flexible means to achieve this goal. It then provides specificities for two type of industries that heavily rely on tailored content by analyzing user’s behavior for profiling and targeted services:

• For e-commerce, it is recommended that they provide users the option to disable tailored content when items are recommended to the user based on their preference. A user that has been browsing watches and who is in Shanghai would do so by selecting such options as stop seeing shops selling watches near their locations.

• For personal information controllers providing news information services, they should provide personal information subject with the possibility to easily exit or disable any tailored content. Also, when such service is exited relevant personal information on which the tailored content is provided should be duly deleted. This would allow users to enjoy an incognito mode when browsing the news, allowing for more diversity.

Finally, the 2020 Specification also recommends that tailored content should be properly integrated to the provided service for the personal information subject to easy control of the level of tailoring that can be achieved. For example, on a website, tailored content could be disabled in a click, or on an app with a toogle button.

Altogether this addition to the 2017 Specification provides for strong pro-privacy vibes by recommending personal information providers to allow personal information subject to recognize and avoid tailored content, in particular for e-commerce and news outlet. This could be linked to the rising concerns that tailored content, in particular for news outlet, can bias what is perceived by the user through the creation of an opinion echo-chamber. For online shop, this could be meant to provide more diversity and a let-intrusive feeling for users.

The addition of a new type of processor relationship: third party access management

Another milestone reached by the 2020 Specification is to provide a new catch for all types of entity processing personal information in addition to personal information controllers, entrusted parties and personal information joint-controllers: Third parties accessing personal information. By adding this new type of processing entity, the 2020 Specification pushes forward specific conditions to put in place for the personal information controller in Article 9.7 when they are dealing with this category of business partners.

For those entities that would process personal information collected by the personal information controller without being requested to do so on their behalf (entrusted parties) and without deciding on the means of processing of the personal information (joint-controller), a strict framework is recommended to be put in place including the following:

• A third-party access management mechanism and workflow in addition to a security assessment

• The responsibility of both parties should be clarified through contract

• When consenting to the processing, personal information subject should be clearly informed of the existence of the third party and the product or service they provide

• All relevant contracts and records should be properly kept to allow consultation from the relevant parties

• If separate, the third party should obtain the authorization and consent from the personal information subject prior to processing their personal information

• The third party should establish a personal information request procedure to deal with request and compliant from personal information subjects

• The personal information control should supervise and invite the third party to improve on their personal information security management

• If the product or service provided by the third party is connected to the third party information systems through scripts, interfaces or anything else, relevant technical testing should be undertaken to ensure that the personal information collection and use meets agreed requirements between the parties, and the third party processing should be audited and potentially shut-down in case of deviation from the agreement

This addition to the 2020 Specification means a lot for users as it would push on personal information controller stronger requirements on vetting their business partners while requiring them to perform some level of due diligence when allowing access to the personal information they provide. It is a welcomed addition since if followed, it would create more privacy-friendly procurement processes. It is likely this addition is related to the increased level of interactions services have with others, in particular social media, thus requiring a dedicated means of protection to protect personal information subjects.

Overall the 2020 Specification will not lead to drastic changes on how companies process personal information in China, though it provides a good indication of where the authorities are looking at: a digital economy that is keener on protecting personal information and promoting trust through a more regulated personal information protection framework.

If you want to know more about the Specification, the Cybersecurity Law and how they fare compared to the General Data Protection Regulation, we can recommend you the latest GDPR v. CSL and Specification that provide a comparison between the legal regimes.

For more information, please contact:

For more information, please contact us:

Dr. Zhong Lin

Partner

Chen & Co. Law Firm

Direct: + 86 21 2228 8358

Email: [email protected]

Galaad Delval

Data protection officer, CIPP/E

Chen & Co. Law Firm

Direct: + 86 21 2228 8330

Email: [email protected]