On April 11, 2019, the People’s Republic of China’s Network Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institution of the Ministry of Public Security jointly released a “Guide to Protection of Security of Internet Personal Information (the “Guide”). The Guide presents itself as a reference, rather than a legally-enforceable regulation, but how it will interact with cybersecurity-related law, regulations and standards in practice remains to be seen.
Scope of Application
The Guide applies to both information controllers and processors, and explicitly states that it is relevant for Internet service providers and for organizations and individuals controlling or processing personal information through a private network or an offline environment. It also defines “use of personal information” expansively, as referring to any operation of personal information through automatic or unautomated means, such as recording, organizing, storing, re-editing/alteration, search, consultation, disclosure, spread/providing in other means, adjustment/combination, restriction or deletion.
The Guide has three main focuses: (1) the management regime, (2) technology measures for security, and (3) business procedures to regulate protection of personal information.
Collection of Personal Information
The Guide prohibits the large-scale collection or processing of Chinese citizens’ sensitive personal information, such as race, nationality, political view and religious belief, and specifies that covered entities may only collect and use the summary information of personal biometric information (rather than collecting the original information). Additionally, it obligates covered entities to scrutinize the collected information and prevent illegal contents from submission. This is a new requirement; covered entities were not required to screen personal information in this way under either the Cybersecurity Law of China which became effective on June 1, 2017 (the “Cybersecurity Law”) or Information Security Technology – Personal Information Security Specification (GT/T 35273 – 2017) which became effective on May 1, 2018 (the “Specification”).
In cases where user-profiling technology is based on automatic processing and used for precision marketing, search result ranking, personalized news feed, targeted advertising or relevant value-added applications, users’ opt-in authorization is not required but users are entitled to reject or object to such use of their information. In contrast, in cases where the same technology is used for credit rating services, administrative judicial decisions or other value-added applications which may result in legal consequences, or use by different network operators, individuals must grant consent for such use of their relevant personal information. The Guide’s application of distinct standards of consent for particular uses of automatically processed user-profiling technology is a first for China.
Entrustment of Processing
The Guide provides that, after completing necessary processing of personal information, the data processor who is entrusted to process the relevant personal information shall delete the personal information it stores. Such a deletion requirement was never clearly required by either the Cybersecurity Law or the Specification.
Disclosure of Personal Information
The Guide prohibits publicly disclosing physiological information (e.g., biometric information and information concerning genes and diseases) and the analyses of sensitive information (e.g., a Chinese citizen’s race, nationality, political view or religious belief), without exception.
If there is a security incident, the Guide requires that personal data holders promptly report the incident to the Ministry of Public Security. The draft Regulation on Cybersecurity Classification Protection, earlier released by the Ministry of Public Security, stipulates that network operators must report security incidents to the local public bureau within 24 hours. The Guide’s use of “promptly” suggests that the 24-hour reporting requirement might be deleted in the final version of the Regulation on Cybersecurity Classification Protection.