On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology – Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.

Though not legally binding, the Specification is considered best practice for private companies when formulating compliance programs. Furthermore, government enforcement authorities may, in practice, look to the Specification as a reference point for all companies when conducting enforcement.

In general, the structure of this Updated Draft Specification is the same as previous versions. The main changes relate to consent (Section 3.7), the prohibition against compelling users to consent to multiple business functions (Section 5.3), personalized display (Section 7.5), account cancellation (Section 7.12), data processing by a third party (Section 8.1), sharing and transferring personal information (Section 8.2), and co-controllers of personal information (Section 8.6).

Consent

The Updated Draft Specification clarifies appropriate formats for obtaining consent and provides that both expressed and implied consent are acceptable. In addition, oral as well as written statements are considered valid forms of consent.

Prohibition against Compelling Users to Consent to Multiple Business Functions

Under the Updated Draft Specification, data controllers are prohibited from requesting that data subjects consent to the collection of personal information for the purposes of improving service, upgrading data subjects’ personal experience, developing new products and enhancing security.

Personalized Display

When displaying business functions to data subjects, data controllers shall make an explicit distinction between personalized display and non-personalized display. Personalized display refers to activities that present information, such as search results, to the data subject based on the data subject’s personal information – such as the subject’s browsing history, interests and preferences, consumption records and habits.

For e-commerce services that display search results for products and services in a personalized format, the data controller shall also provide the option of displaying results based on non-personal factors.

If data controllers send news via push notification through personalized displays, they are no longer required to indicate “personalized display” or “targeted push” on the notification itself. However, data controllers shall provide a simple and straightforward way to withdraw from or close personalized display mode. If the data subject chooses to withdraw from or close personalized display mode, the data controller shall provide the option of deleting or anonymizing personal information used for targeted push activities.

Account Cancellation

The Updated Draft Specification provides more detailed requirements for facilitating account cancellation.

  • Data controllers shall set up a convenient interactive page for account cancellation and respond to cancellation requests from the data subject in a timely manner.
  • If the account cancellation needs to be processed manually, processing shall be completed within 15 days.
  • Personal information required to verify identity for account cancellation shall not be more than that collected for registration and use of the service.
  • Data controllers shall not place unreasonable conditions on, or make extra requests for, account cancellation.
  • Data controllers shall clearly state how they handle the sensitive personal information collected for account cancellation (e.g., deletion or anonymization of sensitive personal information upon cancellation).

Processing by a Third Party

If the data controller is aware of or finds that the third party does not conduct data processing or protect personal information as required, the data controller shall stop the third-party processing of data and take effective remedial measures. Where necessary, data controllers shall terminate the business relationship with such a third party and request that the third party delete personal information obtained from the data controller.

Sharing and Transfer of Personal Information

Data controllers shall execute relevant agreements with data recipients specifying the data recipients’ rights and obligations. In cases where a data controller finds that a data recipient has violated the law or the agreement, the data controller shall stop the data recipient’s processing of data and take effective remedial measures. Where necessary, data controllers shall terminate the business relationship with such data recipients and request that the data recipients delete personal information obtained from the data controller.

Co-controllers of Personal Information

In the event that the data controller and the third party are co-controllers of personal information, the data controller and the third party shall execute a relevant agreement specifying the respective obligations of the data controller and the third party regarding personal information protection. Data subjects shall be informed of these obligations. If the data controller fails to inform data subjects of the third party’s identity and the obligations of the data controller and the third party, the data controller shall be liable for the third party’s actions.

View the February 1, 2019, amended draft (in Chinese).