China Releases National Standard for Personal Information Collected Over Information Systems; Industry Self-Regulatory Organization Established
China’s Standardization Administration recently released a long-awaited national standard related to personal information. Entitled Information Security Technology -- Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013. The Guidelines are voluntary and lack the force of law. They nevertheless clarify key expectations for relevant actors collecting personal information (“PI”) and outline how PI is to be handled in four phases: collection, processing, transfer, and deletion, with voluntary requirements for each phase. The Guidelines also set out eight “basic principles” for handling of PI within China.
China has two types of standards: mandatory and voluntary. As a voluntary standard, the Guidelines may impact companies operating in China in two principal ways. First, while the Guidelines lack the force of law, they might serve as a regulatory baseline for PRC judicial and law enforcement authorities to judge a company’s data privacy efforts in criminal or civil litigation or in administrative proceedings. The Guidelines also may reflect an evolving consensus by China’s policy-makers regarding data privacy that may be further extended in subsequent binding legislation. In particular, the voluntary nature of the Guidelines, along with the creation of the industry self-regulatory group discussed below, may indicate that China intends to place greater emphasis on self-regulatory efforts in its emerging data privacy protection framework.
Further Guidance Provided on “Personal Information” and Notice Requirements
The Guidelines contain a number of provisions significant to companies assessing the current patchwork of PRC data privacy regulation. Most notably, “personal information,” a term long used but never defined in PRC regulation, is defined in the Guidelines as “computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person.” This definition in the Guidelines follows a similar definition of “users’ personal information” (“information that is relevant to users and can serve to identify users solely or in combination with other information”) contained in the recently promulgated Several Provisions on Regulating the Market Order of Internet Information Services (“Market Order Provisions”). The similarity of the two definitions suggests that China’s regulators have coalesced around an official definition for this previously ambiguous term.
The Guidelines divide personal information into “personal sensitive information” and “personal general information,” similar to the distinction in the EU data privacy regime. “Personal sensitive information” is defined as information that would have an adverse impact on the subject if disclosed or altered, while “personal general information” is defined as all personal information other than personal sensitive information. The Guidelines instruct that the specific contents of “sensitive” PI “shall be determined in accordance with the industry’s unique characteristics and the desires of the data subject,” although how this will work in practice, or where final authority rests for this determination, remains unclear. The Guidelines note, however, that sensitive PI may include such items as identity card numbers, race, political viewpoint, religion, or biometric information.
Under the Guidelines, PI may be collected only if the user is notified of the following before collection:
- the purpose of collection;
- the means of collection, specific information collected, and time of retention;
- the scope of use of the collected personal information, including the scope of disclosure or provision of personal information to other organizations and institutions;
- measures for protection of personal information;
- the name, address, and contact information of the collectors;
- risks the user may encounter after providing personal information;
- the consequences if the user is not willing to provide personal information;
- the channel that a user should take when filing a complaint; and
- in circumstances where personal information must be transmitted or entrusted to another organization:
  - the purpose for transmission or entrustment;
  - the specific personal information and scope of use of the transmitted or entrusted personal information; and
  - the name, address, and contact information of the recipient of the entrusted personal information.
If the PI is “sensitive,” the data subject must expressly consent before collection, and evidence of that consent must be retained. If the PI is “general,” tacit consent is assumed unless the data subject expressly objects. The Guidelines give no further guidance on how consent is to be obtained.
Previously, notice requirements have been included in regulations targeting internet information service providers, such as the Market Order Provisions, and in laws targeting entities handling “personal electronic information,” such as the recent Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection. While these provisions mandate a notice requirement, they do not describe what specific information the notice should contain, which has complicated compliance efforts for companies handling PI in China. The more detailed description of notice content in the Guidelines may therefore help organizations design notices and policies.
Significantly, the Guidelines also prohibit overseas transfers of any PI to an entity absent express user consent, government permission, or other explicit legal or regulatory permission. The Guidelines do not explicitly carve out intra-company transfers from this prohibition. This final formulation adds an exception for user consent that was not found in an earlier published draft, although it remains unclear at what time (i.e., prior to transfer or in the original notice) this consent must be obtained.
Self-Regulatory Group Created
As part of the roll-out of the Guidelines, the China Software Evaluation and Test Center (“CSTC”) under the Ministry of Industry and Information Technology held a “Personal Information Protection National Standards Conference” on January 21, 2013, bringing together government officials and representatives of some of China’s largest internet companies such as Baidu and Sina. Following the conference, CSTC announced that it was uniting a coalition of major internet companies, industry associations, and standards testing and evaluation centers to form the “Personal Information Protection Alliance” (个人信息保护推进联盟), an industry self-regulatory group (albeit with some government influence via CSTC) which may, among its several duties, play a consultative role in future legislation. (Many of the companies attending the conference had also played a consultative role during the drafting of the Guidelines.)
The CSTC is also developing, in conjunction with domestic security vendors and research institutions, the “China Personal Information Protection Website” (中国个人信息保护网) to serve as a platform for disseminating information regarding policies, standards, and domestic regulatory efforts relating to PI.
Original news story (Chinese): http://miit.ccidnet.com/art/32561/20130122/4670935_1.html