On July 26, four Chinese agencies, the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MoPS”), and the National Standards Committee, announced their plan to begin the government’s campaign to improve the protection of personal information, according to Xinhua News Agency (link is in Chinese). The campaign, called “Action Plan to Improve Personal Information Protection,” will start with the audit of privacy policies of the ten most popular online services in China.
This development signals the government agencies’ increased focus on companies’ data protection practices. Companies operating in China should consider reviewing their privacy policies and data practices in country to conform with legal requirements and best practices.
Background: Draft Personal Information Standard
As discussed in our previous post, CAC is leading the effort to develop a comprehensive data protection national standard, namely Information Security Technology – Personal Information Security Specification (the draft “Personal Information Standard”). The CAC issued and received public comment on the draft Personal Information Standard in January 2017, and the draft Standard is expected to be finalized soon.
The Xinhua article notes that, at first, ten popular Chinese online services will be audited, including: WeChat, Sina Weibo, Taobao, JD.com, Alipay, AMAP, Baidu Maps, DiDi, Umetrip and Ctrip. These services cover sectors where personal information is actively collected, such as social media, e-commerce, online payment, digital mapping, and ticket booking sites.
The audits will examine “how personal information is collected and the types of personal information involved,” “how users are informed about the usage of their data (e.g. whether it would be used for user-profiling purposes or whether commercial advertisements will be delivered using personal information,” and “how clearly users are informed of their rights to access or delete their personal information, and whether there are any restrictions on these rights,” and so on.
Regulators aim to summarize and publicly release the results of the audit in mid-to-late September, hoping that doing so will encourage an industry-wide push to increase protections for personal information.