On July 26, four Chinese agencies, the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MoPS”), and the National Standards Committee, announced their plan to begin the government’s campaign to improve the protection of personal information, according to Xinhua News Agency (link is in Chinese). The campaign, called “Action Plan to Improve Personal Information Protection,” will start with the audit of privacy policies of the ten most popular online services in China.
Officials from CAC’s Cybersecurity Coordination Bureau indicated that the privacy policy audit is an important step to implement China’s new Cybersecurity Law, which took effect on June 1, 2017. Through this process, the regulators will balance the protection of personal information with the use of data to improve services for Chinese users.
This development signals the government agencies’ increased focus on companies’ data protection practices. Companies operating in China should consider reviewing their privacy policies and data practices in country to conform with legal requirements and best practices.
Background: Draft Personal Information Standard
As discussed in our previous post, CAC is leading the effort to develop a comprehensive data protection national standard, namely Information Security Technology – Personal Information Security Specification (the draft “Personal Information Standard”). The CAC issued and received public comment on the draft Personal Information Standard in January 2017, and the draft Standard is expected to be finalized soon.
With a scope comparable to other modern data protection standards such as the General Data Protection Regulation, the draft Personal Information Standard regulates the collection, use, storage, and processing of personal information. Personal information controllers and processors are expected to abide by the principles, protocols, and security requirements specified therein. Among other things, the draft Personal Information Standard requires personal data controllers to formulate and publish their privacy policies and provides a privacy policy template that is likely to be used in this audit to assess companies’ privacy policies.
Privacy Policy Audits
The Xinhua article notes that, at first, ten popular Chinese online services will be audited, including: WeChat, Sina Weibo, Taobao, JD.com, Alipay, AMAP, Baidu Maps, DiDi, Umetrip and Ctrip. These services cover sectors where personal information is actively collected, such as social media, e-commerce, online payment, digital mapping, and ticket booking sites.
The audits will examine “how personal information is collected and the types of personal information involved,” “how users are informed about the usage of their data (e.g. whether it would be used for user-profiling purposes or whether commercial advertisements will be delivered using personal information),” and “how clearly users are informed of their rights to access or delete their personal information, and whether there are any restrictions on these rights,” among other matters.
Regulators aim to summarize and publicly release the results of the audit in mid-to-late September, hoping that doing so will encourage an industry-wide push to increase protections for personal information.
While no penalties for unsatisfactory privacy policies are currently expected, large Chinese companies providing online services appear to be paying more attention to their privacy policies. For example, AMAP, the largest digital map provider in China, released a new version of its privacy policy on July 28 in accordance with the latest version of the draft Personal Information Standard.