On July 26, four Chinese agencies, the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MoPS”), and the National Standards Committee, announced their plan to begin the government’s campaign to improve the protection of personal information, according to Xinhua News Agency (link is in Chinese).  The campaign, called “Action Plan to Improve Personal Information Protection,” will start with the audit of privacy policies of the ten most popular online services in China.

Officials from CAC’s Cybersecurity Coordination Bureau indicated that the privacy policy audit is an important step to implement China’s new Cybersecurity Law, which took effect on June 1, 2017.  Through this process, the regulators will balance the protection of personal information with the use of data to improve services for Chinese users.

This development signals the government agencies’ increased focus on companies’ data protection practices.  Companies operating in China should consider reviewing their privacy policies and data practices in country to conform with legal requirements and best practices.

Background: Draft Personal Information Standard

As discussed in our previous post, CAC is leading the effort to develop a comprehensive data protection national standard, namely Information Security Technology – Personal Information Security Specification (the draft “Personal Information Standard”).  The CAC issued and received public comment on the draft Personal Information Standard in January 2017, and the draft Standard is expected to be finalized soon.

With a scope comparable to other modern data protection standards such as the General Data Protection Regulation, the draft Personal Information Standard regulates the collection, use, storage, and processing of personal information.  Personal information controllers and processors are expected to abide by the principles, protocols, and security requirements specified therein.  Among other things, the draft Personal Information Standard requires personal data controllers to formulate and publish their privacy policies, and it provides a privacy policy template that is likely to be used in this audit to assess companies’ privacy policies.

Privacy Policy Audits

The Xinhua article notes that, at first, ten popular Chinese online services will be audited, including: WeChat, Sina Weibo, Taobao, JD.com, Alipay, AMAP, Baidu Maps, DiDi, Umetrip and Ctrip.  These services cover sectors where personal information is actively collected, such as social media, e-commerce, online payment, digital mapping, and ticket booking sites.

The audits will examine “how personal information is collected and the types of personal information involved,” “how users are informed about the usage of their data (e.g. whether it would be used for user-profiling purposes or whether commercial advertisements will be delivered using personal information),” and “how clearly users are informed of their rights to access or delete their personal information, and whether there are any restrictions on these rights,” and so on.

Regulators aim to summarize and publicly release the results of the audit in mid-to-late September, hoping that doing so will encourage an industry-wide push to increase protections for personal information.

While no penalties for unsatisfactory privacy policies are currently expected, large Chinese companies providing online services appear to be paying more attention to their privacy policies.  For example, AMAP, the largest digital map provider in China, released a new version of its privacy policy on July 28 in accordance with the latest version of the draft Personal Information Standard.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as one of Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.