China’s Standardization Administration recently released a long-awaited national standard related to personal information.  Entitled Information Security Technology — Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013.  The Guidelines are voluntary and lack the force of law.  They nevertheless clarify key expectations for relevant actors collecting personal information (“PI”) and outline how PI is to be handled in four phases: collection, processing, transfer, and deletion, with voluntary requirements for each phase.  The Guidelines also set out eight “basic principles” for handling of PI within China.

China has two types of standards: mandatory and voluntary. As a voluntary standard, the Guidelines may impact companies operating in China in two principal ways. First, while the Guidelines lack the force of law, they might serve as a regulatory baseline for PRC judicial and law enforcement authorities to judge a company’s data privacy efforts in criminal or civil litigation or in administrative proceedings. Second, the Guidelines may reflect an evolving consensus among China’s policy-makers regarding data privacy that may be further extended in subsequent binding legislation. In particular, the voluntary nature of the Guidelines, along with the creation of the industry self-regulatory group discussed below, may indicate that China intends to place greater emphasis on self-regulatory efforts in its emerging data privacy protection framework.


At the Wired for Change conference earlier this week, FTC Chairman Jon Leibowitz noted that the FTC is developing a “nutrition label” for data collection and use, modeled after the nutrition facts label for food and beverages. Leibowitz reportedly said that the agency’s chief technologist and the Bureau of Consumer Protection are working to identify “five essential terms” that should be included in these standardized privacy policies. California Attorney General Kamala Harris, who spoke on the same panel as Leibowitz, supported the idea of food labels for mobile apps, according to reporters’ tweets.

The concept of a nutrition label for privacy has been under discussion in the privacy community for some time.  In July 2001, FTC Commissioner Sheila Anthony suggested that nutrition labels and EnergyGuide labels could serve as models for standardized privacy policies.  Several academics have developed standardized table formats for privacy policies, and research from Carnegie Mellon’s CyLab has found that standardized privacy policy formats allow readers to find information more accurately and quickly. 


China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), has released two draft regulations that could significantly impact how manufacturers of mobile smart devices (such as smartphones) and internet information service providers (“IISPs”) handle users’ personal information in China.
