China’s Standardization Administration recently released a long-awaited national standard related to personal information. Entitled Information Security Technology — Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013. The Guidelines are voluntary and lack the force of law. They nevertheless clarify key expectations for relevant actors collecting personal information (“PI”) and outline how PI is to be handled in four phases: collection, processing, transfer, and deletion, with voluntary requirements for each phase. The Guidelines also set out eight “basic principles” for handling of PI within China.
China has two types of standards: mandatory and voluntary. As a voluntary standard, the Guidelines may impact companies operating in China in two principal ways. First, while the Guidelines lack the force of law, they might serve as a regulatory baseline for PRC judicial and law enforcement authorities to judge a company’s data privacy efforts in criminal or civil litigation or in administrative proceedings. Second, the Guidelines may reflect an evolving consensus among China’s policy-makers regarding data privacy that may be further extended in subsequent binding legislation. In particular, the voluntary nature of the Guidelines, along with the creation of the industry self-regulatory group discussed below, may indicate that China intends to place greater emphasis on self-regulatory efforts in its emerging data privacy protection framework.