China’s Personal Information Specifications: Revised

On March 6th, the Standardization Administration of China (SAC) joined with the State Administration for Market Regulation (SAMR) to issue GB/T 35273-2020 《信息安全技术 个人信息安全规范》 , or “Information Security Technology – Personal Information Security Specification,” which will come into effect on October 1, 2020. This 2020 Specification will replace GB/T 35273-2017, which has been in effect since 2017. We wrote about this previous Personal Information Security Specification here.

The 2020 Specification will update and refine the guidelines outlined in the 2017 Personal Information Security Specification. The 2020 Specification is a national standard, referred to as “GB.” Some national standards, like the 2020 Specification, are not mandatory but are recommended guidelines that reinforce the law, and are referred to as GB/T. In this case, the 2020 Specification explains and reinforces China’s 2017 Cybersecurity Law. Though the 2020 Specification is not enforceable by law, the Chinese government uses these standards to evaluate an entity’s compliance with China’s legal guidelines and regulations. The Center for Strategic & International Studies wrote about the previous specification and the ambiguity surrounding how national standards are enforced in China, stating that “the written standard leaves space for interpretation by enforcement authorities whose interests and objectives may not align with the intent of the drafters.” Though the 2020 Specification clarifies issues such as biometric data, multiple business functions, and explicit consent, it is still unclear to what extent the new standard will be enforced in China.

The 2020 Specification outlines that “controllers” are those who collect personal information for providing a product or service. The “subject” is the individual or entity that provides the personal information to the controller. The 2020 Specification seeks to provide the subject with more autonomy in how and when they provide personal information to controllers.

Multiple Business Functions

Article 5.3 of the 2020 Specification states that the controller providing a product or service that requires personal information cannot bundle a subject’s personal information into multiple business functions. If the subject does not specifically authorize the consent to use personal information for a specific business function, the controller may not incentivize the subject by guaranteeing better quality service or increased security in return for authorized consent. If the subject ceases to use a specific business function, the controller cannot continue to use the personal information previously collected.

Explicit Consent

Article 5.4 states that controllers of personal information are required to inform subjects about the scope and purpose of their data collection. When gathering sensitive data (defined as any information that, if leaked or misused, may harm one’s physical or economic security, affect one’s reputation or mental health, or cause deferential treatment), controllers must obtain “explicit consent.” Explicit consent means the subject must provide an authorized statement on either paper or an electronic format affirming the collector the right to process their personal information. A new addition to the 2020 Specification is regulations on the collection and retention of biometric data. In addition to securing the subject’s explicit consent, controllers of biometric data must inform subjects on their intended purposes, method of collection, scope, and storage time. Biometric data includes genetic information, fingerprints, voiceprints, palmprints, auricle scans, iris scans, face scans, etc. When a collector receives biometric data indirectly, they must confirm that the third-party from whom they obtained the data has already received explicit consent from the subjects.

Storage of Personal Information

Article 6 concerns storage periods, anonymization, and de-identification of personal information. Controllers are asked to minimize the storage period of personal information necessary to accomplish their purposes, after which personal information must be anonymized. De-identification must be done as quickly as possible and precautionary measures must be taken to ensure that personal information data will not be re-identified with its subject. When the controller ceases to use the product or service that collected personal information, they must anonymize the data and send a notice to all subjects informing them that their information is no longer being used.

Rights of Personal Information Subjects

The 2020 Specification theoretically guarantees more autonomy for personal information subjects than the previous specification. Article 8 states that controllers shall provide the subject with a method to query a) the type of personal information the controller holds about the subject, b) the purpose of obtaining the personal information, and c) the identity of any third-parties who may be involved with the collection of the subject’s data. If the controller violates any law or any agreement held with a subject, the controller is required to immediately delete all personal information. Controllers must also provide a method for subjects to revoke their authorized consent to access their personal information.

Sharing and Transferring Personal Information

To share and transfer personal information, controllers must a) conduct security impact assessments in advance, b) inform the subject about the purpose of sharing and transferring their personal information, and c) receive the subject’s explicit consent. The 2020 Specification states that, in general, personal information should not be publicly disclosed, unless the controller has conducted necessary security impact assessments in advance, informed the subjects of their intent, received the subjects’ explicit consent, and keeps a detailed record of the public disclosure. However, there are no exceptions to publicly disclosing biometric data, or the analysis results of personal sensitive data, such as race, ethnicity, political views, and religious beliefs.

Cross-Border Transfer of Personal Information

Article 9.8 states that personal information collected and generated in China can be transferred overseas, but the controller must comply with all relevant national regulations and standards.

Personal Information Security Incidents

Controllers must develop a specific and detailed protocol for handling and reporting any personal information security incidents, including regular trainings for any workers who handle personal information. Subjects must be notified immediately if their personal information has been leaked or breached. Controllers should develop security impact assessments, which evaluates what impact the controller’s standards of personal information security have on the legal rights and interests of the subjects.

Though this national standard is “advisory” and does not carry the force of law, foreign companies operating in China should strive to comply fully with this Specification as a “best practices” measure. There have been many questions in the past concerning data transfer overseas and to what extent the Chinese government would allow the sharing of data accrued in China with foreign entities and governments. The Cybersecurity Law, in effect since 2017, states that all information collected in China should remain in China and can only be transferred outside China if absolutely necessary for the needs of the business, according to Article 37. China discourages transferring data out of the country by creating required conditions, also found in Article 37 of the Cybersecurity Law, which requires an entity to conduct security assessments and obtain approval from local cybersecurity authorities before it can transfer data out of the country. The language of the article lacks any detail as to what might qualify as a “necessity” for a foreign entity to transfer data outside in China. One bonus of the 2020 Specification is that it provides a little clarity concerning data localization: Article 9.8 states that personal information collected in China may be transferred overseas, so long as the collector operates in compliance with all relevant national standards. It is important to note that this standard concerns only personal information, and not generalized data.

Though the 2020 Specification clarifies much of what is left unspecified in the Cybersecurity Law, there is still ambiguity surrounding specific procedures such as storage, anonymization, third-party sharing/transferring, etc. For this reason, our China cybersecurity/data privacy lawyers will continue working with Chinese local governmental authorities to confirm that our clients’ business operations are compliant with this new standard.