China: Important Clarifications and Changes to China’s Data Privacy Standards

Important updates to China’s de facto data privacy regulations will come into force on 1 October 2020. The amendments to the Personal Information Security Specification (“PIS Specification”) comprise important clarifications rather than substantial changes to the existing regulations. This additional guidance on the practical steps needed to comply with China’s data privacy framework is good news for organisations operating in China. Helpfully the final version also more closely aligns with other recent laws (such as the PRC E-Commerce Law and the PRC Encryption Law), and does not change significantly from earlier drafts.

Key points to note:

  • Personal information: important clarifications on the definitions of “personal information” and “sensitive personal information”, focusing on topics that are very attuned to local China trends:
    • Businesses will be relieved to see that mobile phone numbers and network ID information are no longer considered sensitive personal information;
    • More generally, the appendix to the existing PIS Specification that previously “defined” sensitive personal information by reference to a list of types of data should now be treated as more illustrative. As such, certain specific types of data – a notable example being contact lists on mobile devices – will now be considered “sensitive personal information”. Therefore, organisations should review their sensitive personal information classifications with reference to the “risk of harm” test to individuals rather than relying on a definitive list;
    • There is now also helpful clarification as to what specific types of situations do and do not constitute collection of personal information when tracking device locations. Additional guidance on this is expected via the draft TC260 standards mentioned below;
    • There is also a particular focus on the handling of biometric data, and there is new, useful guidance provided on defining and handling such data; and
    • Separately the de-identification guidelines (e., Information Security Technology – Guidelines for De-Identifying Personal Information) have also been finalized. They came into force on 1 March 2020. This means that the practical steps for organisations to “de-identify” (i.e., anonymize) personal information have been set. That said, there remains uncertainty around the handling of anonymised data in China.
  • Consent:
    • Concerns had been expressed that the amendments to the PIS Specification would impose more stringent consent requirements. However, in the end, the amendments simply clarify how to obtain consent and specify when bundled consent is not acceptable;
    • International businesses should also note the recent draft TC260 standards (Information Security Technology – Guidelines for Personal Information Notices and Consent) which issues practical guidelines on drafting compliant personal information protection notices and consent language in addition to guidance on how to obtain consent; and
    • The amendments also give a helpful explanation of how and when the (albeit) limited statutory exemptions to obtaining consent may be applied.
  • Governance: some key changes have been introduced, specifically:
    • The thresholds for appointing a data protection officer (“DPO”) has changed as follows:
      • 200 employees or actual/anticipated handling of 1,000,000 (rather than 500,000) pieces of personal information;
      • or handling over 100,000 pieces of sensitive personal information.

However, we have seen international businesses increasingly appointing a local DPO as matter of course anyway (for effective communication with regulators) regardless of the thresholds;

    • The amendments emphasise and clarify record-keeping obligations around establishing, maintaining, and renewing records of personal information processing and their content. In practice, international businesses can use their GDPR record-keeping processes as a good base point for China compliance; and
    • There has been an interesting terminology change: the amended PIS Specification refers to “personal information protection” policy/notice etc. rather than “privacy”. This reflect broader data management obligations instead of a focus solely on individual privacy concerns.

 

  • Data processors: the amendments provide much clearer guidance on contractual and operational steps that personal information controllers must take when engaging and managing third party personal information processors. In particular (and similar to international best practices), due diligence, appropriate contractual standards, and ongoing monitoring should be undertaken.

 

  • Data subject rights: detailed practical guidelines are provided on how to manage data subject requests, notably requests to de-register accounts (which is a fairly unique right in China).

 

  • Monitoring: ongoing monitoring by organisations of their compliance is further encouraged. Separately recently-published content regulations also require additional content monitoring, so organisations should focus in the coming months on their internal and third party monitoring and oversight functions.

Unfortunately the amendments to the PIS Specification do not provide much-sought-after clarification on overseas transfer, or localisation, of personal information. Organisations should review and update their China privacy compliance programmes in light of the above, and continue to monitor changes as the China privacy landscape continues to evolve.

To discuss any questions or what this could mean for your organization, please contact Carolyn Bigg (partner, Hong Kong), a member of our Data Protection, Privacy and Security team, or your usual DLA Piper contact.