Takeaways

The New Specifications address many hot-spot issues with respect to the collection and use of personal information by business operators in China, such as personal biometric information, excessive collection of personal information, third-party access and personalized display. They provide detailed requirements on practices adopted by business operators and rights and remedies available to individuals.
The New Specifications are not a law or regulation that requires mandatory compliance. However, Chinese government agencies rely on them as a standard to determine whether companies are following China’s data protection rules. Business operators (both foreign-invested and Chinese-invested companies) that collect or process personal information in China should check their current practices against the New Specifications to identify and minimize their potential risks.
The New Specifications were officially published after three rounds of public comment in 2019 and address many hot-spot issues and concerns faced by individuals on the one hand, and business operators on the other hand. While both the 2017 Version and the New Specifications are recommended national standards in nature and therefore not mandatory, they are considered best practices in the PRC, and the Chinese governmental authorities rely on them as a standard to determine whether companies are following China’s data protection rules during enforcement actions. In fact, the 2017 Version has been an important reference for national and local government authorities in formulating regulations involving protection of personal information.

Both foreign-invested and PRC-invested business operators that collect and use personal information in the course of business should take the New Specifications seriously. This alert covers major updates the New Specifications have made to the 2017 Version.

1.  Highlights of the New Specifications

The New Specifications consist of 11 sections and 4 appendices. The key sections set forth rules and standards concerning (i) the collection, storage and use of personal information, (ii) the rights of personal information subjects (i.e. individuals whose personal information is collected), (iii) third-party involvement, (iv) response to security incidents, and (v) security administration of personal information controllers (e.g. business operators that collect personal information).

The New Specifications and the 2017 Version apply to “personal information controllers” (i.e. any private or public organization that has the authority to determine the purposes, means or method of processing personal information). 

The highlights of the New Specifications include (but are not limited to) the following:

  • Separate notice and explicit consent are required for the collection of personal biometric information. As a principle, raw personal biometric information should not be stored.
  • Personal information controllers should divide their business functions into basic and extended functions and allow individuals to select functions at will. Separate consent from the owner of the personal information must be obtained for the selection of each basic function and extended function.
  • Personal information controllers should take necessary measures (e.g. security assessment on third parties, disclosure to and consent from individuals, and contractual agreement on allocation of responsibilities) to ensure that personal information is well protected in case of access by third parties.
  • Personal information controllers should distinguish between personalized display and non-personalized display and allow individuals to control the degree and extent to which their personal information can be used to generate a personalized display.

The following sections discuss these highlights of the New Specifications in more detail.

2.  New Requirements on Personal Biometric Information

There has been a growing concern with respect to possible over-collection and misuse of facial recognition information and other biometric information. The New Specifications set forth special requirements during the full life cycle of personal biometric information (which is defined under the New Specifications to include gene, fingerprint, voiceprint, auricle, iris, recognizable facial features, etc.).

1.  Collection: A personal information controller should separately inform the individual of the purpose, manner and scope of the personal biometric information to be collected and used, as well as storage period and other rules, and should obtain explicit consent from the individual.

2.  Transmission: A personal information controller should adopt necessary security measures (e.g. encryption) to transfer personal biometric information as required by the applicable laws and regulations.

3.  Storage: Personal biometric information should be stored separately from personal identification information. As a principle, raw personal biometric information (e.g. samples and images) should not be stored, and measures that can be taken by personal information controllers include:

a.  only storing summaries of personal biometric information that cannot be used to trace back to or re-generate raw personal biometric information;

b.  using personal biometric information directly on terminals where such information is collected to realize the relevant business functions (e.g. ID recognition and/or verification);

c.  deleting raw personal biometric information after that information is used to realize the relevant business functions (e.g. ID recognition or verification).

4.  Share and Transfer: As a principle, personal biometric information should not be shared with or transferred to any third party. Where it is necessary to do so, the personal information controller should separately inform the individual of the purpose, the types of information concerned, and the identity and capabilities of the third party, and obtain explicit consent.

5.  Disclosure: Personal biometric information should not be disclosed.

3.  Different Business Functions to be Distinguished to Prevent Excessive Collection

Some websites and apps ask users to grant an overall authorization to collect and use personal information for using the websites and apps. If the individual refuses to grant such an authorization, he/she will not be able to use the website or the app. This practice may result in excessive collection of personal information, since an individual may only need to have access to partial services for which only part of the personal information requested by the website/app is necessary.

The New Specifications require a personal information controller to distinguish between basic business functions and extended business functions and not to bundle these functions together. A personal information controller should inform individuals of each extended business function and should obtain explicit consent from individuals to collect the personal information necessary for the use of each extended business function.

In addition, a personal information controller should provide easy ways for individuals to opt out of certain business functions, and opting out should be made as convenient as opting in to those business functions. If the individual chooses to opt out of a certain business function, the personal information controller should stop collecting personal information for that function. An individual’s refusal to grant consent or his/her withdrawal of consent for the extended functions should not affect his/her use of the basic functions.

The New Specifications particularly provide that a personal information controller is not allowed to force an individual to grant consent for the collection of personal information solely for the purpose of improving service quality, improving user experience, developing new products or enhancing security.

4.  More Detailed Requirements on Third-party Access to Personal Information

The New Specifications set forth detailed requirements on personal information controllers under various scenarios where a third party has access to personal information collected by a personal information controller, which include (i) designation of third parties to process personal information, (ii) sharing or transferring personal information to third parties (including in case of mergers, acquisitions, restructuring and bankruptcy), and (iii) third-party plug-ins.

A personal information controller is required to take necessary measures to monitor third parties and ensure that personal information is duly protected:

  • conduct security assessment on the capabilities of the third party and its proposed work plan with respect to the personal information;
  • disclose to individuals that a third party will have access to and process their information;
  • obtain, or require the third party to obtain, explicit consent from the individuals;
  • clearly set forth responsibilities of the personal information controller and the third party in contract or other forms;
  • require the third party to establish a mechanism for responding to user requests and complaints and make it available to individuals;
  • monitor third-party practices and require timely correction in case of any breach by the third party.

5.  More Power for Individuals to Control Personalized Display

Personalized display is defined by the New Specifications to refer to the display of information or search results to an individual based on the internet browsing history, hobbies and interests, consumption history, habits and other personal information of that specific individual. While personalized display has been widely used in internet advertising and news feeds, it is also considered to infringe upon an individual’s freedom of choice. The New Specifications contain requirements that provide individuals with more power to control personalized display.

First, a personal information controller should distinguish between personalized display and non-personalized display by using “personalized display” or similar notation.

Second, when a business operator provides personalized display of products, services or other search results to a customer based on his/her hobbies and interests or consumption habits, the business operator shall also provide a non-personalized display to the customer at the same time.

Third, an individual should be provided with easy ways to opt out of or turn off personalized display, and after the individual chooses to do so, the business operator should provide a display that is generated after deleting or anonymizing the personal information of the individual.

Fourth, a personal information controller should allow individuals to control the degree and extent to which their personal information can be used to generate a personalized display.

6.  Conclusions

As compared to the broad and vague terms under the PRC Cybersecurity Law, the New Specifications provide business operators with detailed and practical guidelines for the collection and use of personal information. As noted above, while the New Specifications are not mandatory, they are the most comprehensive and practical standards under the PRC legal regime to govern the personal information practice by business operators and are viewed by legislators and enforcement authorities as an important reference.

Both foreign-invested and PRC-invested business operators should review their current practices in connection with the New Specifications and determine whether any improvement needs to be made.
