Both foreign-invested and PRC-invested business operators that collect and use personal information in the course of business should take the New Specifications seriously. This alert covers major updates the New Specifications have made to the 2017 Version.
1. Highlights of the New Specifications
The New Specifications consist of 11 sections and 4 appendices. The key sections set forth rules and standards concerning (i) the collection, storage and use of personal information, (ii) the rights of personal information subjects (i.e. individuals whose personal information is collected), (iii) third-party involvement, (iv) response to security incidents, and (v) security administration of personal information controllers (e.g. business operators that collect personal information).
The New Specifications and the 2017 Version apply to “personal information controllers” (i.e. any private or public organization that has the authority to determine the purposes, means or method of processing personal information).
The highlights of the New Specifications include (but are not limited to) the following:
The following sections will discuss in more details these highlights of the New Specifications.
2. New Requirements on Personal Biometric Information
There has been a growing concern with respect to possible over-collection and misuse of facial recognition information and other biometric information. The New Specifications set forth special requirements covering the full life cycle of personal biometric information (which is defined under the New Specifications to include genes, fingerprints, voiceprints, auricles, irises, recognizable facial features, etc.).
1. Collection: A personal information controller should separately inform the individual of the purpose, manner and scope of the personal biometric information to be collected and used, as well as the storage period and other rules, and should obtain explicit consent from the individual.
2. Transmission: A personal information controller should adopt necessary security measures (e.g. encryption) to transfer personal biometric information as required by the applicable laws and regulations.
3. Storage: Personal biometric information should be stored separately from personal identification information. As a principle, raw personal biometric information (e.g. samples and images) should not be stored, and measures that can be taken by personal information controllers include:
a. only storing summaries of personal biometric information that cannot be used to trace back to or re-generate raw personal biometric information;
b. using personal biometric information directly on terminals where such information is collected to realize the relevant business functions (e.g. ID recognition and/or verification);
c. deleting raw personal biometric information after that information is used to realize the relevant business functions (e.g. ID recognition or verification).
5. Sharing and Transfer: As a principle, personal biometric information should not be shared with or transferred to any third party. Where it is necessary to do so, the personal information controller should separately inform the individual of the purpose, the types of information concerned, and the identity and capabilities of the third party, and obtain explicit consent.
5. Disclosure: Personal biometric information should not be disclosed.
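The storage rules above (store only a non-reversible summary, use the sample on the collecting terminal, discard the raw sample, and keep biometric data apart from identity data) can be modelled in code. The following is an added example, not part of the alert or of the New Specifications; the class and function names are assumptions, and the feature extractor is a deliberately crude stand-in for a vendor template encoder.

```python
"""Added example: life-cycle handling of a biometric sample that follows
the storage rules described above. Names and the feature extraction are
assumptions; a real system would use a vendor template format."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def extract_features(raw_sample: bytes, buckets: int = 8) -> bytes:
    """Assumed stand-in for a biometric feature extractor: coarsely
    quantise the sample into `buckets` values (0..7 each). The property
    relied on here is only that the output is far smaller than the input
    and cannot be turned back into the sample."""
    if len(raw_sample) < buckets:
        raise ValueError("sample too short")
    step = len(raw_sample) // buckets
    chunks = [raw_sample[i * step:(i + 1) * step] for i in range(buckets)]
    return bytes(sum(c) // len(c) // 32 for c in chunks)


class PersonalInfoController:
    """Keeps two deliberately separate stores: identity records never
    contain biometric data, template records never contain identity data,
    and a random token is the only link between them."""

    def __init__(self, summary_key: Optional[bytes] = None):
        # Key for the keyed digest of the feature vector; assumed to live
        # in the controller's key-management system in practice.
        self._summary_key = summary_key or secrets.token_bytes(32)
        self._templates: Dict[str, bytes] = {}   # token   -> summary digest
        self._identities: Dict[str, str] = {}    # user id -> token

    def _summarise(self, raw_sample: bytes) -> bytes:
        features = extract_features(raw_sample)
        return hmac.new(self._summary_key, features, hashlib.sha256).digest()

    def enroll(self, user_id: str, raw_sample: bytes) -> str:
        """Collection on the terminal: derive the summary, file it under a
        fresh opaque token, map the user to the token, and let the raw
        sample go out of scope without ever being written anywhere."""
        summary = self._summarise(raw_sample)
        token = secrets.token_hex(16)
        self._templates[token] = summary
        self._identities[user_id] = token
        return token

    def verify(self, user_id: str, raw_sample: bytes) -> bool:
        """ID verification: the raw sample is consumed on the terminal and
        compared in constant time; only the yes/no result leaves."""
        token = self._identities.get(user_id)
        if token is None:
            return False
        return hmac.compare_digest(self._templates[token], self._summarise(raw_sample))

    def retains_raw(self, raw_sample: bytes) -> bool:
        """Audit helper: true if either store holds the raw sample as-is."""
        stored = [*self._templates.keys(), *self._templates.values(),
                  *self._identities.keys(), *self._identities.values()]
        return any((v.encode() if isinstance(v, str) else v) == raw_sample
                   for v in stored)

    def template_records(self) -> Dict[str, bytes]:
        return dict(self._templates)

    def identity_records(self) -> Dict[str, str]:
        return dict(self._identities)


if __name__ == "__main__":
    # Constructed sample: 256 bytes standing in for a captured image.
    controller = PersonalInfoController()
    sample = bytes(range(256))
    controller.enroll("alice", sample)
    print("match:", controller.verify("alice", sample))
    print("raw retained:", controller.retains_raw(sample))
```

The split into two stores is what makes a breach of either one far less damaging: the template store alone names nobody, and the identity store alone contains nothing biometric.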
3. Different Business Functions to be Distinguished to Prevent Excessive Collection
Some websites and apps ask users to grant an overall authorization to collect and use personal information for using the websites and apps. If the individual refuses to grant such an authorization, he/she will not be able to use the website or the app. This practice may result in excessive collection of personal information, since an individual may only need to have access to partial services for which only part of the personal information requested by the website/app is necessary.
The New Specifications require a personal information controller to distinguish between basic business functions and extended business functions and not to bundle these functions together. A personal information controller should inform individuals of each extended business function and should obtain explicit consent from individuals before collecting the personal information necessary for each extended business function.
In addition, a personal information controller should provide easy ways for individuals to opt out of certain business functions, and opting out should be made as convenient as opting in to those business functions. If the individual chooses to opt out of a certain business function, the personal information controller should stop collecting personal information for that function. An individual’s refusal to grant consent or his/her withdrawal of consent for the extended functions should not affect his/her use of the basic functions.
The New Specifications particularly provide that a personal information controller is not allowed to force an individual to grant consent for the collection of personal information solely for the purpose of improving service quality, improving user experience, developing new products or enhancing security.
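The consent rules in this section amount to a small policy: basic functions justify collecting their data items without a separate consent, extended functions justify collection only while the individual's consent stands, withdrawal must be as easy as granting, and a function that exists only to improve quality, user experience, new products or security cannot be made a precondition of service. The following added example (not from the alert; the class names and the reading of "basic" as "mandatory" are assumptions) encodes that policy as a consent ledger.

```python
"""Added example: a per-function consent ledger reflecting the basic /
extended distinction described above. Names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Set


class Kind(Enum):
    BASIC = "basic"         # needed to deliver the service at all
    EXTENDED = "extended"   # optional; needs its own explicit consent


# Purposes for which the text says consent may not be forced.
NON_FORCIBLE_PURPOSES = frozenset({
    "improving service quality", "improving user experience",
    "developing new products", "enhancing security",
})


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    kind: Kind
    data_items: FrozenSet[str]   # personal information items it needs
    purposes: FrozenSet[str]     # stated purposes of the collection


class ConsentLedger:
    def __init__(self, functions: Iterable[BusinessFunction]):
        self._functions: Dict[str, BusinessFunction] = {}
        for f in functions:
            self._validate(f)
            self._functions[f.name] = f
        self._consents: Dict[str, Set[str]] = {}  # user -> consented extended functions

    @staticmethod
    def _validate(f: BusinessFunction) -> None:
        """A function whose only purposes are the non-forcible ones cannot
        be declared basic, since basic functions are a precondition of use."""
        if f.kind is Kind.BASIC and f.purposes and \
                {p.lower() for p in f.purposes} <= NON_FORCIBLE_PURPOSES:
            raise ValueError(f"{f.name!r} cannot be a basic function: "
                             f"consent for {sorted(f.purposes)} may not be forced")

    def grant(self, user: str, function: str) -> None:
        """Explicit opt-in to one extended function."""
        if self._functions[function].kind is not Kind.EXTENDED:
            raise ValueError(f"{function!r} is basic and needs no separate consent")
        self._consents.setdefault(user, set()).add(function)

    def withdraw(self, user: str, function: str) -> None:
        """Opt-out: one call, symmetrical with grant, no questions asked."""
        self._consents.get(user, set()).discard(function)

    def justifications(self, user: str, item: str) -> List[str]:
        """Functions that currently justify collecting `item` from `user`."""
        consented = self._consents.get(user, set())
        return sorted(
            f.name for f in self._functions.values()
            if item in f.data_items
            and (f.kind is Kind.BASIC or f.name in consented)
        )

    def may_collect(self, user: str, item: str) -> bool:
        """Collection stops the moment no function justifies it."""
        return bool(self.justifications(user, item))


# Constructed catalogue for demonstration.
CATALOGUE = [
    BusinessFunction("account", Kind.BASIC, frozenset({"phone"}),
                     frozenset({"service delivery"})),
    BusinessFunction("recommendations", Kind.EXTENDED,
                     frozenset({"browsing_history", "phone"}),
                     frozenset({"improving user experience"})),
]

if __name__ == "__main__":
    ledger = ConsentLedger(CATALOGUE)
    print(ledger.may_collect("u1", "browsing_history"))  # no consent yet
    ledger.grant("u1", "recommendations")
    print(ledger.justifications("u1", "phone"))
```

Note that withdrawing consent for "recommendations" removes the justification for collecting browsing history but leaves the phone number collectable, because the basic "account" function still needs it; that is the rule that refusal or withdrawal for extended functions must not affect use of the basic functions.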
4. More Detailed Requirements on Third-party Access to Personal Information
The New Specifications set forth detailed requirements on personal information controllers under various scenarios where a third party has access to personal information collected by a personal information controller, which include (i) designation of third parties to process personal information, (ii) sharing or transferring personal information to third parties (including in the case of mergers, acquisitions, restructuring and bankruptcy), and (iii) third-party plug-ins.
A personal information controller is required to take necessary measures to monitor third parties and ensure that personal information is duly protected:
5. More Power for Individuals to Control Personalized Display
Personalized display is defined by the New Specifications to refer to the display of information or search results to an individual based on the internet browsing history, hobbies and interests, consumption history, habits and other personal information of that specific individual. While personalized display has been widely used in internet advertising and news feeds, it is also considered to infringe upon an individual’s freedom of choice. The New Specifications contain requirements that provide individuals with more power to control personalized display.
First, a personal information controller should distinguish between personalized display and non-personalized display by using “personalized display” or similar notation.
Second, when a business operator provides a personalized display of products, services or other search results to a customer based on his/her hobbies and interests or consumption habits, the business operator should also provide a non-personalized display to the customer at the same time.
Third, an individual should be provided with easy ways to opt out of or turn off personalized display, and after the individual chooses to do so, the business operator should provide a display that is generated after deleting or anonymizing the personal information of the individual.
Fourth, a personal information controller should allow individuals to control the degree and extent to which their personal information can be used to generate a personalized display.
As compared to the broad and vague terms under the PRC Cybersecurity Law, the New Specifications provide business operators with detailed and practical guidelines for the collection and use of personal information. As noted above, while the New Specifications are not mandatory, they are the most comprehensive and practical standards under the PRC legal regime to govern the personal information practice by business operators and are viewed by legislators and enforcement authorities as an important reference.
Both foreign-invested and PRC-invested business operators should review their current practices in connection with the New Specifications and determine whether any improvement needs to be made.
Pillsbury’s experienced crisis management professionals are closely monitoring the global threat of COVID-19, drawing on the firm's capabilities in supply chain management, insurance law, cybersecurity, employment law, corporate law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 resources page.