On Feb. 1, China’s National Information Security Standardization Technical Committee introduced proposed revisions to the national standard Personal Information Security Specification (ref. GB/T 35273–2017) for public consultation. On Feb. 2, the China Cyber Security Review Technology and Certification Center announced that the personal data protection compliance program of some companies, including Alipay, Tencent Cloud and others, have passed certification based on the National Standard. In this article, we look at the proposed revision to the National Standard and the development of a certification scheme in China. These two developments would be looked at together with the joint announcement made by four ministries of China that intends to curb certain privacy practices such as bundled consent throughout 2019.
Proposed revision to China's National Standard
Effective May 1, 2018, the National Standard was applauded for providing clarity on what is expected for data protection compliance programs in China. Although the National Standard is a recommended standard and is not mandatory for companies to adopt, Chinese authorities have been using the National Standard in various law enforcement actions to assess whether a company has met the requirement of “implementing technical and other necessary measures to protect personal data” as required under the Cybersecurity Law. The National Standard has been functioning as China’s de facto “soft law” for some time, making it critical for companies to evaluate personal data protection program benchmarking against the National Standard. The revisions to the National Standard indicate the regulators’ expectation on companies’ compliance with the CSL.
Consent requirement and the lawful basis for processing of personal data
Coerced, bundled or "take-it-or-leave-it" consent is explicitly discouraged. The consent requirement is clear to have at least affirmative action such as opt-in and shall also provide an opt-out mechanism. Where the data subject refused to give consent, the controller shall refrain from frequently seeking consent, suspending its function, or lowering the service level.
Other than the general requirement on consent, there is a specific requirement on consent to processing the activities of core and extended function. The core function refers to meeting the requirements of consumers from the consumers’ perspective. In the proposed revision, there are some factors that have been proposed to help identify core function and extended function. Improvement of product or services, enhancement of user experience or R&D would not be classified as core functions. Consent for data processing necessitated by core function requires affirmative action after the data subject has been provided with a privacy policy, and the controller can refuse to provide services if the data subject refuses to give consent. This is essentially the current requirement for consent. However, for extended function, the consent to these processing activities requires just-in-time notice and opt-in for each of the processing activities under such extended function. A privacy dashboard may be one option where the consumers are given a genuine choice to consent.
The revised draft of the National Standard proposed to remove “performance of contract” from the existing exceptions to consent requirement. The purpose of the proposed revision is to avoid the misuse of the “performance of contract.” As in practice, it is not uncommon that companies might draft a contract that bundles the consent to various data-processing activities, which is exactly what the regulators try to address. If the processing of personal data is truly necessary for the performance of a contract or necessary for concluding a contract with the data subject, the processing of personal data would still be permissible provided that the data subject has been provided with sufficient privacy notice. This is because the data subject as the party to such contract is not likely to withhold the consent to such processing of personal data when signing or agreeing to such contract if they wants to enjoy the benefits of the contract.
For data protection practitioners, it is common to look at the different lawful basis for processing activities under the EU General Data Protection Regulation or any GDPR-influenced laws. There is no other choice of lawful basis other than consent in China. The predominant consent-based regime has faced various challenges, so it is innovative that China has chosen a different path to resolve the issue of bundled consent or coerced consent.
Opt out of personalized display or personalized advertisement
Having seen the Joint Announcement, it is not surprising to see that the proposed revision to the National Standard also includes the same requirements that the controller provides opt-out mechanisms for personalized display or listing or personalized advertisement. In addition to the opt-out mechanism, the controller shall clearly mark the personalized advertisement or personalized display.
Accountability and documentation requirement
This draft of the revised National Standard introduced a documentation requirement similar to Article 30 of the GDPR. The documentation shall include processing activities by following the lifecycle of the data.
The National Standard has not yet fully incorporated accountability requirements. Having said that, we have seen in various law enforcement actions related to data protection, that companies under investigation oftentimes were first asked by Chinese authorities to provide proof of compliance.
Due diligence and control over third-party API
In the proposed revisions, the National Standard also shed light on the expectation on control over third-party application programming interface when it is neither processor nor joint controller. Such expected controls include a contract with a third party, risk assessment, requirement that a third party obtain valid consent from data subjects and comply with data subject requests, and monitoring the compliance with the law by the third-party API. The potentially contentious requirement is that the controller is encouraged to do testing and regular audit over the third-party code, script, or any other third-party tool. The proposal of revision does not make this a requirement but only something to encourage.
In the first draft of the National Standard, the controller is required to conduct certain due diligence on the data protection compliance but not to the same extent as required in a controller-to-processor data sharing under the GDPR. The extent of due diligence for the controller to conduct on a processor remains substantially unchanged in the proposed revised draft of the National Standard.
Appointment of a responsible person or office for data protection
The proposed revision includes further clarification on the circumstances where the appointment of a responsible person or office for data protection is required: 1.) where the principal business involves processing of personal data and there are more than 200 people involved in such processing activities; or 2.) processing of more than 1 million people’s personal data or the processing of personal data of 1 million people accumulative over a period of 12 months. The revision goes on to spell out the responsibilities and requirements.
Data breach reporting threshold
Article 42 of China’s CSL provides data breach reporting requirement to both Chinese authorities and the affected data subject. In the revised draft of the National Standard, the threshold for reportable data breach to the Cyberspace Administration of China is where the breach involves more than 1 million people’s personal data or if it involves sensitive personal data that may impact public interest or society as a whole, such as genetic information or biometric data. Notice to affected subjects is necessary when the data breach may have a significant impact on the data subject.
Certification scheme – China’s “privacy seal”
Although the Information Security Certification Centre set up its website and advertised the certification services in June 2018, no companies have been reported certified until recently, and not much has been shared with the public detailing the methodology of certification. It is not clear whether the companies that have been certified would be immune from regular inspections by the Ministry of Public Security or other authorities. The ISCCC’s website provides a channel to receive complaints against the certified companies, and this would place these companies under public monitoring. It is too early to say that this certification scheme would eventually become a “privacy seal of China” before we know the consumers’ perception of these companies that have been certified. As mentioned earlier, the Chinese regulators are promoting the self-regulatory model on data protection; hence, the certification scheme would be one ideal approach to demonstrate a company’s compliance with the CSL.
What else to expect in 2019
Personal data protection law has been on the legislators’ agenda in 2018, along with the data security law. We will see if we can get the first draft of personal data protection law in 2019 considering there was a draft of China data protection law a decade ago. The previous draft of personal data protection law proposed by academia modeled the 95 EU directive on data protection. It is also worth the wait to see the focus of data security law and how much is different from the personal data protection law. The concept and scope of important data that is in the China CSL have not yet been clarified. The data security law might be the answer to this question.
While it might be some time before we get to see the draft of a data protection law, we might see some implementation rules on China CSL in 2019, including regulations on data security and a cybersecurity multiple-level protection system, and more. It has been almost two years since the first draft of regulations on cross-border data transfer was released in April 2017; we shall see if we also get to see this draft in 2019.
Data protection compliance agenda of 2019
After we have witnessed various critical events on personal data protection, we would suggest companies that operate in China to prepare for the following in 2019.
Data mapping is now necessary
With the newly introduced documentation requirement in the National Standard, it is foreseeable that the regulators would request the inventory of processing activities as a start of investigation or law enforcement.
Legitimate interest does not work in China
If the balancing test has been conducted for the same processing activity in the EU or other countries, there is no harm to bring along the safeguards that have been identified but consent is still required. Multinational corporations’ global privacy policies need tailoring and translation into Chinese. English privacy policies would not be considered “intelligible” for consumers in general in China.
Vendor management is the common pitfall of compliance and could lead to criminal investigation
Oftentimes, many companies rely on the categorization of a controller or processor in the EU to determine the responsibilities toward third parties. Personal data from third-party sources should be one of the key compliance focus in China. We have seen many multinational corporations that intend to use personal data from third-party source dealt with their own paranoia on the safety and legality of data. It is challenging to go through the third party’s compliance with data protection laws in China only for the sake of using certain personal data, but how many extra miles should multinationals go on top of a mere contractual covenant?
“China-specific” add-on is necessary for multinationals’ data protection program in China
We can easily name many of these unusual names or mechanisms that are used in China, e.g., a multiple-level protection system, personal information security impact assessment, security assessment, network contents compliance, etcetera. Multiple-level protection system refers to a set of technical, security and management measures that is mandatory for companies in China to adapt according to the grade of its information system. Each company’s information system will be graded according to the importance to the public interest or society as a whole, and each grade corresponds to a level of protection that is required under a multiple-level protection system. Importing the global data protection compliance program to China would not work to meet various legal requirements, but it would be a good start.
Cross-border data transfer security assessment should be prepared well in advance
Many multinationals would have an information system that is used globally but managed by its headquarters. Based on our experience in representing multinationals in criminal enforcement by the bureau of public security, cross-border data transfer was often a trigger. The critical information infrastructure operator is subject to a general data localization requirement that covers the personal data and important data that is either generated or collected in China. While the CSL and its implementation measures do not require data localization, nor restrict cross-border data transfer for non-critical information infrastructure operator so far, such cross-border data transfer may require prior security assessment according to one draft of the National Standard that was released by TC260 in 2017. In light of the government’s focus on cross-border data transfer,multinationals are recommended to review its cross-border data transfer practices in China (such as remote access to information system located in China or rollout of a global information system to China) and implement appropriate policies and protocols as a safeguard.
Stay tuned on China’s data protection scene in 2019. We will continue to bring you updates.
Comments
If you want to comment on this post, you need to login.