With the Cybersecurity Law (CSL) closing its first year of enforcement, supporting regulations and standards are continuously being drafted and published, whether to further regulate the cross-border transfer of personal information and important data or to give companies a clear guide on how to comply with the new data protection framework set by the CSL. One of those standards is the Information Security Technology — Personal Information Security Specification. Published Jan. 24, 2018, on the website of the National Information Security Standardization Technical Committee (TC260), the specification became effective May 1, 2018.
What legal value does the specification have?
To understand the importance of the specification, we must first define its normative value within the Chinese data protection and cybersecurity legal ecosystem. On Nov. 4, 2017, the Standing Committee of the National People’s Congress issued the 2017 revision of the Standardization Law. This revision, effective Jan. 1, 2018, renewed the national ecosystem of standards. Regarding national standards, Article 2 of the Standardization Law distinguishes between mandatory national standards, which carry the GB prefix, and recommended national standards, which carry the GB/T prefix. In principle, recommended national standards are not directly binding, as conformity with them is only encouraged. The specification’s standard number is GB/T 35273-2017, so it is a recommended national standard and, in principle, voluntary. As such, it should be understood as guidance.
An interesting point for legal specialists is that the specification is a theoretical successor to GB/Z 28828-2012, a national guiding technical document titled Information Security Technology — Guidance on Protection of Personal Information in Public and Commercial Service Information Systems. It was published Nov. 15, 2012, by the TC260, the same committee that published the specification. We can conclude that the specification draws its principles and content from concepts that were examined and put into standards at least five years earlier.
Understanding the enforcement mechanisms of the specification
If the specification is only a recommended national standard, why is it considered a major development in data protection in mainland China? The reason is that the specification is meant to support enforceable and binding regulatory texts.
First, the specification should be used to interpret provisions of the CSL more precisely, especially those of its Chapter 4. Where Article 41 of the CSL requires that consent be obtained prior to the collection and use of personal information, Article 5.3 of the specification details the form that consent should take, while Article 5.4 of the specification lists the exceptions in which consent is not required. Article 42 of the CSL provides that network operators (a notion close to that of data controllers) should notify data subjects following the discovery of a personal information leak. This obligation is further documented in Articles 9.1 and 9.2 of the specification, which cover how to assess when such a notification should be made and what it should contain.
Beyond the CSL, the specification is also meant to support administrative regulations issued by the competent authorities, such as the Cyberspace Administration of China, which published for comment the Administrative Measures on the Security Assessment of the Cross-Border Transfer of Personal Information and Important Data on April 11, 2017. While the draft measures do not directly reference the specification, they rely on another standard, which provides the framework for the security self-assessment that the measures require prior to any cross-border transfer of personal information and important data. This standard, the Information Security Technology — Guidelines for Data Cross-Border Transfer Security Assessment, was published for comment on Aug. 25, 2017, by the TC260. The standard in turn uses the specification to quantify the personal sensitive information involved in a cross-border transfer, an input to the risk assessment that is the core component of the security self-assessment. Without compliance with the specification, the personal sensitive information cannot be properly quantified; the security self-assessment then cannot be completed, which in turn prevents compliance with the measures. By serving as a supporting interpretation to a standard that itself supports an administrative regulation, the specification acquires an indirect binding effect.
A more detailed classification of personal information
If one key point should be taken from the specification, it is the extension of the CSL’s concept of personal information through a non-exhaustive list, in Annex A of the specification, of the types of information that can be considered personal information. There are in total 12 categories of personal information, with a supplementary 13th “other” category:
- Basic personal information, such as a first name.
- Personal identity information, such as a passport number.
- Biometric information, such as fingerprints.
- Network identity identification information, such as an email address together with its password.
- Personal health and physiological information, such as medical records.
- Personal academic information, such as highest degree held.
- Personal asset information, such as bank account number.
- Personal communication information, such as emails.
- Personal contact information, such as the data subject’s list of friends.
- Personal online information, such as a user’s operations recorded in a network log.
- Personal equipment information, such as a device’s MAC address.
- Personal location information, such as a person’s GPS coordinates.
This extended and non-exhaustive definition of personal information is a major warning for compliance officers: the scope of personal information in mainland China is wide, and the general protective regime applies to all of it.
Another critical concept to take from the specification is the definition of personal sensitive information in Article 3.2: personal information that, if leaked, illegally disclosed or misused, could endanger personal or property safety, damage a person’s reputation or physical or mental health, or lead to discriminatory treatment. The definition is supported by a long list of personal information deemed personal sensitive information in Annex B. The list has five main categories, all of which also appear in Annex A:
- Personal asset information, such as bank account number or credit information.
- Personal health and physiological information, such as a person’s illnesses or medical records.
- Biometric information, such as fingerprint or iris information.
- Personal identity information, such as the national identity number or a passport number.
- Network identity identification information, such as an email address together with its password, or a person’s digital certificate.
It is important to note that not only is this list non-exhaustive, but it is also followed by a sixth “other” category, which includes information recognized as sensitive personal data in the EU, such as a person’s sexual orientation, but also information that can be considered common, such as a personal phone number.
More important elements from the specification
Beyond a more developed concept of personal information, the specification provides further guidance on multiple data protection areas, including the following four notable ones:
- Article 5.5 creates a specific consent framework for the collection and use of personal sensitive information, supported by Annex C, which explains the methods for obtaining that consent.
- Article 5.6 gives a clear list of the information a privacy notice must contain for consent to be informed, a core component of consent collection in mainland China.
- Article 7.7 gives data subjects a right to withdraw consent and reaffirms the obligation to obtain prior and explicit consent from data subjects when personal information is used for direct marketing.
- Annex D provides a sample privacy notice with accompanying explanations, to help companies draft their own from the elements given in the sample.
While examining the specification may be difficult for companies without a data protection and cybersecurity specialist fluent in Chinese, its importance cannot be overstated in any compliance program targeting mainland China. No attempt to comply with the Chinese data protection and cybersecurity legal framework can succeed while ignoring the specification, or any other recommended national standard leveraged by a law such as the CSL or by an administrative regulation such as the measures. Foreign companies doing business in mainland China should include the specification, as well as the draft standards still to be finalized, in their legal monitoring to support their compliance efforts.