It will be a happening year for the personal data protection scene in China. In the very first month of 2019, China has indicated its determination to protect personal data by making various positive moves under its current legal framework.

First, on Jan. 25, four Chinese ministries — the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation — released a joint announcement that intends to curb certain privacy practices, such as bundled consent, throughout 2019 and promotes a certification scheme. Second, on Feb. 1, China's National Information Security Standardization Technical Committee released proposed revisions to the recommended national standard Personal Information Security Specification (ref. GB/T 35273–2017) for public consultation. Third, on Feb. 2, China's Cybersecurity Review Technology and Certification Center announced that the personal data protection compliance programs of some companies, including, among others, Alipay and Tencent Cloud, have passed certification based on the national standard.

These coordinated efforts showcase Chinese authorities’ determination to strengthen personal data protection with both carrots and sticks, encouraging companies to self-regulate by improving and certifying their data compliance programs, and in the meantime, engaging in more proactive law enforcement on personal data protection.

Now, these four ministries are ready to showcase their "combo." Part two of this update, featured in tomorrow's edition of the Daily Dashboard, will provide you with a summary of proposals of major revisions to the national standard as well as the development of the certification scheme in China. 

Joint announcement

The joint announcement by the ministries was made under the existing legal requirements on data protection, including, but not limited to, China's cybersecurity law, China's consumer protection law, and other laws and regulations.

Discouragement against bundled consent
The joint announcement adds more flavor to the consent requirement for the processing of personal data. Under China's cybersecurity law, the only lawful basis for the processing of personal data is consent, but the law does not further specify the requirements for consent or how consent shall be obtained. The joint announcement requires the controller to provide a privacy notice in intelligible, clear and concise wording and to obtain freely given consent from data subjects. Bundled consent, or the “take-it-or-leave-it” approach, is outright discouraged.

Core function vs. extended function national standard
TC260, China Consumers Association, Internet Society of China, and the Cybersecurity Association of China are called out in the joint announcement to prepare a new national standard on core function and extended function. These four organizations will provide guidelines to clarify the key focus of law enforcement against app operators that are not in compliance with China's cybersecurity law. The differentiation of core function and extended function would be a very innovative attempt by China to address data subject consent in different processing activities. The core function refers to the function that meets the requirements of consumers from the consumers’ perspective. Other functions are extended functions. Different requirements (e.g., consent) are expected for core functions and extended functions.

These four associations are also expected to continue the testing of apps to see if they comply with China's cybersecurity law. CCA did a sweep of privacy policies of 100 apps with the national standard as the benchmark and tested whether their privacy practices conform to their privacy policies in November 2018. There was extensive media coverage of the CCA’s testing. Companies that do not comply with the cybersecurity law or collect personal data excessively run a significant reputational risk and may draw the attention of the regulators. There were many enforcement actions in 2018 to investigate the privacy lapses of companies that do not comply with the law.

Encouragement for providing opt-out mechanism for online behavioral advertising
In the joint announcement, app operators are encouraged to provide an opt-out mechanism for online behavioral advertisement or personalized recommendations, as well as displays for news, feeds or advertisement.

Promotion of certification scheme
The joint announcement notes that one of the benefits of getting the certification is that the apps these companies operate would be able to list ahead of competing apps in the same category on app stores or enjoy preferential listing in a search engine. (More on this in part two.)

The four ministries reiterated in the joint announcement that the legal ramifications of violating China's cybersecurity law include rectification orders, fines (up to 10 times the illegal gain, or up to RMB 1 million in the absence of illegal gain), suspension of business, and/or revocation of relevant permits or business licenses. The Ministry of Public Security will continue to enforce the law and combat crimes that infringe on rights to data protection. If the personal data has not been obtained lawfully, according to Chinese laws and regulations, and the number of data subjects whose personal data have been collected illegally reaches the threshold of criminality (i.e., 50, 500 or 5,000 depending on the sensitivity of each category of personal data), such illegal obtainment of personal data is criminalized, and companies that violate this law may face corporate liability (i.e., fines), and their directly responsible management personnel may face up to three to seven years' imprisonment.

The criminal investigation is not exclusive to Chinese companies that engage in the sale or misuse of illegally obtained personal data; there have been examples of multinational companies' Chinese subsidiaries that were investigated by local bureaus of public security.