Personal information security specification

On 29 December 2017 the Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification （GB/T 35273-2017）(the “Specification”), which will come into effect on 1 May 2018. Although the Specification is not a mandatory regulation, it nonetheless has a key implementing role in relation to China’s Cyber Security Law (“Cyber Security Law”) in respect of protecting personal information in China. In this client update we address the key requirements of the Specification in relation to collecting personal data from either employees or third parties. Such requirements give rise to significant compliance issues for business operations in China. We set out some guidance in relation to such issues.

Comparing the definition of “personal information” under the Cyber Security Law with that under the Specification, the latter expressly expands the scope of personal information to cover (in addition to the personal identity information) information reflecting the activities of certain individuals, including the personal location, personal correspondence records, online browsing history and so forth.

The expanded definition is consistent with the definition of “personal information” used in several newly-drafted regulations, such as the draft Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (which remains in draft as at the date of this client update). The expanded scope reflects a trend among the relevant authorities of providing more comprehensive criteria as to what constitutes personal information, casting the net more widely.An appendix attached to the Specification sets out typical examples of what constitutes personal information as a practical guidance in relation to screening personal data.

The Specification introduces a concept of “sensitive personal information”, distinguishing such information from other personal information. Sensitive personal information is any personal information which, if lost or misused, may endanger personal security or property, cause damage to personal reputation, mental health and physical health, or lead to discriminatory treatment.

Under the Specification, sensitive personal information includes ID card numbers, biological identifying information, bank accounts, religious belief, sexual orientation (other typical sensitive personal information is listed in the appendix to the Specification). In addition, personal information relating to minors under 14 years old is generally deemed to be sensitive personal information.

The Specification sets out different rules regarding the collection and use of personal sensitive information. We set the details out below.

Minimization principle

The minimization principle requires that the type of personal information to be collected should be directly related to carrying out a relevant business activity or service; and the frequency and amount of personal information should be limited to the minimum standard necessary for performing the business activity or service. In practice, whether the minimization principle has been properly complied with in collecting the personal information shall be determined on case-by-case basis.

Prior consent from individuals

Similar to the Cyber Security Law, the Specification confirms that the basic principle for legally collecting personal information consists of the following: (i) the collecting entity needs to explicitly notify relevant individuals of the rules regarding collecting personal information; and (ii) the collecting entity shall obtain consent from relevant individuals.

As a supplement to the general principle under the Cyber Security Law, the Specification sets out different types of requirements for respective categories of collecting personal information. These are set out as follows:

1. directly collect personal information
   
   Prior to collecting personal information from individuals directly, the collecting entity shall keep the individuals informed of the rule for collection and use of personal information, which includes, among others, type of personal information collected by respective function of the business/service, the purpose of collecting and using personal information, the method and frequency of collection, the time and place of storage of personal information and so forth. The entity is also obligated to get individuals’ prior consent on the collection of personal information.
   
   
2. indirectly collect personal information
   
   It is not uncommonly seen in practice that personal information from individual employees or consumers has been collected by and transferred/shared by a third party agent. The Specification expressly defines such business arrangements as being indirect collection of personal information, in respect of which the collecting entity shall request the supplier to provide the original source of such personal information and to verify the legitimacy of such personal information.
   
   Under the Specification the obligation to get consent from individuals is imposed on the third party supplier as a direct information collector, but the indirect collecting entity has to determine the scope of such consent by individuals and ensure that the use of such information does not exceed the authorized scope. With the Specification becoming effective soon, businesses ought to be revisiting their contractual arrangements with third party agents now, especially focusing on the compliance obligation clauses.
   
   
3. collect sensitive personal information
   
   Collecting sensitive personal information results in the application of more strict criteria from a compliance aspect. For instance, explicit consent from certain individuals is a must for collecting personal information, which is required to be given on a voluntary, detailed and explicit basis. The Specification also contains template function interfaces to illustrate how to obtain explicit and voluntary consent from individuals when collecting their sensitive personal information.
   
   We strongly recommend that businesses review the notification of collecting personal information they currently use in order to make sure that their protection standards at least equal or are higher than those required under the Specification.

The Specification provides a few exceptions to the consent requirement. In the following circumstances the collection and use of personal information can be carried out without prior consent by individuals:

• collecting personal information directly related to national security, public interest, judicial procedures and so forth;
• collecting personal information for protecting the personal interests, property rights and other significant legal interests of certain individuals where such consent is difficult to obtain;
• collecting personal information from public information disclosed by the individuals voluntarily or from legitimate public news;
• personal information collected for purpose of signing and performing a contract as requested by an individual;
• collecting personal information necessary for maintaining a product or service (for instance, fixing the bugs of software products);
• collecting personal information necessary for legal news reporting;
• collecting personal information for academic research; such personal information shall be de-identified before published; and
• other situations to be specified by laws and regulations

The exempted circumstances set out above are relatively broad and vaguely drafted. The Specification is silent on any detailed mechanism on how to determine whether an exemption might apply - for instance, it does not say whether businesses are obligated or entitled to consult with any authority when intending to rely on an exemption.

In addition, given the Cyber Security Law does not provide for any exemption for mandatory consent in relation to personal information collection, the Specification appears to be inconsistent with the Cyber Security Law. Since the effectiveness of the Specification is subordinated to the Cyber Security Law, it is possible that the authorities and courts may take a strict approach to interpreting the exemptions under the Specification, making them available in only limited circumstances.

If a business proposes to rely on such exemptions to avoid having to obtain consent from individuals, we suggest great care should be taken by the business to determine whether the specific circumstances it seeks to rely on fall squarely within the relevant exemption. A comprehensive review of the details of each case, and consulting with the relevant authorities and legal counsel in advance, is recommended in order to reduce the risk of non-compliance.

Although the Specification is not a mandatory regulation, because it was enacted by the National Information Security Standardization Technical Committee under the lead of the Cyberspace Administration of China, we consider that the Specification could be deemed to be an example of good practice and practical supplementation guidance under the framework envisaged by the Cyber Security Law. Upon the Specification becoming effective, we will continue to monitor any practical cases under the Specification and provide updates on any significant developments.