China's Personal Information Standard: The Long March to a Privacy Law
(2017) 150 Privacy Laws & Business International Report 25-28
8 Pages Posted: 4 Mar 2018
Date Written: December 1, 2017
A recommended standard entitled ‘Information Security Techniques - Personal Information Security Specification’ (the ‘Standard’), was circulated by China’s National Standardization Committee in late 2017, and provides the most detailed specifications yet for how Chinese authorities will interpret and apply existing data privacy laws to private and public-sector entities. [Authors’ Note: The Standard was officially released on 29 December 2017, after publication of this article, and will become effective on 1 May 2018.]
We have assessed the data privacy provisions of the 2016 Cybersecurity Law as ‘China’s most comprehensive and broadly applicable set of data privacy principles to date’, going beyond the five main laws and regulations dealing with data privacy enacted from 2011-14, but that it is still missing several common elements found in other jurisdictions’ data privacy laws, such as explicit user access rights, requirements on data quality and special provisions for sensitive data, as well as no specialist data protection authority (DPA). The omission of the first of these -- explicit subject access rights -- means that China’s law does not yet include one of the most fundamental elements of a data privacy law.
In this article, we examine the additional elements the Standard brings to our understanding of the 2016 Cybersecurity Law, and whether it advances China on its long march towards a national data privacy law. Our overall conclusion is that the Standard is an important step forward in the evolution of China’s data privacy protections because of its comprehensive scope; the potential breadth of its definition of ‘personal information’; inclusion for the first time of extra protections for ‘personal sensitive information’; explicit inclusion of a right access; collection minimization, and appeals against automated processing. This article discusses a draft Standard, from which the final Standard may diverge.
The most significant implications of this Standard for businesses operating in China are:
● Its application to all private sector organisations involved in ‘personal information processing’, whether customers, employees or others.
● The definition of ‘personal information’ could potentially be interpreted more broadly than under some European or similar laws, even if it is not intended to be broader that the full scope of EU definitions. Therefore, considerable care must be taken in any use of any data relating to a person, at least until the approach of Chinese authorities is clear.
● The definition of ‘personal sensitive information’ is both open-ended, but also with named categories much broader than in many other laws, thus requiring great care.
● The suggested obligations in relation to subject access, minimum collection of data, and restrictions on automated processing, because these are not found in other laws.
Keywords: privacy, data protection, cybersceurity, China, standard
Suggested Citation: Suggested Citation