What is the national standard for personal data
China’s National Standards on Information Security Technology-Personal Information Security Specification came into force on May 1 2018. They stipulate that explicit consent is required for collection of sensitive personal
Personal information security impact assessments are also required for outsourcing of data processing, sharing and transfer of personal information, and the disclosure of personal information to the public. Any requests to access, collect and delete personal information must be responded to within 30 days. For data breach notification, a specific incident response plan is required together with regular review of the
How does the national standard for personal data protection relate to the Cybersecurity Law?
The new standard refers to the Cybersecurity Law as a
Clarice Yue, counsel at Bird & Bird, observes that in 2018 the Cyberspace Administration of China specifically expressed concern over a potential violation of the new standards when enforcing the Cybersecurity Law and considering the manner in which Alipay and Sesame Credit Management collected personal information in China. While the Cybersecurity Law sets out broad principles of data protection, the national standard for personal data protection contains detailed explanations of many relevant requirements and provides practical guidance to data controllers.
How does it relate to the GDPR?
The new standard’s principles and concepts are very similar to the General Data Protection Regulation
Michelle Chan, partner at Bird & Bird, observes that, for instance, the new standards include references to accountability, requirements to appoint data protection officers in certain circumstances, requirements to conduct data protection impact assessments, and concepts such as anonymisation, de-identification or pseudonymisation.
On the other hand, there are some aspects of the new standard which embody requirements that are quite unique to China. Chan explained that, for example, consent of data subjects is a key legal basis for collection and processing of personal data and there are very few other legal bases available. The definition and scope of sensitive personal information is also very broad in China, and includes items of data such as email address, personal phone number and residential information. There are some very specific and detailed requirements on the consent that needs to be obtained for collection and processing of sensitive personal
Although the standard incorporates and contains a considerable number of provisions of the OECD privacy framework and the EU’s GDPR, it generally follows and incorporates the principles set forth in the Cybersecurity
"Compared to the GDPR, it places more emphasis on the obtaining of data subjects’ express consent on collection, use and processing of personal information," said Zhenyu Ruan, partner at Baker McKenzie.
The standard recommends that the privacy notice and the obtaining of consent from data subjects by the data controller/data processor should be differentiated based on the intended purpose of collection and use of personal information, that is, whether the personal information collected will be used for the provision of core services or for non-core or add-on services.
"This is rather innovative, as proper use of this service function or purpose specific approach could help data controllers/data processors to better control the potential risk of non-compliance with the data privacy protection requirements," said Ruan.
What are businesses finding most
There are a number of areas that businesses find challenging under the new standards. "In particular, the standards contain some very intricate requirements on consent that needs to be obtained for collection and processing of sensitive personal information," said Yue.
The definition of sensitive personal information includes some items of information which are not generally expected to be sensitive, such as email address, personal phone number and
"Many businesses find the requirements on collection and processing of sensitive personal information unduly complicated and burdensome to implement," said Chan.
For instance, businesses need to identify the core purposes and ancillary purposes for collection of sensitive personal information and obtain separate consent for each item of sensitive personal information that is collected for ancillary
Other complex areas include what needs to be included in privacy statements, which businesses in China will now need to provide to data subjects under the
"The standard contains a list of such content, but when read in conjunction with the model privacy statement included in the annex, some businesses have expressed concern that the privacy statements may become an unduly complex and long document which, when presented to consumers, may not be an easy document to digest," said Yue.
Some businesses are finding that while the provisions contained in the standard are detailed and specific, these provisions may not be sufficiently relevant to their daily
"Corporations whose business does not involve or necessitate frequent collection and processing of personal information could find it administratively cumbersome to adopt the recommended practices contained in the standard," said
A commonly-asked question by businesses is whether the provisions are practically feasible and meaningful for their handling of their employees’ personal information, either in the course of HR management or daily business
Which areas lack clarity?
The area that is least clear to businesses is how the new standards will be enforced.
"Given that some of the requirements are indeed quite onerous, businesses are quite concerned as to the extent to which they should comply with the requirements and the risks of enforcement for not fully complying," said Chan.
Although there are no specific penal provisions under the new standards, their close relationship with the Cybersecurity Law means that the requirements should not be taken lightly. This uncertainty will only be addressed when actual enforcement actions are taken referencing non-compliance with the new standards.
Ruan notes that the brief section 8.3 concerning transfer of personal information in the context of M&A or restructuring requires further and more practical guidance. Additionally, Ruan observes that the details concerning cross-border transfer of personal information are left to the pending guidelines for security assessment of the provision of personal information and important data overseas.