PRIMER: China’s new personal information security specification
IFLR’s explainer series looks at how firms are preparing for the new rules and what's still unclear
China has changed its personal information security standards to better protect personal data and to bring its guidelines more in line with international standards, such as the GDPR [EU General Data Protection Regulation]. The introduction of personal biometric data is of particular significance.
IFLR’s latest primer looks at how the changes, which will come into effect on October 1 2020, are affecting firms.
What’s new about the personal information security specification?
China’s State Administration for Market Regulation and the Standardization Administration released the personal information security specification on March 6. It covers a wide range of data issues, including collection, storage, use, sharing, transfer, public disclosure and deletion of data. What’s different about the specification from its 2017 version is that it places more emphasis on the will of individuals in deciding whether and when to share their own personal information.
According to Lim May-Ann, executive director of the Asia Cloud Computing Association, one positive of the update is that it still includes international concepts such as consent, data use limitations, ability and the right of users to correct data, and requests for data removal.
“These are legal concepts which find resonance and equivalents in other data privacy laws, such as the GDPR, APEC Privacy Principles, ASEAN Data Privacy Framework, and other country laws,” says Lim.
The specification also introduces the idea of personal biometric information, which is treated as a new data category by the law.
What aspects lack clarity?
Lim says that there are subjective areas where the guidelines will require further discussion and clarification, such as what would constitute major public interest, national security, and national defence security. These justifications for bypassing certain data privacy safeguards, such as authorised consent to collect data, will probably still cause government surveillance concerns, as the exceptions are broadly defined.
Samuel Yang, partner at Anjie Law Firm, says that for the localisation/cross-border transfer of personal information, the specification only stipulates that data controllers should comply with ‘relevant provisions and standards’ when transferring personal information abroad. It is unclear whether this is referring to the 2017 cybersecurity law.
What aspects are businesses finding most challenging?
International businesses would not find these regulations out of step with international norms but there are some unique concepts which are introduced, such as biometric data. However, these are an extension of the existing personally identifiable information data which companies collect. Businesses are advised to conduct comparative studies with markets in which they are already compliant.
“Businesses, especially micro, small and medium-sized entreprises that are struggling with business uncertainty, will find that getting up to speed on the compliance with the specification would be challenging, as there probably will be a tightening of budgets to address the likely recession caused by Covid-19,” says Lim. “Some companies may be reluctant to spend money on compliance to protect personal information.”
Yang adds: “As personal information compliance requirements are relatively new in China, many enterprises will first need to figure out what personal information processing activities they have and establish a comprehensive personal information protection system from scratch.
Rules on the cross-border transfer of personal information are still ambiguous. The ambiguity on this issue brings uncertainty to compliance. Businesses will need to closely monitor the legislation trend and get prepared.
What will new requirements on biometric data mean for businesses?
“The new specification provides welcome clarity for companies as to how to handle biometric information,” says Stacy Baird, a data privacy consultant based in Hong Kong SAR. “However, there may be compliance challenges with the consent requirements. As is true with other personal information, express permission, as required by the new law, could be difficult to obtain in the context of some collection.”
With the use of an app or website, consent is quite straightforward, but in the case of smart or interactive devices – those with non-traditional user interfaces – it may be harder.
Kevin Duan, partner at Han Kun Law Offices, says that there are uncertainties surrounding how strictly the authorities intend to enforce rules for the collection and use of biometric data, such as the requirement that raw facial data not be stored. It will be particularly challenging for AI [artificial intelligence] companies to make the necessary changes before October.
Duan adds: “It gets onerous for businesses to keep track of the software development kits that collect personal identifiable information in their apps, especially when developers are constantly adding and changing them in their daily development work. The relevant privacy policies also need to be updated.”