The national standards titled Personal Information Security Specifications (GB/T 35273-2017) (the Specifications), released on 29 December 2017, are due to take effect on 1 May 2018. Being recommended national standards, the Specifications are not mandatory. However, as fundamental supporting standards under the Cybersecurity Law effective from 1 June 2017, the Specifications highlight operability by giving further guidelines on compliance with personal data protection principles under the Cybersecurity Law.
Q: What are the focuses of the Specifications?
A: The Specifications focus on all steps involved in personal information processing, including collection, preservation, use, entrusted processing, sharing, transfer and public disclosure of personal information, all subject to the personal information owner’s “consent”, which is one of the most important highlights of the Specifications.
Q: How is personal information categorized under the Specifications?
A: Categorization of personal information under the Specifications reflects the data categorization requirements under Article 21 of the Cybersecurity Law. According to the Specifications, personal information comprises general personal information and sensitive personal information. General personal information refers to any information identifying a specific natural person or reflecting the activities of a specific natural person. Sensitive personal information refers to any information which, if used improperly, may threaten personal or property safety, or lead to discriminatory treatment or damage to personal reputation or physical or mental health.
The Specifications impose more stringent requirements on the processing of sensitive personal information. For example, when collecting any personal information, the personal information controller must obtain explicit consent from the owner of the personal information and ensure that the consent is given on a voluntary and fully-informed basis, representing the specific and clear intentions of the owner.
In addition, before collecting any personal information, whether through an active collection process or by way of automatic collection, the information controller is obliged to inform the owner. Where personal information is provided to support any additional features, the personal information controller shall explain the features one by one and allow the owner of the personal information to choose, feature by feature, whether to provide the information. The personal information controller shall not refuse to provide a core feature because the personal information owner declines to provide information for a supporting feature.
In particular, the Specifications impose additional requirements on protecting the personal information of minors. Before personal information is collected from a minor, the explicit consent of the minor or his/her custodian must be obtained.
Q: What requirements do the Specifications impose on “controllers of personal information”?
A: The Specifications pose requirements of various degrees on “controllers of personal information” throughout the process of personal information processing.
First of all, collection of personal information must reflect legal compliance and minimization. Where any personal information is collected directly or received indirectly, authorization or explicit consent of the personal information owner must be obtained. Collection of sensitive personal information is subject to explicit consent.
Secondly, preservation of personal information shall satisfy the requirements of minimum time and de-identification. Sensitive personal information shall be preserved with encryption measures. Personal biometric information must not be stored until it is processed with technical means. When an operation is stopped, collection activities should also stop and the information must be deleted or anonymized.
Thirdly, in connection with the use of personal information, measures shall be taken to restrict access to the data and to ensure compliance with restrictions on its display and use. Meanwhile, owners of personal information shall be explicitly allowed to access, revise or delete their data, withdraw consent and cancel their account, and receive copies of their personal information. Controllers of personal information must be capable of responding to requests from personal information owners and must have a complaint management mechanism in place.
Finally, in connection with the entrusted processing, sharing, transfer and public disclosure of personal information, the Specifications prohibit entrusting processing beyond the scope of authorization and highlight that, as a general principle, personal information controllers shall not share, transfer or publicly disclose any personal information.
Q: What legal liabilities will arise if an enterprise violates the Specifications?
A: Despite being recommended national standards, the Specifications are formulated under the framework of the Cybersecurity Law. Therefore, it is possible that a violator of the Specifications may be held civilly, criminally or administratively liable under the relevant provisions of the Cybersecurity Law.
Q: What strategy can an enterprise take to prevent violation risks?
A: In addition to providing better operability for data compliance activities, the Specifications make it possible to quantify the data compliance work of companies, thereby posing new challenges to their data compliance. It is advisable for relevant companies to take the following actions as soon as practicable:
First, they need to establish a management system complying with regulatory requirements that comprises a personal data security incident response mechanism, a personal data security impact assessment and reporting system and data security capabilities. The management system also needs to cover security auditing as well as management and training of employees responsible for personal data processing.
Second, they should seek advice from legal and technical professionals with the aim of balancing compliance and technical solutions.
Third, process records about how compliance measures are taken as well as relevant documents should be properly kept so that companies will be able to prove they have taken compliance measures when necessary.
Fourth, data processing activities must be monitored on an ongoing basis so that risk points of violation can be identified and improved in a timely manner.
Last but not least, a dispute and complaint resolution process relating to data processing must be in place to ensure prompt settlement of any conflicts.
Stephanie Wu Yuanyuan and Song Ying are partners at AnJie Law Firm