China Targets Data Collectors With New GDPR-Aligned National Standards
May 29, 2020 | By Vincent Chow
Unbundled consent, biometric data and personalized displays all feature in China's latest data protection specification
Chinese regulators have finalized new national standards for the collection and storage of personal information. The new comprehensive document provides granular detail of how businesses should obtain customer consent, design personalized displays, and store biometric information, as well as provides internal governance best practices.
Lawyers recommend businesses comply fully with the standards outlined in the updated Information Security Technology - Personal Information Security Specification (信息安全技术个人信息安全规范) despite its non-binding legal status. That is because various regulators including the Cyberspace Administration of China (CAC) as well as third-party assessment bodies are using it as a yardstick for measuring compliance with general personal information protection rules and regulations.
"This Specification is very important in China," said Sherry Gong, a Beijing-based partner at Hogan Lovells. "Since 2017, [when] the first official draft came out, it affected [business] practices very much. We have seen the government take it as a benchmark for enforcement."
The Standardization Administration of China (SAC) and the PRC General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ, now under the State Administration for Market Regulation (SAMR)) published the 2017 "draft" (the 2017 Specification). The document, which came into effect in May 2018, was significant not only for expanding the scope of personal information protection but also for providing regulators a clear framework for scrutinizing businesses' compliance with general laws such as the PRC Cybersecurity Law (中华人民共和国网络安全法), which came into effect a year prior.
A high-profile example of this involved Alibaba affiliate Ant Financial, which was reprimanded by the CAC over its collection of users' personal information. The CAC determined that Ant Financial's online payment platform Alipay had contravened the "spirit" of the 2017 Specification, and recommended that they conduct a "comprehensive investigation" to prevent similar incidents happening in the future.
Published on Mar. 6 by SAC and SAMR, the updated 2020 Specification, which comes into effect on Oct. 1, will be used in the same way, Gong says. What has changed is that various standards have been tightened to reflect the regulators' growing concerns about personal information collection methods.
First, the 2020 Specification builds on the concept of "unbundled consent" introduced in the 2017 Specification. This is the requirement that data collectors such as mobile apps should obtain consent from data subjects separately every time sensitive personal information is needed for a different business function. In other words, a customer consenting once to sharing their sensitive personal information does not entitle the data collector to use that personal information for multiple purposes.
The 2020 Specification removes the "sensitive" threshold to cover all personal information. It also makes the distinction between "basic" and "extended" business functions, the consent for which must also be "unbundled." It cites services such as map navigation, ride-hailing, instant messaging, social networking, online shopping and transport ticketing as typical basic functions, while extended functions can be understood to mean ancillary functions such as profiling and targeted advertising, Gong says.
"If the data subjects refuse to give consent for the collection and processing of their personal data, the operator can suspend the basic functions. However for other functions like profiling, targeted advertising, upgraded services and enhancing users' experience… the [data collector] cannot bundle those kinds of functions into the basic functions and just collect one consent under the new Specification," she said.
Second, the 2020 Specification introduces specific standards surrounding extended functions such as personalized displays. Tailored search results on an e-commerce website are one example, where products listed on the website reflect not only the search terms used by the customer but also the customer's web browsing history, previous purchases and other relevant information. The 2020 Specification recommends that data collectors clearly differentiate between personalized and non-personalized displays as well as provide an easy "opt-out" option for users.
"This is a very interesting area to watch develop in the Specification because, in a way, it goes to the heart of the commercial internet," said Mark Parsons, head of Hogan Lovells' corporate practice in Hong Kong. He highlighted the potential impact these new standards may have on how online platforms drive advertising revenues through their customers' personal information – of particular relevance in China where so-called "super-apps" such as WeChat accumulate tremendous amounts of user data for many different purposes.
"The fundamental question is how data can be monetized… the Specification really shifts that, even beyond what we see in Europe with the GDPR (General Data Protection Regulation). If literally every separate purpose of [data] processing needs to be unbundled and separately consented to, I can see how platform operators and others active in cyberspace will see that as a potential challenge to their commercial models," he said.
Third, the 2020 Specification finalizes new standards surrounding biometric personal information collection, subjecting it to stricter requirements than for other forms of personal information. For example, data controllers must provide separate notifications to data subjects when biometric personal information is being collected or used. They must also obtain explicit consent from data subjects if their biometric information is to be transferred, which can only happen after the data subject is informed about the purpose and scope of the transfer – a requirement unique to biometric personal information.
The development follows the release of a separate draft in June 2019 specifically addressing biometric personal information protection. The 2020 Specification incorporates elements of that document following a consultation process that ended in August 2019, marking the first time that any version of the Specification, including the 2017 Specification as well as earlier drafts of the 2020 Specification, tackles the collection and storage of biometric personal information such as fingerprint and facial recognition data.
"Because those kinds of data are very special, they must have better protection," Sherry Gong said. "If they are misused, the consequences can be very serious."
In light of these new standards, businesses would do well to pay close attention to ensuring their internal governance structures are positioned to best meet the expectations of Chinese regulators, Gong says. Under the 2017 Specification, data controllers above a certain data processing threshold were required to appoint a head of personal information protection dedicated to the role, similar to the data protection officer (DPO) role under the GDPR regime. The 2020 Specification lowers the threshold, requiring more businesses to appoint such a person.
"Some clients have discussed with us whether their Hong Kong DPO can also assume China's role. We think if they can be dedicated to this role, that's fine," Gong said.
She also recommends businesses work out the role of their data protection departments in decision-making and its relationship with the wider legal and compliance departments. This is crucial especially for a Chinese small or medium-sized enterprise that may now have dedicated personnel working on personal information protection compliance for the first time.
"The sort of data governance structure and accountability models that you see under the GDPR are becoming more relevant [in China]," Parsons said.