Strengthening the Protection of Personal Information in China - National Standard Overhaul
June 11, 2020 | BY Susan Mok, Jerry (Jianwei) Fang and Wenpei Yu
Susan Mok, Jerry (Jianwei) Fang and Wenpei Yu of Zhong Lun Law Firm discuss the important changes in the updated Personal Information Security Specification, how it offers more protection to those whose personal information is collected, and the actions companies should consider to ensure compliance under the new rules.
On March 6, 2020, the State Administration for Market Regulation and the Standardization Commission of China jointly promulgated the Information Technology – Personal Information Security Specification (Document No. GB/T 35273—2020) (信息安全技术个人信息安全规范) (the 2020 Specification). The 2020 Specification will become effective in October 2020 and replace the Personal Information Security Specification promulgated in 2017 (the 2017 Specification). The 2017 Specification has been the core national standard used to guide legal entities to collect, store and transfer personal information legally and compliantly.
The standard has been revised over the years to reflect the changing demands of the public and the fast development of digital processes. The draft version of the 2020 Specification was published by the National Information Security Standardization Technical Committee in February 2019. Subsequently, the first and second draft-for-comments versions were published in June and October 2019, respectively.
There are several big changes in the 2020 Specification that aim to fill the gaps left in the 2017 Specification.
Significant Changes
The changes presented in the 2020 Specification cover many significant areas including the method of obtaining a user's consent, protection of biometric information, data fusion, a user's profile and management of third-party access (TPA). The 2020 Specification could be used as a guideline for enterprises carrying out business related to collection of personal information.
Unbundled consent and autonomous will
Article 5.3 of the 2020 Specification is a newly added rule that regulates how consent is obtained from a "personal information subject" (the user; see Article 3.3 of the 2020 Specification). According to Article 5.3, when a product or service provides multiple business functions that require the collection of personal information, the "personal information controller" (see Article 3.4 of the 2020 Specification) must not violate the autonomous will of the user by forcing the user to accept a business function provided by the product or service, together with the corresponding personal information collection request. Specifically, the personal information controller should consider the following:
(1) avoiding bundled consent, i.e. consent must not be obtained from the user in a single step for the collection of personal information for all business functions, including those the user does not wish to use;
(2) treating the user's positive actions (such as a click or checking a box) as the precondition for enabling functions;
(3) providing easy ways for the user to close or cancel functions;
(4) not repeatedly asking for the user's consent after the user has closed certain functions;
(5) not closing other functions or reducing service quality when the user closes certain functions; and
(6) not compelling the user to accept the collection of personal information in the name of service improvement.
This newly added provision is quite meaningful since it may resolve the bundled consent issue. In 2019, the Ministry of Industry and Information Technology (MIIT) published a notice on the ratification measures of apps by forbidding app operators from obtaining bundled consent from users. However, at the time, there was no regulation or standard to control bundled consent outside of the apps industry.
New methods of obtaining consent from the user
In Article 3.6 of the 2017 Specification, the definition of explicit consent was limited to written form or certain positive acts. The 2020 Specification expands the permitted forms of consent, allowing the user to:
(1) give oral authorization and consent;
(2) give consent by a statement in an electronic form; or
(3) check a box or click "accept" or do other positive actions.
Moreover, the 2020 Specification also introduces a new type of consent, namely default consent. It may help personal information controllers who need to collect personal information from numerous subjects for the same purpose. For example, under the 2017 Specification, if a university needed to collect students' personal data for a particular purpose, it could do so only after obtaining written consent separately from each student, which would have been a great burden for the university. This scenario is less burdensome under the new rule in the 2020 Specification. The university can now designate a specific area, such as a study room, and alert students to the collection of personal information in a notice. Students who leave the study area are treated as not having given permission for the collection of their personal information, while students who remain in the area give their default consent and accept the collection.
The 2020 Specification reduces the burden on the personal information controller and refers to best practices in everyday life.
Strengthening the protection of biometric information
In recent years, the general public has paid close attention to the leakage of biometric information (Bioinformation) following the emergence of biometric identity authentication. Bioinformation will gain even more prominence this year, as COVID-19 has spread globally and Bioinformation may be collected to help control the spread of the virus. These events have driven changes in laws and regulations: the 2020 Specification includes a new rule protecting Bioinformation, which was followed by the second draft of the Biosecurity Law (生物安全法) published on April 26, 2020.
"Bioinformation" is still defined as personal sensitive information in the 2020 Specification, including facial features, personal genes, fingerprint, palmprint and voiceprint.
The 2020 Specification has strengthened the protection of Bioinformation. According to Article 6.3, the personal information controller should separate Bioinformation from other personal information and take special measures to protect it. For example, (i) unlike general personal information, Bioinformation is generally not to be transferred or shared, and the personal information controller is obligated not to disclose it; (ii) Bioinformation should be stored and transferred in encrypted form; and (iii) Bioinformation should be stored separately.
Deregistration of user's account
The deregistration of a user's account was regulated in Article 7.8 of the 2017 Specification, which only required that the personal information controller provide simple ways for the user to deregister his/her account and delete or anonymize his/her personal information. Compared with the 2017 version, the requirements for the deregistration of a user's account in the 2020 Specification are more detailed and practical; for example, the personal information controller must review a user's deregistration request within a fixed period (no more than 15 days) (see Article 8.5 of the 2020 Specification).
Data fusion and management of a user's profile
The fast development of big data technology has enabled companies to collect a user's information and fuse such data and information to create a user's profile. Using such profiles, companies can precisely deliver advertisements or design targeted marketing campaigns for each user. Therefore, the management of data fusion and restrictions on the use of user profiles are extremely significant.
The 2020 Specification sets out a rule to regulate the fusion of data and a user's profile. According to Article 7.4, a user's profile should not contain illegal information, such as gambling, violence, supervision, pornography and discrimination. Furthermore, a user's profile may not be used to infringe the interest of other parties. As to the fused data, according to Article 7.6, the personal information controller should assess the security of the use of fused data and take appropriate measures to protect the data.
Also, the concept of an "indirect user's profile" has been introduced for the first time in the 2020 Specification. According to Article 3.8 of the Specification, an "indirect user's profile" means a user's profile that is not directly generated from the user's personal information but rather from other information such as group data. It also recommends that an indirect user's profile be used for delivering advertisements to the user.
Cross-border transfer
In the 2017 Specification, the cross-border transfer of personal information was regulated in Article 8.7, which required an assessment before transfer. Two years after the release of the 2017 Specification, the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments) (个人信息出境安全评估办法(征求意见稿)) (the Measures) were published, setting out the specific requirements of the security assessment for the cross-border transfer of personal information. The 2020 Specification therefore only provides that the cross-border transfer of personal information should comply with the relevant regulations. In other words, the 2020 Specification offers general guidance and leaves the details of cross-border transfer to other regulations.
Legal risks in daily business operations
The Weibo case
Weibo is one of the largest social media platforms in China and controls a mass of users' personal information. In March 2020, it was reported that over 538 million records of Weibo users' personal information were sold on the dark web. Over one fifth of the records sold included basic account information such as name, username, account ID, gender, number of followers and location. On March 21, 2020, the MIIT summoned a Weibo employee and required Weibo to conduct an internal compliance check in accordance with the Cybersecurity Law (网络安全法) and relevant laws and regulations, and to take effective measures to protect personal information.
Recommended actions businesses should consider
As the Weibo case highlights, companies should prioritize the protection of personal information when operating their businesses. Even where a leak of users' personal information is caused by a technical vulnerability or a targeted hack, the company may still be penalized by the regulator, and its credibility and business reputation may also be damaged.
In light of the tougher regulations, foreign-invested enterprises (FIEs) and multinational enterprises should focus on the following:
1) Use and commercialize personal information
The personal information controller should collect, process and commercialize the user's profile, and fuse personal data, with caution. According to Article 7.4 of the 2020 Specification, when personal information is frequently used in daily business operations, the personal information controller should adopt technical measures to remove particular items of personal information from the data used and avoid collecting information that would reveal a user's identity.
In addition, a company should ensure that the user's profile and data will not:
a) infringe the interests of other persons or entities; or
b) endanger national security or national unity, promote terrorism, spread violence or ethnic hatred, or contain other illegal information.
2) Separate treatment and measures regarding biometric information
Since Bioinformation is regarded as special personal information and enjoys specific protective measures under the 2020 Specification, an operator who collects and processes Bioinformation should:
a) separately notify users of the purpose, scope and other details of the collection of personal biometric information;
b) obtain explicit consent from users;
c) store biometric information independently;
d) store an abstract of the biometric information rather than the detailed information; and
e) fully notify users of any sharing or transfer of biometric information, and not arbitrarily transfer or share biometric information with third parties.
3) Set easier ways for users to close certain functions and deregister accounts
In practice, many apps or websites do not offer clear methods for users to apply to change or delete their personal information, or the ability to delete an account once the app has been uninstalled. To resolve this issue, the 2020 Specification requires the operator to provide easier methods for users to deregister accounts and to avoid setting preconditions or complex conditions for users.
Additionally, the personal information controller should meet the following new requirements:
a) review and act on a user's deregistration application within a fixed period (no more than 15 days);
b) if the deregistration process requires users to provide personal information for identity authentication, not collect more categories of personal information than were required for the user's registration; and
c) avoid setting unreasonable preconditions for users to deregister accounts.
4) Management of TPA
According to Article 9.7 of the 2020 Specification, the personal information controller should manage any TPA that collects personal information by:
a) establishing necessary conditions for, and conducting a security assessment of, the TPA;
b) entering into agreements with the TPA provider that specify its liability;
c) notifying users of the existence of the TPA and ensuring the TPA obtains consent from users;
d) supervising the personal information protection mechanism of the TPA and requiring the TPA to provide a reporting channel for users; and
e) where automated tools are embedded in the product or service, auditing and paying close attention to the actions of those tools and restricting their access when non-compliance occurs.
5) Cross-border transfer
According to the Measures, the network operator (see Article 21 of the Measures) should conduct a security assessment before transferring personal information out of mainland China. Since the Measures have yet to become effective, it is recommended that companies communicate with local cybersecurity regulators about how to carry out the assessment.
Personal information is becoming a new form of intangible asset, and its regulation in China is becoming increasingly stringent. Entities, especially FIEs in the telecommunications, media and technology industries, should strictly comply with the relevant laws and regulations when collecting and processing users' personal information in future business operations.