On January 25, 2018, China released the final version of the Personal Information Security Specification, new voluntary standards on the protection of personal information.  The standards anticipate and address the “issues faced in personal information security during the rapid development of IT technology; with the protection of personal information as their core” and is meant to “regulate all phases of big data operations and related conduct, such as the collection, storage, processing, use and disclosure of personal information.”  The standards will go into effect on May 1, 2018.

The standards will apply to organizations using information systems to process personal information; specific departments that involve network security, third party assessment organizations; and other organizations that deal with the oversight, management, and assessment of personal information security.  Generally, they lay out the following 8 basic principles of personal information security.

  1. Responsibility Principle: Responsibility should be borne for the security of all personal information they possess, regardless of the path through which this information was obtained.
  2. Clear Purpose Principle: There should be a lawful, legitimate, and specific purpose for personal data processing, and the purpose for the personal data processing must not be changed without authorization from the personal data subject.
  3. Smallest Adequate Amount Principle: Except where it has been agreed otherwise with the personal data subject, only the smallest amount of information necessary to satisfy the purposes should be processed. After the purposes are achieved, the personal information should be promptly deleted in accordance with agreements.
  4. Principle of Consent and Choice: The personal data subject should be allowed to choose whether to consent to processing of their personal information, including the agreeing upon its purposes, methods, and scope, and when changes are made the personal data subject’s consent should be solicited again. The personal data subject’s not giving consent must not be the reason for refusals to provide them services or for reducing the quality of services, except where the services rely on users’ personal information.
  5. Quality Assurance Principle: In the course of processing personal information, the accuracy, veracity, validity, and usability of the personal information should be ensured.
  6. Security Assurance Principle: Appropriate management principles and technological measures should be employed to ensure security in all phases of processing personal information.
  7. Subject Participation Principle: Personal data subjects should be provided measures to access, correct, and delete their personal information, as well as to withdraw consent, deregister accounts, and so forth.
  8. Principle of Openness and Transparency: The scope, purpose, and rules for processing personal information should be disclosed in a clear, understandable, and reasonable fashion, and when necessary, accept outside supervision.

The standards also provide definitions for data privacy terms such as personal information, personal sensitive information, personal data subject, personal data controller, explicit and implied consent, disclosure, transfer, anonymization, and pseudonymization.

These new standards come on the heels of China’s new Cybersecurity Law, which took effect in June 2017, and add to China’s complex and evolving data protection regime.  The Cybersecurity Law regulates the construction, operation, maintenance and usage of networks, as well as network security supervision and management within mainland China, and mandates several forms of data-related regulation, including with respect to requiring that certain types of information be hosted within China, implementing incident management procedures and consent requirements when collecting personal data, and creating key operations security protections for critical information infrastructures.

Though the new privacy standards are completely voluntary, organizations should aim to comply by employing privacy-focused efforts such as reviewing data privacy policies, implementing stricter security practices, carrying out data protection impact assessments, employing and training privacy personnel, and maintaining detailed internal recordkeeping of data processing activities.