On 1 May 2018, the "Information Security Technology – Personal Information Security Specification" (PI Specification) issued by China's National Information Security Standardization Technical Committee (NISSTC) will come into effect. The PI Specification, inter alia, provides guidance on the collection, storage, use, transfer and disclosure of personal information. While the PI Specification is voluntary and not legally binding, it is likely that Chinese regulators will take breaches of the PI Specification into account when enforcing cybersecurity obligations.

The requirements for the collection, use, and storage of personal information are briefly outlined below.

Collection, Use and Storage of Personal Information

The requirements for the collection, use, and storage of personal information under the PI Specification are very similar to those adopted in other jurisdictions. For example, the PI Specification requires the personal data controller to notify personal data subjects of the type of personal information being collected and the rules governing its collection, and to obtain the personal data subject's consent before collecting the personal information. Sensitive personal information may be collected only with explicit consent. Sensitive personal information, such as information relating to a person's reputation or physical and mental health, is subject to increased protection under the PI Specification.

When storing personal information, personal data controllers are required to de-identify all personal information immediately after collection and to store the de-identified information separately from any information that could be used to re-identify the data subject. Storing sensitive personal information requires additional security measures, such as encryption.
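To make the storage requirement concrete, the following Python example (added here; it is not part of the Mayer Brown update and is not code from the PI Specification itself) shows one way to meet it: a record is split immediately after collection, direct identifiers go into a separately keyed re-identification vault under a keyed pseudonym, and the application's own record store refuses to accept any direct identifier. Which fields count as direct identifiers or as sensitive, the HMAC-based pseudonym scheme, and the sample record are all assumptions for illustration. The example stops at flagging sensitive fields for the additional protection (such as encryption at rest) that the text calls for; it does not implement that encryption.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set

# Assumptions for this example (not taken from the PI Specification text):
# which collected fields are direct identifiers and which are sensitive.
DIRECT_IDENTIFIERS = {"name", "phone", "id_number"}
SENSITIVE_FIELDS = {"health_condition"}


class ReidentificationVault:
    """Separately held store mapping a pseudonym back to direct identifiers.

    Kept apart from the application's record store and guarded by its own
    key, so holding the de-identified records alone does not re-identify.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._mapping: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, id_number: str) -> str:
        # Keyed HMAC rather than a plain hash: without the vault key an
        # attacker cannot recompute pseudonyms from guessed ID numbers.
        digest = hmac.new(self._key, id_number.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:32]

    def store(self, pseudonym: str, identifiers: Dict[str, str]) -> None:
        self._mapping[pseudonym] = dict(identifiers)

    def reidentify(self, pseudonym: str) -> Optional[Dict[str, str]]:
        return self._mapping.get(pseudonym)


class RecordStore:
    """Application store: must only ever hold de-identified records."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, str]] = {}

    def put(self, record: Dict[str, str]) -> None:
        # Guard against a direct identifier slipping into the main store.
        leaked = DIRECT_IDENTIFIERS & set(record)
        if leaked:
            raise ValueError(f"refusing to store direct identifiers: {sorted(leaked)}")
        self.records[record["subject"]] = record


def de_identify(raw: Dict[str, str], vault: ReidentificationVault,
                store: RecordStore) -> str:
    """Split a freshly collected record: identifiers to the vault,
    everything else (keyed by pseudonym) to the application store."""
    identifiers = {k: v for k, v in raw.items() if k in DIRECT_IDENTIFIERS}
    pseudonym = vault.pseudonym_for(identifiers["id_number"])
    vault.store(pseudonym, identifiers)
    cleaned = {k: v for k, v in raw.items() if k not in DIRECT_IDENTIFIERS}
    cleaned["subject"] = pseudonym
    store.put(cleaned)
    return pseudonym


def sensitive_fields_in(store: RecordStore) -> Set[str]:
    """Audit helper: sensitive fields present in the main store. These are
    the ones that need the extra protection (e.g. encryption at rest)."""
    found: Set[str] = set()
    for rec in store.records.values():
        found |= SENSITIVE_FIELDS & set(rec)
    return found


# Constructed sample record for the demonstration; not real data.
SAMPLE = {
    "name": "Zhang San",
    "phone": "13800000000",
    "id_number": "110101199001011234",
    "order_total": "88.00",
    "health_condition": "asthma",
}


def demo(key: bytes = b"example-vault-key-replace-in-production") -> dict:
    """Run the pipeline on SAMPLE and return what each store ends up holding."""
    vault = ReidentificationVault(key)
    store = RecordStore()
    pseudonym = de_identify(SAMPLE, vault, store)
    return {
        "pseudonym": pseudonym,
        "stored": store.records[pseudonym],
        "reidentified": vault.reidentify(pseudonym),
        "sensitive": sensitive_fields_in(store),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

In a real deployment the vault would be a separate system with its own access control and audit logging, and the vault key would live in a key-management service rather than in source; the point of the example is the separation of the two stores and the refusal path in `RecordStore.put`.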

Moreover, data controllers are required to provide data subjects access to their personal information and provide a way for the personal data subjects to correct or complete their personal information.

Other Requirements

The PI Specification also sets out guidance on expected data breach incident responses and enterprise standards for safeguarding and processing data. Among other things, data controllers are required to devise and publish a privacy policy.

The full legal update appears in our "Asia IP & TMT: Quarterly Review" for Q1 2018.

Originally published April 30, 2018


Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.