On February 1, 2019, the National Information Security Standardization Technical Committee (the "Committee") issued an amended version of the GB/T 35372-2017 Information Technology – Personal Information Security Specification (the "Specification") for public comment, with the period for making comments having closed on March 3, 2019.

In common with the version currently in force (which was officially issued on December 29, 2017 and took effect from May 1, 2018 which we discussed in our earlier briefing here), the amended draft Specification (the "Draft Specification") would still be a "GB/T" national standard, i.e., recommended (but nonbinding) national standard. However, given that the Draft Specification is the most comprehensive embodiment of China's personal information protection regime, its significance is its ability to influence Chinese regulators in terms of setting personal information protection benchmarks.

The fact that the Specification is being reviewed and amended so soon after its promulgation demonstrates the extent to which organizations have turned to it for detailed data protection compliance guidance and its high profile within the business community. Most Chinese laws of general application which address data protection, such as the Cyber Security Law and the Protection of Consumer Rights Law, only do so in very general terms. The more detailed requirements set out in the Specification serve an important role in bridging the gap between principles and practice.

China moves a step closer to GDPR

The introduction to the Draft Specification states that the proposals are developments of the Specification based on observations of industry practice, the aim of which is to provide more comprehensive and practical guidance.

However, the most striking feature of the Draft Specification is how China's data protection landscape is tracking requirements under the European Union's General Data Protection Regulation (the "GDPR") and moving towards a forced "unbundling" of consents, requiring separate, explicit "opt-in" consent to each purpose for which personal data is being processed, with a specific focus on advertisement personalization and other forms of digital marketing, which are clearly areas of particular concern.

Stricter consent requirements

Consent to the collection and processing of personal data is the fundamental concept underpinning the Specification.

Clause 5.3 of the Specification requires that information controllers who intend to collect personal information must obtain consent after having expressly notified information subjects of the types of personal information being collected in relation to each business function of the product or service in question, and the purpose and rules of collection and use.

Clause 5.5 requires that information controllers who intend to collect sensitive personal information must obtain voluntary, specific and unambiguous consent from information subjects after informing them of how the information will be processed as part of:

(i) the core functions of its product or service; and

(ii) ancillary processing purposes, as well as explaining the consequences of the information subject withholding consent.

The Specification goes on to provide that where information subjects have opted out of providing their sensitive personal information for ancillary purposes, information controllers must not suspend or degrade the performance of core functions.

As it stands then, the Specification already requires unbundling of consents in respect of the processing of sensitive personal information.

Move to require unbundled consent in all contexts

It is important to note that the scope of "sensitive personal information" under the Specification is broader than the concept typically seen in comparable international jurisdictions, and is defined as "information that may cause harm to personal or property security or is very likely to result in damage to an individual's personal reputation, physical or mental health or give rise to discriminatory treatment if it were misused." Examples given in the Specification include identification card numbers, biometric information, bank account details, communications records, property details, credit reference information, location data, health and medical information, transaction data and personal data of children under the age of fourteen. Those familiar with other jurisdictions with similar legislation will recognise that this is a broader definition of "sensitive personal data" than is typically seen in the international context.

The Draft Specification further develops consent requirements by extending unbundling to all types of personal information, not just sensitive personal information, and re-orienting the scope of unbundling around "basic" and "extended" processing purposes. A single consent is sufficient for processing for "basic" purposes; however processing for "extended" purposes would need to be unbundled and separate consent obtained for each use case. "Basic" processing purposes are defined based on the data subject's primary needs and expectations of using the products or services .

Information controllers may refuse to provide their products and services to information subjects that refuse to consent to the collection of personal information for "basic" purposes.

In order to restrict information controllers from unreasonably expanding the scope of "basic" purposes, the Draft Specification clarifies that what determines the data subjects' primary needs and expectations is not what the information controllers deem those needs and expectations to be. As such, upgrading services, enhancing the user experience and the research and development of new products are not "basic" processing purposes. Instead, such needs and expectations should be determined with reference to the data controller's promotional materials and the name, type and descriptions of its products and services (for example, the content found in an app store in the case of mobile apps).

Consents for "extended" processing purposes must be unbundled by informing the personal information subject, on a case-by-case basis, of the "extended" business functions offered, the personal information which needs to be collected, and permitting the personal information subject to grant or withhold consent for each "extended" business function on a case-by-case basis.

It is recommended that prior to the initial use of both the "basic" business functions and "extended" business functions, consent is obtained by way of interactive interfaces or designs (such as pop-up windows, text-based instructions, filling in boxes, tooltips, audiobased alerts and other such forms).

In additional to the unbundling requirement, the Draft Specification sets out further requirements on consent:

  • Consent must be based on the information subject's positive action (such as proactively filling in personal information, ticking or clicking on a checkbox), and controllers must provide an easy-to-follow opt-out mechanism to allow information subjects to opt-out at any time;
  • Where information subjects refuse to opt-in or decide to opt-out from a specific processing purpose, information controllers must not disturb information subjects by sending consent requests on a frequent basis. Annex C of the Draft Specification provides that in the event that an information subject refuses to consent to certain extended business functions, no repeat consent request can be sent within 24 hours; and
  • Where information subjects refuse to opt in or decide to opt out from a specific processing purpose, information controllers must not suspend or downgrade business functions that information subjects have consented to. In particular, if an information subject refuses to opt in or chooses to opt out from "extended" purposes, the information controller must not cease or downgrade basic business functions.

Removal of the exemption for contractual necessity

Clause 5.4 of the Specification sets out circumstances in which the processing of personal information may be carried out without obtaining consent from information subjects.

Critically, Clause 5.7 of the Draft Specification removes the exception previously made for processing required for the performance of a contract. By removing the exemption for processing required by contract (which was, in practice, by far the most commonly relied upon exception), the Draft Specification exponentially expands the impact of the move to greater unbundling of transactions, as the scope of processing transactions requiring use-case-byuse-case unbundled consent will become much broader.

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.