Since the implementation of the Cyber Security Law and the Personal Information Security Specification (PIS), Chinese regulators have intensified their efforts to tackle unacceptable practices in the collection and use of personal data. In November 2018, the China Consumers’ Association published a report (CCA Report) identifying some common malpractices by a wide range of mobile applications in China. These include excessive collection of personal data through general or bundled consent targeted mainly at geographical locations, mobile numbers and contact lists, and businesses having non-compliant privacy policies.
In order to address such malpractices, China’s National Information Security Standardisation Technical Committee (TC260) published a draft amendment to the PIS (Draft Amended PIS) in February 2019 for public consultation, which proposes stricter obligations on data controllers. According to discussions during TC260’s first working meeting on 22 April 2019, the Draft Amended PIS has been revised after the public consultation, but the finalised version has not been officially released yet. This article highlights some key proposed changes which may impact your business in China. Whilst it is not compulsory to adopt the PIS / Draft Amended PIS, compliance is highly recommended as they will be considered by the regulators when taking enforcement actions and should be regarded as best practice.
Purpose-orientated personal data collection
To address the problem of “general or bundled consent”, the Draft Amended PIS prohibits data controllers from forcing data subjects to consent to bundled services and functions. Data controllers are required to clearly identify the business functions offered and to categorise them as “core” or “extended” business functions, and to inform data subjects of the type of information that will be collected for each function.
The concepts of core and extended business functions are not new. Under the current PIS, when seeking to collect sensitive personal data, data controllers are required to indicate whether such data will be collected or used for the purpose of performing a core business function or an extended business function. The rationale is to ensure that data controllers collect no more data than necessary. If an item of sensitive personal data is required only for performing an extended, rather than a core, business function, and the data subject does not actually require such extended business function, the data subject can opt out of such function and does not have to provide the relevant sensitive personal data.
The Draft Amended PIS seeks to expand the requirement to distinguish between core and extended business functions to the collection of, not only sensitive personal information, but all types of personal information. A data controller may obtain a combined consent to data processing in relation to core business functions but, in relation to extended business functions, data subjects must be allowed to give separate consent in relation to each individual extended function. Data controllers are prohibited to send repeated consent requests to the data subjects and cannot refuse to provide core business functions, or offer substandard core business functions, if the subject refuses to consent in relation to extended functions.
The Draft Amended PIS proposes some factors to help determine whether a business function is core or extended according to the expectations of the data subjects based on considerations such as the name, description and category of the product/service, as well as the way the product/service is promoted. A core business function refers to the main function or service which a data controller provides, while extended business functions are commonly understood as any functions other than the core business function. For example, for a search engine, searching will be considered the core business function. If the business also offers a payment service to support its search function, the payment service will be deemed as an extended business function. To provide more clarity, the recent revisions to the Draft Amended PIS also lists some non-exhaustive examples of business functions, such as mapping, navigation, ride hailing, instant messaging, social media, news and information, online shopping, express courier and transportation ticketing which are more relevant to mobile applications and other activities conducted by electronic means.
Consents should be sought before the initial configuration or installation of an application, or setting up the user accounts by the data subjects. Affirmative acts such as completing a form, clicking or checking a box is required to indicate consent. Data controllers must also provide a user-friendly mechanism for data subjects to partially or completely unsubscribe.
Personalised displays and targeted advertising
Offering personalised displays of content such as news feeds, search results, or targeted advertising, has been subject to the scrutiny of regulators, even though it is not regulated by the PIS. The Draft Amended PIS requires data controllers to prominently mark the material as “personalised display” or “targeted delivery”, to provide a simple mechanism for data subjects to opt out of news or other information delivered by way of personalised recommendations, and also recommends data controllers to put in place mechanisms to allow data subjects to manage their preferences for receiving targeted advertising. Data controllers should delete or anonymise personal information once a data subject has opted out.
According to the CCA report, nearly half of the mobile applications reviewed had problems with their privacy policies, including:-
To address these common problems, the Draft Amended PIS specifically requires:-
Other major changes
The proposed amendments to the PIS is clearly in line with the trend of China’s continued efforts to strengthen its personal data protection regime, particularly targeting major malpractices identified in recent enforcement actions. In the absence of a comprehensive law on personal data protection, the latest version of the Draft Amended PIS will be an important guideline as to the requirements of the Chinese regulators and could form the blueprint for the upcoming data protection law which has been on legislators’ agenda since 2018.