Proper data protection guidelines finally arrived in China!

By Clarice Yue, John Shi, Sven-Michael Werner


On 29 December 2017, the National Information Security Standardization Technical Committee released, arguably, one of the most important national standards concerning protection of personal information/data in China, entitled "Information Security Technology – Personal Information Security Specification" (Personal Information National Standards).  The Personal Information National Standards will become effective on 1 May 2018.  The formal text of the new standards will be available to the public shortly.

The consultation for the promulgation of the standards started way back in September 2016.  A number of revised drafts have since been circulated cumulating into its formal promulgation before the arrival of the New Year.  The new standards are pivotal as they set out key data protection concepts and principles which until now remain elusive and have not been properly developed or explained in key laws and regulations, including the China Cybersecurity Law.  

Based on the consultation draft released in 2016, we expect the Personal Information National Standards to include:

  1. the data protection principles applicable in China;
  2. key data protection concepts, such as "personal sensitive information" and "explicit consent";
  3. examples of personal information and personal sensitive information; and
  4. model privacy policy.      

The new standards do not replace the "Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services" released in November 2012.  We expect that unlike the previous guidelines which lack the backing of any significant regulations or laws, the new Personal Information National Standards are likely to attract more attention from the business community and will serve as an important guideline as businesses navigate their way through the various provisions in the China Cybersecurity Law on protection of personal data to ensure their compliance.  

To understand more you are invited to attend our seminar: New China Data Protection Guidelines 101 on Tuesday 23 January.