China Cybersecurity Law Update: Picking up the pace (quick!) : Further revision to the National Standards on Protection of Personal Information in China

By Michelle Chan, John Shi, Clarice Yue


China's National Information Security Standardization Technical Committee released a further revision draft of national standard on protection of personal information protection.

On 25 June 2019, hot on the heels of the release of the draft measures on export of personal data, China's National Information Security Standardization Technical Committee released a further revision draft of national standard on protection of personal information protection entitled "Information Security Technology – Personal Information Security Protection" (the Draft Standard). This revised draft is a follow up to the previous consultation draft released earlier this year on 1 February 2019. The consultation period for the Draft Standard ends on 8 August 2019.

The current National Standard on Personal Information Security Protection only came into force on 1 May 2018. The pace at which the National Standard is in need of updating reflects not only the speed at which technologies on big data are evolving, but also the determination of the Chinese Government to keep up with such development by imposing specific requirements and restrictions on how personal information may be processed and used with such technologies.

We highlight below some of the key proposed changes as they are set out in the Draft Standard (and certain "change of heart" following the previous consultation):

1. Requirements on Consent

• Authorised consent vs. explicit consent:

Consistent with the current National Standard, a distinction is made between authorised consent and explicit consent, the latter being required in specific circumstances e.g. processing of sensitive personal information. Whilst "explicit consent" is clearly defined as written or other positive action indicating consent, there remains no separate definition for "authorised consent", and the question of whether implied consent could be taken as authorised consent continues to be unclear.

In addition, Appendix 3 of the Draft Standard, which is intended to set out practical guidance on obtaining consent for processing of personal information for "basic business functions" vs. "supporting/ancillary business functions" contains confusing references to explicit consent being required more generally in relation to any processing of personal information (not just in relation to sensitive personal information). Given the lack of clarity, if the Draft Standard is finalised in its current form, it appears that the prudent approach would be to obtain explicit consent for any processing of personal information.

• Bundled consent:

The Draft Standard stresses the importance of voluntary consent and, consistent with the previous draft, prohibits data controllers from "forcing" data subjects to give consent to processing of personal information as part of an acceptance to receiving products and services. In particular, the Draft Standard provides that if a product or service contains multiple functions that collect and process personal information, data controllers should not bundle consent for the different functions but rather, should provide users with a voluntary choice of affirmative action to express their choice to any form of personal information collection.

• Exceptions to consent:

As consent is the only legal basis for processing of personal information in China, it is important to note the exceptions to consent that are set out in the National Standard. In the National Standard, one key exception is that consent would not be required in cases where processing of personal information is necessary for the execution and implementation of a contract requested by the data subject (the "contractual necessity exception"). Whilst the contractual necessity exception was somewhat worryingly removed from the previous draft, it is perhaps reassuring that it is now reinstated in the Draft Standard. Nevertheless, it should be noted that, in contrast with the GDPR, the contractual necessity exception is crafted as an exception to the consent requirement, as opposed to being a legal basis of processing in its own right.

In addition, as in the previous draft, a new exception is available to data controllers who are required to process personal information relating to complying with obligations under laws and regulations.

2. New restrictions on user profiling and personalised display

The previous draft already contains proposals on certain restrictions and requirements to be imposed on data controller if it wishes to use personalised display (e.g. e-commerce platforms displaying products and services following a user's search based on his preferences and purchasing habits). For instance, data controllers are required to provide opt out mechanisms if data subjects wish to withdraw their consent to user profiling and receiving personalised information.

In the Draft Standard, there is a further proposal on the content or information which user profiling can be used to create. For example, no content concerning a data subject's ethnic origin, religion, disability or other illness should be included. If user profile is to be used for direct marketing purposes, a data controller can only use "indirect user profiling", i.e. through analysing information not specific to a particular individual, such as user profiling on all members that belong to a particular interest group.

3. Requirements on data aggregation

Data controllers that wish to conduct data aggregation will be required to conduct personal information security impact assessment on the purposes for which the newly aggregated data is created. This requirement is in addition to the general requirement that a data subject must have agreed to the purposes for which his personal data (and any aggregated data created based on his personal data) will be collected and used.

4. Requirement on data access by third parties

With the emergence of "superapps", the Draft Standard also proposes a set of requirements that aim to protect user privacy when data controllers allow third parties, who are not acting as joint data controllers or data processors, to access and process personal information through their products and services. For instance, data controllers are required to (i) verify, monitor and inspect the consent collection practices adopted by third parties; and (ii) if certain products and services are provided by third parties, a data controller must so specify.

5. Data breach notification

In the previous draft, there is a requirement on the data controllers to report to the Cyberspace Administration of China data breaches which involve (i) personal information of more than 1,000,000 data subjects, or (ii) personal sensitive information relating to the economy or population of the state, or of public interest (e.g. genetic information or biometric data). This requirement has now been removed from the Draft Standard.

6. Professional requirements of the DPO

As with the previous draft, the Draft Standard provides that the persons responsible for the protection of personal information within an organisation must have related management experience and professional knowledge of protection of personal information.

7. Privacy by design

The Draft Standard also now contains a general requirement that if a product or service facilitates the collection and processing of personal information, the data controller is required to take into account all data protection requirements in the product or service's design, development and trial.

8. Personal sensitive information

One of the key problematic areas created by the current National Standard is the types of personal information which have been classified as personal sensitive information. For example, it is difficult to understand why a personal phone number is personal sensitive information.

In the Draft Standard, personal phone numbers, network email addresses and related password are no longer regarded as personal sensitive information.
Replacing them are three new types of information which will now be regarded as personal sensitive information:

• Contacts lists
• Friends lists
• Groups lists


One of the key criticisms of the National Standard is that it tends to provide limited assistance to (i) non-internet/online based companies; or (ii) aspects of the business which are not online/internet based, when these companies are striving to comply with the data protection requirements in China. Whether the non-online/internet based business will now find the Draft Standard more user friendly will remain to be seen.