China Cybersecurity Law Update: Two New National and Industry Standards: Personal Information Specification and Personal Financial Information Specification, officially published!

By Michelle Chan, Clarice Yue, Tiantian Ke

04-2020


The long-awaited finalised revision of National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2020 (the “PI Specification”) was officially published on 6 March 2020, and will come into force on 1 October 2020.

On the other hand, China’s central bank, the People’s Bank of China (the “PBOC”) released its new Personal Financial Information Protection Technical Specification (the “PFI Specification”) on 13 February 2020, which took effect immediately. This industry standard sets forth additional privacy and cybersecurity requirements on the life cycle of PFI collected and processed by Financial Industry Institutions.

PI Specification Update

The current GB/T 35273-2017 PI Specification (the "2017 version") came into force on 1 May 2018 (see our analysis here) and is a set of national standards that provides guidance on personal information protection in China. There were a number of draft proposals to amend the 2017 version in February, June, and October 2019 (see our analysis here) before the revised version was released in March 2020. We highlight below key takeaways of the changes.

1. Requirements on consent

Consent vs. explicit consent:

Obtaining consent from data subjects is one of the key requirements for the processing of personal information in China. As with the current PI Specification, the new PI Specification distinguishes between "consent" (a general requirement for the processing of personal information) and "explicit consent" (required in specific circumstances, e.g. the processing of personal sensitive information). However, the distinction between the two is not very clear under the current PI Specification: whereas "explicit consent" is clearly defined as a written statement or other positive action indicating consent, there is no separate definition of "consent".

The new PI Specification clarifies that "consent" includes both positive action (i.e. explicit consent) and passive inaction (e.g. remaining on a website after being informed that data will be collected during its use). This confirms that, in circumstances where explicit consent is not required, consent implied from conduct is acceptable.

Exceptions to consent:

There have been certain uncertainties around the exceptions to consent under the draft revisions to the PI Specification, in particular, the question of whether "contractual necessity" would be regarded as an exception. The new PI Specification confirms that this would remain as an exception where processing of personal information would be necessary for the execution or implementation of a contract as requested by the data subject.

Seeking consent for multiple business functions:

Specific consent requirements are introduced when service providers provide products or services with multiple business functions (the concept of "business function" is introduced to describe different services that meet user requirements e.g. map navigation, instant messaging, online payment, etc). In particular, data controllers with products or services that provide multiple business functions should:

  • Not collect bundled consent;
  • Obtain explicit consent by requiring users to provide affirmative action by voluntary choice;
  • Provide easy withdrawal option;
  • Not repeatedly seek consent from data subjects who do not give consent, or who have withdrawn from a business function;
  • Not suspend or reduce the quality of other business functions if a data subject refuses to give consent for one business function;
  • Not "force" consent from data subjects by reason of improving service quality or user experience, improvement of security, etc.

2. Personal sensitive information and personal biometric information

Under the PI Specification, more onerous requirements apply to the processing of personal sensitive information. In this regard, it is noteworthy that the scope of "personal sensitive information" has been updated. In particular, the new PI Specification removed "network identification information" such as system account, email address, passwords etc. from the definition. Personal mobile phone number has also been removed. New items of information included are: contact lists, friends lists and group lists.

The new PI Specification also incorporates new provisions addressing the protection of biometric information (e.g. an individual's genes, fingerprint, iris, facial recognition feature, etc.). In addition to the requirement to obtain explicit consent, additional requirements must be satisfied prior to sharing or transferring such information to third parties. There is also guidance on retention of biometric information e.g. retaining only abstract information, deleting the raw data etc.

3. Restrictions on user profiling and personalised display, data aggregation and automatic decision-making mechanism

Under the previous draft revisions to the PI Specification, a number of restrictions and requirements were proposed around the adoption of user profiling, personalised display and data aggregation. The new PI Specification adopts the proposed changes, e.g. limiting the types of information that may be used for profiling and requiring a DPIA before conducting data aggregation (see our analysis here).

The new PI Specification also includes a requirement to conduct a DPIA before adopting automatic decision-making, and to set up mechanisms for manual verification of the results.

4. Data Subject Rights

Under the current PI Specification, data subjects have a specific right to cancel their account with the data controller. The new PI Specification sets out additional requirements for data controllers when responding to a data subject's request to cancel his or her account, e.g. to respond within 15 days.

As with the data protection laws of many jurisdictions, data controllers have the right to refuse to respond to data subject requests under certain circumstances. The new PI Specification introduces some new grounds for refusal, e.g. where a data controller has sufficient evidence to show that a data subject's request is based on malicious intent or abuse.

5. Data breach notification

In addition to data breach notification to relevant authorities where required (as set out under separate regulations depending on the severity of the breach), a data controller is required to notify data subjects. The new PI Specification clarifies that notification to data subjects should be made when a data breach might cause significant harm to the data subjects (e.g. if a breach involves unauthorised disclosure of personal sensitive information). This would mean that notification to data subjects would not be required for all types of data breach.

6. Organisational measures on data protection

New/revised measures are introduced under the new PI Specification relating to data protection governance, some of which are very similar to requirements under the GDPR, including:

  • DPO: additional professional requirements are introduced and the threshold criteria for dedicated persons in charge and departments for data protection have been increased;
  • Privacy by design: data controller is required to take into account all data protection requirements in the design, development and trial of any product or service that facilitates the collection and processing of personal information; and
  • Data processing record: a new requirement is introduced for data controllers to maintain and update a data processing record.

The PFI Specification

The PFI Specification sets out additional privacy and cybersecurity requirements on the life cycle of PFI collected and processed by Financial Industry Institutions. It came into force on 13 February 2020.

1. PFI: Definition and Classification

"PFI" is defined as personal information collected, processed and stored by a Financial Industry Institution (i.e. licensed financial institutions in China and other relevant organisations that process PFI) through the provision of financial products and services or any other means.
PFI is further classified into three categories, summarised below, according to its level of sensitivity; each category is subject to a different level of regulation.

Categories (from high to low sensitivity), with scope description and examples:

  • C3 – User authentication information. Examples: bank card information (e.g. track data, card verification number (CVN)); passwords for payment, security and insurance accounts; biometric information for user authorisation.
  • C2 – User identity and financial status information, and key information related to the use of financial products and services. Examples: payment account number; account usernames; ancillary information (e.g. dynamic password); personal financial information (e.g. account balance); transactional information; photos and video for KYC purposes.
  • C1 – PFI for internal use by the Financial Industry Institution. Examples: account opening time, opening institution, etc.

2. PFI Lifecycle: Security Technology and Management Requirements

The PFI Specification outlines some general technical and operational security requirements for all categories of PFI and advanced requirements for C2 and/or C3 categories during their data processing lifecycle. For example:

  • Collection: Explicit consent is required.
  • Transmission: Data localisation requirements apply to PFI processing activities. In case of data export for business purposes, specific obligations (e.g. consent, security assessment) should be complied with.
  • Storage: C3 information generally may not be stored unless authorised by the data subject, and where it is stored, encryption measures must be adopted.
  • Usage: Filtering and desensitisation are recommended before PFI is displayed or shared; entrusted processing of C2 and C3 information by third parties is subject to specific restrictions, e.g. maintaining and keeping records of processing by third-party processors.
  • Deletion and destruction: A clear management policy on data destruction should be adopted and a PFI destruction record should be maintained.

Observations

Both specifications are recommended national/industry standards that do not have the force of law, but compliance with them is influential when determining compliance with the data protection obligations under the Cyber Security Law in China.

The new PI Specification is considered an instrumental step towards the implementation of dedicated data protection and security laws in China. In particular, the Personal Information Protection Law and Data Security Law are both listed on the 2020 legislative agenda. Organisations in China should keep pace with the fast developing data protection and cybersecurity regulations.

Given the sensitivity of PFI, most of which is deemed personal sensitive information, the collection and processing of PFI are subject to more stringent regulation and enforcement in China. Enforcement actions taken in the past year have shown a particular focus on the financial sector, and the PFI Specification provides much-needed further guidance to Financial Industry Institutions.