Hogan Lovells highlights how the Mainland’s new Personal Information Security Specification, which will come into force on 1 October 2020, raises the stakes for data protection in the Mainland.
Less than two years after the implementation of the ‘GB/T 35273-2017 Information Security Technology – Personal Information Security Specification’ (2017 Specification), the Mainland’s National Information Security Standardization Technical Committee (commonly known as TC260) released the final amended version on 6 March 2020 (2020 Specification), after issuing several drafts of amendments, which will come into force on 1 October 2020.
Although the 2017 Specification is not a mandatory standard, it is highly influential as a compliance tool for businesses active in the Mainland, as the authorities appear to be using it as a compliance yardstick in practice. Most laws in the Mainland, such as the Cybersecurity Law, only address data protection in very general terms. The more detailed requirements set out in the 2017 Specification (and now the 2020 Specification) serve an important role in bridging the gap between principles and practice, providing organisations with useful guidance on how to align their data protection programmes in the Mainland with the increasing demands of international data protection practice.
One of the most striking features of the 2020 Specification is how far its guidelines seek to move the Mainland’s data protection landscape towards the accountability requirements seen under the European Union’s General Data Protection Regulation (GDPR). But more significantly, in some respects the 2020 Specification threatens to exceed GDPR requirements. In particular, the 2020 Specification moves towards a forced ‘unbundling’ of consents, requiring separate, explicit ‘opt-in’ consents to each purpose for which personal data is being processed, with a specific focus on third-party access, biometric personal information, advertisement personalisation and other forms of digital marketing.
Fully forced unbundling of consents under the 2020 Specification
The 2017 Specification requires that information controllers who intend to collect personal information must obtain consent of information subjects. Moreover, voluntary, specific, and unambiguous consent from information subjects is required for the collection of sensitive personal information after informing them of how the information will be processed as part of:
- the core functions of the information controller’s product or service, and
- any ancillary processing purposes.
The 2020 Specification further develops the guidance in respect of unbundling by requiring information controllers to provide unbundled consents for the collection of all types of personal information (not just sensitive ones) relating to each separate business function offered to the individual.
Specifically, a single consent is sufficient for processing for all ‘basic’ purposes; however processing for ‘extended’ purposes would need unbundled and separate consent for each use case. The 2020 Specification recommends that a distinction be drawn between ‘basic’ and ‘extended’ processing purposes. ‘Basic’ processing purposes are defined based on the information subject’s primary needs and expectations of using the products or services. Though not expressly defined, ‘extended’ purposes should be taken to mean any other purposes not based on such primary needs and expectations, such as profiling and retargeting.
The 2020 Specification entitles information controllers not to provide products and services to information subjects that refuse to consent to collecting personal information for ‘basic’ purposes. To restrict information controllers from unreasonably expanding the scope of ‘basic’ purposes, the 2020 Specification clarifies that information controllers cannot subjectively determine the information subjects’ primary needs and expectations. Typically, upgrading services, enhancing the user experience and the research and development of new products are not ‘basic’ processing purposes.
Manufacturing consent – recommendations under the 2020 Specification
The 2020 Specification sets out further recommendations as to how organisations should obtain requirements on consent from information subjects.
- Affirmative action: consent must be based on the information subject’s affirmative action (such as voluntary clicking, ticking or entering the relevant information), as the condition for commencing the provision of specific business functions.
- Opting out: information controllers must provide easy-to-follow means through which business functions can be turned off or allow opting out.
- Requests to reconsider opt-outs: where information subjects refuse to opt in or opt out from any specific business function, information controllers must not send repeat consent requests within 48 hours.
- No reduction in quality: where information subjects refuse to opt in or opt out from any specific business function, information controllers must not suspend other business functions for which the information subject has opted in, or lower the service quality of such business functions.
- No forced participation in research and development: information controllers must not force an information subject to agree to the collection of his/her personal information for the sole purposes of improving service quality, enhancing user experience, developing new products, increasing security or other such purposes.
New requirements for personalised display and targeted advertising
‘Personalised displays’ are defined under the 2020 Specification to include features of digital interfaces such as personalised research results and other displays based on the information subject’s web browsing history, personal interests and so on. The 2020 Specification adds requirements on information controllers specifically targeting tailored results.
- Information controllers that provide ‘business functions’ must prominently differentiate personalised displays and non-personalised displays (for instance, by indicating words such as ‘pushing’).
- E-commerce operators that provide personalised recommendations or targeted search results shall also provide a means of opting out of such recommendations.
- Information controllers that push personalised news or information services must provide a straightforward opt-out method enabling the user to receive generic content instead. At the time of such opt-out, information controllers must also provide the information subject with an option to delete or anonymise personal information used for targeted advertising.
New requirements for access to platform data
If an information controller includes third-party products or services with personal information collection functions in its products or services, for example enabling businesses to operate applications and mini-programmes within its platform ecosystems, the following requirements under the 2020 Specification will apply:
- establish procedures for enabling secure access to data and access conditions, such as conducting security assessments
- specify, by entering a contract with the third-party product or service provider, the security responsibilities of both parties and the personal information security measures to be implemented
- indicate to information subjects that such products or services are provided by a third party
- preserve contracts and management records relating to third-party platform access, and ensuring that such information is made available to the relevant parties
- require third parties to obtain consent from information subjects and, when necessary, verify the methods through which said third parties satisfy this requirement
- require third parties to establish procedures for responding to requests for information and complaints made by information subjects
- monitor third-party information protection practices, require remediation where necessary and disable platform access if the third party fails to implement the information security requirements, and
- where a product or service is embedded in, or connected to, third-party automated tools (such as software development kits and mini- programmes), technical inspections and audits are recommended to be carried out, and access should be disabled if third-party activities exceed the scope of what has been agreed.
If the third parties do not obtain separate consents from information subjects for processing their personal information, then information controllers will be deemed as joint controllers with such third parties. Consequently the following requirements will apply:
- the personal information controller must confirm with the third party the personal information security requirements to be met, their respective responsibilities and duties in relation to personal information security, and expressly inform information subjects of
the same, and
- failing to expressly inform the information subjects of the above required information, the information controller must assume liability for any personal information security issues created by the acts or omissions of such third party.
New requirements regarding processing by a third party
Under the 2020 Specification, an information controller is responsible for taking immediate action against a third-party processor who processes data on its behalf if it becomes aware that the processor has failed to process personal information according to its requirements, or has failed to perform its duties to protect the security of personal information.
Also, if an information controller discovers that a data recipient that has received, shared or transferred data has processed the personal information in violation of laws or agreements between the parties, the information controller must take immediate actions, such as requiring the third-party processor or data recipient to discontinue the relevant conduct and, when necessary, terminating its business relationship with the third-party processor or data recipient.
Revising the examples list of sensitive personal information
The scope of ‘sensitive personal information’ under the 2020 Specification is broader than the concept typically seen in the international context, including identification card numbers, biometric information, bank account details, communications records, property details, credit reference information, location data, transaction data and personal data of children under the age of 14.
Compared to the 2017 Specification, the 2020 Specification removed personal phone numbers, email addresses, online identity information and information relating to personal health from the list of sensitive personal information, but at the same time, added address books, friends lists and lists of groups into the list.
Separate requirements on processing of biometric personal information
The 2020 Specification adds new requirements regarding biometric personal information, which is now widely used in many identity authentication scenarios, such as unlocking smart phones and paying bills. Due to its nature of uniqueness, additional protections are urgently needed to secure biometric data from unauthorised access and misuse.
- Definition: biometric personal information is defined as personal genes, fingerprints, voice prints, palm prints, auricle, iris, facial recognition features and so forth.
- Collection of biometric personal information: the collection of biometric personal information faces more stringent requirements than those for sensitive personal information, including (i) separately informing the information subject regarding the purpose, method, scope and the storage period for which such information is collected and used, and (ii) obtaining explicit consent prior to collection and use.
- Processing of biometric personal information: biometric personal information must be stored separately from identification information. In principle, raw biometric personal information (for example, samples and images) must not be stored. Furthermore, biometric personal information must not be shared or transferred unless it is necessary to do so due to business needs and explicit consent has been obtained from information subjects. Lastly, no biometric personal information may be publicly disclosed.
Elevating the position of data protection officer
The 2020 Specification requires information controllers to appoint a dedicated data protection officer (DPO) in cases of organisations principally engaged in the processing of personal information and employing more than 200 individuals, organisations processing the personal information of more than one million individuals, or processing sensitive personal information of more than 100,000 individuals. It further requires the DPOs to be experienced and knowledgeable in personal information protection – such officers shall be involved in important decision-making relating to the processing of personal information, and will directly report to the chief person-in-charge of the organisation.
Overall, what emerges from the 2020 Specification is that the Mainland appears to see some value in hitching a ride on the GDPR train, but with heavier emphasis on certain ‘hot button’ issues that are perceived as particularly problematic in the Mainland, like ‘pushed’ personalisations and empowering information subjects to opt out. In that sense the Mainland may have partially decoupled from the GDPR train, pursuing its own agenda for data protection.
The direction of travel is clear from the 2020 Specification. The amendments in relation to unbundled consents are largely directed at online data collection, striving to seek a balance between allowing the Mainland’s internet economy to continue to grow and innovate, and at the same time providing transparency and security to internet users. These changes raise the stakes for data protection in the Mainland significantly. Forcing an unbundling of consents for these types of ‘extended’ processing models and mandating an opt-out from advertisement personalisation will have a significant impact on the Mainland’s internet economy, both for the leading platforms who maintain thriving ecosystems based on these technologies, and for the brands and marketers seeking to extract data-driven business value from platform interactions. The amendments in this area to the 2020 Specification have raised a significant debate in the Mainland and this area in particular is one to watch.
Andrew McGinty, Philip Cheng, Sherry Gong, Mark Parsons, Maggie Shen,
Copyright: Hogan Lovells