On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology - Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.
Though not legally binding, the Specification is considered best practice for private companies when formulating compliance programs. Furthermore, government enforcement authorities may, in practice, look to the Specification as a reference point for all companies when conducting enforcement.
In general, the structure of this Updated Draft Specification is the same as previous versions. The main changes relate to consent (Section 3.7), the prohibition against compelling users to consent to multiple business functions (Section 5.3), personalized display (Section 7.5), account cancellation (Section 7.12), data processing by a third party (Section 8.1), sharing and transferring personal information (Section 8.2), and co-controllers of personal information (Section 8.6).
Consent
The Updated Draft Specification clarifies appropriate formats for obtaining consent and provides that both expressed and implied consent are acceptable. In addition, oral as well as written statements are considered valid forms of consent.
Prohibition against Compelling Users to Consent to Multiple Business Functions
Under the Updated Draft Specification, data controllers are prohibited from requesting that data subjects consent to the collection of personal information for the purposes of improving service, upgrading data subjects’ personal experience, developing new products and enhancing security.
Personalized Display
When displaying business functions to data subjects, data controllers shall make an explicit distinction between personalized display and non-personalized display. Personalized display refers to activities that present information, such as search results, to the data subject based on the data subject’s personal information – such as the subject’s browsing history, interests and preferences, consumption records and habits.
For e-commerce services that display search results for products and services in a personalized format, the data controller shall also provide the option of displaying results based on non-personal factors.
If data controllers send news via push notification through personalized displays, they are no longer required to indicate “personalized display” or “targeted push” on the notification itself. However, data controllers shall provide a simple and straightforward way to withdraw from or close personalized display mode. If the data subject chooses to withdraw from or close personalized display mode, the data controller shall provide the option of deleting or anonymizing personal information used for targeted push activities.
Account Cancellation
The Updated Draft Specification provides more detailed requirements for facilitating account cancellation.
- Data controllers shall set up a convenient interactive page for account cancellation and respond to cancellation requests from the data subject in a timely manner.
- If the account cancellation needs to be processed manually, processing shall be completed within 15 days.
- Personal information required to verify identity for account cancellation shall not be more than that collected for registration and use of the service.
- Data controllers shall not place unreasonable conditions on, or make extra requests for, account cancellation.
- Data controllers shall clearly state how they handle the sensitive personal information collected for account cancellation (e.g., deletion or anonymization of sensitive personal information upon cancellation).
Processing by a Third Party
If the data controller is aware of or finds that the third party does not conduct data processing or protect personal information as required, the data controller shall stop the third-party processing of data and take effective remedial measures. Where necessary, data controllers shall terminate the business relationship with such a third party and request that the third party delete personal information obtained from the data controller.
Sharing and Transfer of Personal Information
Data controllers shall execute relevant agreements with data recipients specifying the data recipients’ rights and obligations. In cases where data controllers find that a data recipient has violated the law or the agreement, the data controller shall stop the data recipients’ processing of data and take effective remedial measures. Where necessary, data controllers shall terminate the business relationship with such data recipients and request that the data recipients delete personal information obtained from the data controller.
Co-controllers of Personal Information
In the event that the data controller and the third party are co-controllers of personal information, the data controller and the third party shall execute a relevant agreement specifying the respective obligations of the data controller and the third party regarding personal information protection. Data subjects shall be informed of these obligations. If the data controller fails to inform data subjects of the third party’s identity and the obligations of the data controller and the third party, the data controller shall be liable for the third party’s actions.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code