16 Feb 2019
On 1 February 2019, the National Information Security Standardization Technical Committee (“NISSTC”) released the revised draft (“Revised Draft”) for the Information Security Technology – Personal Information Security Specification (National Standard GB/T 35273-2017, “Current Specification”) to seek public comments. The NISSTC is a technical work organization under the Standardization Administration (“SAC”) focusing on information security standardization in the specialized field of information security technology. The Current Specification, referred to by some industry players as China’s General Data Protection Regulation (“GDPR”), was released by the SAC on 29 December 2017 and became effective on 1 May 2018. Coincidentally, shortly thereafter, the EU GDPR came into effect on 25 May 2018. The Current Specification, as a recommended national standard, is not mandatory or legally binding. However, as the Current Specification was formulated with the participation of Alibaba, Tencent, Huawei and other information technology enterprises and through broad solicitation of comments from enterprises in the information technology industry in China, it has been adopted by many information technology industry players and has had relatively significant influence.
The Current Specification will be updated through the Revised Draft less than eight months after it first took effect. Some industry players see the Revised Draft as drawing further lessons from the provisions and implementation experience of the GDPR, while others consider that, because the Revised Draft is released before promulgation of the Personal Information Security Protection Law of the People’s Republic of China (“Personal Information Security Protection Law”), it will have a significant influence on relevant industry practice and may also influence the Personal Information Security Protection Law currently being drafted.
Full Swing Upgrade in Personal Information Protection
The Revised Draft is a full upgrade to the Current Specification, in that it raises new requirements on aspects of personal information including collection, processing, management and transmission, and refers to similar provisions of the GDPR in some aspects. The major revisions include:
Collection of Personal Information
Storage and Processing of Personal Information
Transfer and Sharing with Third Parties
Internal Management and Security Assessment
In terms of legislation, the Ninth Amendment to the Criminal Law of the People’s Republic of China, effective on 1 November 2015, defined the criminal liabilities faced by network service providers for divulging users’ personal information. The Cyber Security Law of the People’s Republic of China (“Cyber Security Law”), effective on 1 June 2017, set out several requirements on administering cyber security through relevant systems, marking a new milestone in China’s cyber security administration. In the meantime, the Personal Information Protection Law, the first such law in China, is currently being formulated and deliberated. The comment drafts for the Guideline for Internet Personal Information Security Protection and the Regulations on the Graded Protection of Cyber Security, released by the Ministry of Public Security in 2018, indicate that subsequent, more specific laws and regulations are also being formulated. It is expected that China will soon have established a legal system for the protection of personal information security, with the Cyber Security Law playing an anchor role and the Current Specification also playing a pivotal role within this system.