DaHui Lawyers

English  |  中文

rss feed


Search This Section

16 Feb 2019

China’s “GDPR” Undergoes Major Upgrade – Revised Draft for Personal Information Security Specification Released

On 1 February 2019, the National Information Security Standardization Technical Committee (“NISSTC”) released the revised draft (“Revised Draft”) for the Information Security Technology – Personal Information Security Specification (National Standard GB/T 35273-2017, “Current Specification”) to seek public comments. The NISSTC is a technical work organization under the Standardization Administration (“SAC”) focusing on information security standardization in the specialized field of information security technology. The Current Specification, referred to  by some industry players as China’s General Data Protection Regulation (“GDPR”), was released by the SAC on 29 December 2017 and became effective on 1 May 2018. Coincidentally, shortly thereafter, the EU GDPR came into effect on 25 May 2018. The Current Specification, as a recommended national standard, is not mandatory or legally binding. However, as the Current Specification was formulated with the participation of Alibaba, Tencent, Huawei and other information technology enterprises and through broad solicitation of comments from enterprises in the information technology industry in China, it has been adopted by many  information technology industry players and has had relatively significant influence.

The Current Specification will be updated through the Revised Draft, in less than eight months since it was first implemented. To some industry players, the Revised Draft further draws lessons from the provisions and implementation experience of the GDPR, while others consider that as the Revised Draft is released before promulgation of the Personal Information Security Protection Law of the People’s Republic of China (“Personal Information Security Protection Law”), it will impose significant influence on relevant industrial practice, and further, may have certain influence on the Personal Information Security Protection Law currently being drafted.

Full Swing Upgrade in Personal Information Protection

The Revised Draft is a full upgrade to the Current Specification, in that it raises new requirements on aspects of personal information including collection, processing, management and transmission, and refers to similar provisions of the GDPR in some aspects. The major revisions include:

Collection of Personal Information

  • Specially restricting certain enterprises’ extensive collection of personal information, and prohibiting compulsory, bundling and packaging authorization.
  • Specially requiring distinguishing basic functions from extended functions. While the Current Specification has touched upon the concept of distinguishing core services from additional services, the Revised Draft requires further specifying the functions corresponding to the information collected. 

Storage and Processing of Personal Information

  • Specially requiring service providers to provide service opt-out channels which operate as conveniently to users as service opt-in channels.
  • Specifying a discretionary control mechanism of contents for personalized display and the personal information that such personalized display is based on – when a personal information subject elects to opt-out from the personalized display mode, the option to delete or anonymize personal information should be provided.

Transfer and Sharing with Third Parties

  • Establishing a management mechanism and workflow for third-party access and requiring specification of security liabilities through contracts and clear indication to users that products or services are from third parties; requiring third parties to obtain the authorization and consent from users for collecting their personal information. Requiring third parties to establish a mechanism to respond to personal information subjects’ claims and complaints and urging and supervising third parties to enhance their personal information security management, and to cease access when necessary. The requirements on third-party service providers in the Revised Draft are in many places similar to those on sub-processors set out in the GDPR.

Internal Management and Security Assessment

  • Requiring assessment of the impact on security as compared to the purposes for which personal information is collected and taking proper measures to protect personal information. The Revised Draft does not specify the requirements on personal information protecting measures. It is expected that the finally promulgated Revised Draft may refer to the formal draft of the Information Security Technology – Guide to Personal Information Security Impact Assessment (currently a comment draft).
  • Specifying requirements on institutions and specialized responsible persons for the protection of personal information.
  • Recommending the establishment of personal information processing records.


In terms of legislation, the Ninth Amendment to the Criminal Law of the People’s Republic of China, effective on 1 November 2015, defined the criminal liabilities faced by network service providers for divulging users’ personal information. The Cyber Security Law of the People’s Republic of China (“Cyber Security Law”), effective on 1 June 2017, set out several requirements on administering cyber security through relevant systems, symbolizing a new milestone of China’s cyber security administration. In the meantime, the Personal Information Protection Law, the first ever such law in China, is currently being formulated and deliberated. The comment drafts for the Guideline for Internet Personal Information Security Protection and the Regulations on the Graded Protection of Cyber Security, released by the Ministry of Public Security in 2018, indicate that the subsequent and specific laws and regulations are also being formulated. It is expected that China will soon have established a legal system for the protection of personal information security with the Cyber Security Law playing an anchor role,  and the Current Specification also playing a pivotal role in this system.

› More Insights