On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”), which will become effective on October 1, 2020.[1] The updated Specification supersedes the current Specification,[2] which has been in effect since May 1, 2018, and is the result of a revision effort by the Specification’s drafters that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and, most recently, October 22, 2019, in order to address certain loopholes and practices leading to excessive collection of personal information.
The updated Specification contains several new or modified requirements, some of which were first introduced in the prior interim drafts, that are likely to impact app developers, app platform or “super app” operators, and content platforms. These include:
- a detailed framework for informing and obtaining consent from data subjects by differentiating core and non-core functions, and prohibiting data controllers from requiring users to give consent for non-core functions in order to access core functions, a practice also known as “bundled consent”;
- a data protection framework for app platforms, third party apps, products or services that are connected to or operate on a platform, including specifying new requirements for the use of third party login services and requiring the platform to (i) assess the data protection capabilities of such connected third party apps, products or services, (ii) put in place a data processing agreement with the developers of such connected third party apps, products or services, and (iii) be jointly liable as joint data controllers with the developers of such connected third party apps, products or services unless appropriate measures are taken;
- new requirements for the collection, use, and transfer of personal biometric identification information (facial recognition, fingerprint, voiceprint, handprint, earprint, iris identification, genetic information, etc.), including separate notification to data subjects of and obtaining express consent for collection of such information, and new storage requirements for such information; and
- new requirements for displaying personalized content, such as personalized news feeds, content recommendations, and search results, including offering an option to opt-out of personalized content displays.
The updated Specification puts into practice the recent trend away from the general, overarching, one-size-fits-all consent and privacy policy language covering all current and future business operations that has become ubiquitous in the digital economy. Going forward, the updated Specification suggests that personal information controllers will need to determine more carefully which functions are core and which are non-core, identify clearly what personal information is collected for core and for non-core functions, and give users more choice to opt out of non-core functions if they choose not to share the personal information required for those non-core functions.
Although compliance with the Specification is voluntary and not a legal requirement, in practice government regulators tasked with enforcing China’s data protection and privacy laws do refer to the Specification for enforcement guidance, and thus the Specification serves as important recommended guidance for companies on how to comply with China’s data protection and privacy laws when collecting, processing, using, and transferring personal information in China. Companies that collect and use personal information when conducting business in China are advised to review the changes in the Specification and update their privacy policies and data practices in China to address the changes.
[1] GB/T 35273-2020 Information Security Technology – Personal Information Security Specification
[2] GB/T 35273-2017 Information Security Technology – Personal Information Security Specification