Currently, there is no specific data protection law in China; rules relating to personal data protection are found in different laws and regulations. Some weeks ago, on 1 June 2017, the new Cybersecurity Law entered into force. We already wrote about it here.
Recently, a new draft of a Standard called “Information security techniques – personal information security specifications” (unofficial English translation) was published on the official website of the National Information Security Standardization Technical Committee.
This draft Standard contains definitions and requirements regarding personal data. The draft Standard is not expected to apply to organizations that have fewer than 10 employees and process the personal information of fewer than 10,000 individuals in any continuous 12-month period.
In accordance with Art. 3.1 of this document, Personal Information (个人信息) is information, recorded electronically or otherwise, that can be used alone or in combination with other information to identify a natural person. Examples given include name, date of birth, identity card number and personal account information, as well as information on biological characteristics, location, behaviour, address, phone number, fingerprint, iris, etc.
Interestingly, real estate information, bank card numbers and identification numbers belong to the same group of “personal sensitive information” (个人敏感信息) as health records (according to Art. 3.2 and table B.1 in annex B). The document states that sensitive personal information should be stored in encrypted form (Art. 7.1 c).
Transfer of personal information (个人信息转让) must be in accordance with the relevant provisions of the state (按照国家有关规定执行。). There is a privacy statement / policy example in annex C No.8: “Transfer of personal information. If there is a Transfer of personal information due to business needs, government and judicial regulation require detailed description of the types of data required for Transfer of personal information, as well as standards, agreements and legal mechanisms (contracts, etc.) for cross-border transmission compliance.”
Except where otherwise provided by laws or regulations, personal information should only be acquired with the express consent of the data subject (个人信息主体同意). Consent must be revocable: once it is withdrawn, the personal information should be deleted, except where laws or regulations require data retention.
Another rule about “transfer and disclosure of personal information” (个人信息转让) is contained in Art. 9: personal information and other important data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People’s Republic of China shall be stored within mainland China. Where business requirements make it absolutely necessary to transfer data outside the mainland, the security assessment measures jointly formulated by the State network information departments and the relevant departments of the State Council shall be followed, unless laws and administrative regulations provide otherwise.
The Standard is one of seven new draft “Information Security Technology” standards (also known as “TC260” standards).