In further tightening of the personal information protection regulatory regime in China, the State Administration for Market Supervision and the Standardization Administration of China have jointly issued a new version of the National Standard Personal Information Security Specification (“2020 PIS”) on 6 March 2020. The 2020 PIS will come into force on 1 October 2020. This alert highlights certain key changes in the 2020 PIS compared to the previous version originally implemented on 1 May 2018.
Biometric Identification Information
The 2020 PIS introduces new and more stringent requirements to regulate the collection, storage and sharing of “Biometric Identification Information” (“BII”), which includes facial recognition characteristics, fingerprints and voiceprints, etc. Before collecting BII, data controllers will be required to independently inform data subjects of the relevant rules of collection, usage and storage and obtain their explicit consent. This new requirement is in line with the recent regulatory trend of tackling the common malpractice of bundling consent for collecting personal information regardless of the
sensitivity of such information.
As elaborated in the 2020 PIS and its previous version, “explicit consent” refers to affirmative acts of the data subjects such as clicking/selecting the “agree” option, or otherwise proactively giving consent, whether in writing or verbally. Such consent is already required under the existing PIS where personal sensitive information is collected. The 2020 PIS does not provide concrete guidance on what qualifies as “independently” obtaining informed and explicit consent. Providing a separate pop-up box informing data subjects about the collection, usage and storage of BII and seeking consent might be a possible solution, but the sufficiency or suitability of such practice will depend on the facts and should be considered carefully.
Moreover, the 2020 PIS provides that original BII (e.g. specimens and images of fingerprints and facial recognition characteristics) should not be stored, but it has suggested some practical alternative measures, for example, storing only an abstract of the BII, using the BII at the point of collection to directly conduct identity verification, and immediately deleting the original BII collected after completion of the verification process. However, if storage of BII cannot be avoided, it should be kept separately from other types of personal information.
Sharing and assigning of BII is not recommended but, if required by business needs, data subjects must be independently informed and their explicit consent obtained.
Common marketing practices such as data consolidation, user profiling and personalized displays (e.g. displaying listings of products or services based on data subjects’ browsing history and consumption habits) will be scrutinized under the 2020 PIS. For instance, data controllers must obtain explicit and informed consent from data subjects before consolidating their data. In creating users’ profiles for marketing purposes, data controllers must avoid specifically identifying the individual data subjects. For example, data controllers should consider classifying data subjects based on their common characteristics such as age range and gender, instead of using their unique identification information to precisely identify each individual.
When offering personalized displays to data subjects based on their preferences, data controllers should clearly indicate that the displayed content has been customized and provide the option of non-personalized content at the same time. Examples of acceptable non-personalized displays suggested in the 2020 PIS include displaying products or services based on the geographical location of data subjects instead of their personal traits. Moreover, data subjects should be allowed to adjust the degree of personalized displays.
Other Key Issues
The 2020 PIS also requires that separate consents be obtained from data subjects where multiple business functions are offered by data controllers, rendering the common practice of requiring data subjects to provide bundled consent unacceptable. The rights of data subject are further boosted by:
A new prohibition on compelling data subjects to consent merely on the basis of improving service quality, enhancing user experience, developing new products, or enhancing security;
Refined procedures for data subjects to cancel their user accounts with data controllers, for example, account cancellation requests must be handled by data controllers within 15 working days, and data controllers may not impose additional or onerous burdens on data subjects for cancelling accounts, such as requiring data subjects to provide an accurate activity history.
The changes introduced in the 2020 PIS are a clear indication of the current enforcement priorities of the Chinese regulators. Businesses are strongly recommended to review their existing personal information protection practices and documentation and should take appropriate steps to manage the increasing compliance risks.
For further information, please contact:
Andy Yu, Deacons