China Releases the First National Standards on Privacy Policy for Public Comment

Perkins Coie
The National Information Security Standardization Technical Committee issued a draft of the new national standards on May 26, 2022. The new draft—Information Security Technology: Requirements of Privacy Policy of Internet Platforms, Products and Services (Draft Requirements)—is available for public comment until July 25, 2022. The Draft Requirements document is China’s first national standard focusing on privacy policy and covers five aspects of compliance requirements: (1) the preparation procedures, (2) the privacy policy’s content, (3) release and visualization, (4) revision, and (5) the resolution of disputes over the privacy policy. The standards can serve as a reference point for companies drafting and implementing privacy policies for their products or services.

The main content of the Draft Requirements is as follows:

Procedures for the Preparation of Privacy Policy

A personal information processor (PIP) is required to follow the below procedures when preparing the privacy policy:

  • Establish a complete personal information security management system (ISMS), clarifying the responsible department or person involved in the preparation of the privacy policy, as well as the division of responsibilities;
  • Analyze the necessary personal information to be collected and used for products or services, and clarify the scope of necessary and nonessential information;
  • Conduct an advance personal information impact assessment (PIIA) for the processing of personal information that is likely to result in a high risk to personal information holders. Situations that may have a significant effect on the rights and interests of personal information holders include processing sensitive personal information, entrusting third parties to process personal information, and transmitting personal information overseas;
  • Establish and maintain a table or chart describing the processing of personal information for different types of services;
  • Establish a response mechanism regarding the rights of personal information holders (e.g., rights of inquiry, correction, and deletion);
  • Draft privacy policies in clear and easy-to-understand language with standardized numbers and diagrams; and
  • When there is a change to the rules of collection and use of personal information, update the privacy policy in a timely manner, proactively display and explain the reason for the update, and ensure that the previous versions can be accessed for review.

Contents of the Privacy Policy

The Draft Requirements propose that the privacy policy should include the following at a minimum:

  • Releasor and scope of application. These may include the identity and address of the PIP, the contact information of the person in charge of protecting personal information, the scope of products or services to which the privacy policy applies, the personal information holder types, and the effective date(s) of the privacy policy.
  • Summary. This usually includes the types of personal information collected by businesses or services, the main scenarios for providing personal information to third parties, the main ways for personal information holders to exercise their rights, and the main channels for personal information holders to file complaints and report.
  • Rules for collection and use of personal information. Among other responsibilities, the PIP should:
    • Refer to service types in the “Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (Apps)” to list in detail the types of services and specific businesses that collect and use personal information;
    • List the types of necessary and nonessential personal information collected by each business in the form of a personal information collection list;
    • Remind the personal information holders of the types of information involved when collecting sensitive information, such as an identification card, passport, driver’s license, other legal documents, and personal biometric information, and explain the purpose and rules of processing such information;
    • Explain the geographic area implicated in the use of personal information, such as the locations where personal information is stored and backed up, and the geographic scope involved in the process of personal information transmission (note: cross-border transmission needs to be listed separately or highlighted);
    • Indicate the expected retention period of different types of personal information or the method for determining the storage period of personal information, and the deadline for deletion or destruction of personal information; and
    • Provide a list of types of information that will be delivered externally, indicating whether personal information needs to be shared or transferred, the types of personal information and reasons for its inclusion, the recipient of personal information, the constraints and management guidelines set for the recipient, the purpose of the recipient’s use of personal information, the security measures taken in sharing and transferring personal information, and whether the sharing or transfer of personal information brings high risks to the personal information holders.
  • Rules for ensuring the security of personal information. The PIP should explain the security measures established for the protection of personal information, the personal information security regulations currently followed, the certifications obtained, and the possible security risks that may exist after the provision of personal information.
  • Rules for protecting the rights of the personal information holders. Explain the rights that the personal information holders have over their personal information, which include (but are not limited to) the scope of personal information from which personal information holders are allowed to choose when personal information is collected, used, and publicly disclosed, as well as the control permissions of the personal information holders to view, copy, correct, supplement, delete, etc.
  • Rules for cross-border transfer of personal information. Specify the types of data that need to be transferred across borders, and the standards, protocols, and legal mechanisms (contracts, etc.) that cross-border transfers must follow.
  • Rules for updating the privacy policy. This includes the procedures for updating the privacy policy and the circumstances arising from updates that will have a significant effect on the rights and interests of users. The PIP should explain the method used to notify personal information holders in a timely manner (suggested notification methods include push notifications, emails, text messages, etc.).
  • Contact details of the PIP. The PIP needs to clearly explain the channels for handling feedback and complaints related to personal information security issues, the time when the personal information holders can receive responses, and the external dispute resolution agencies (such as the courts in the jurisdiction where the PIP is located) and their contact information.

Release and Visualization of the Privacy Policy

The PIP should adhere to the following rules when publishing the privacy policy:

  • Proactively remind personal information holders to read the privacy policy before any information is collected;
  • Post the privacy policy on a webpage that provides simple, long-term access for personal information holders, include a simplified Chinese version, and ensure accessing the privacy policy does not exceed four mouse clicks;
  • Do not try to obtain a single consent from personal information holders for multiple services;
  • Remind personal information holders to reread the privacy policy when different types of services are opened;
  • Do not force collection of nonessential information or infringe on the rights of the personal information holders by updating the privacy policy; and
  • Make the summary of the privacy policy available through an interactive selection interface.

Revision of the Privacy Policy

When revising the privacy policy, the PIP should distinguish whether the revision of any privacy policy content will have a significant impact on the rights and interests of the users:

  • When the content revision will not result in a significant impact on the rights and interests of the users, the privacy policy should be updated and users should be notified in a timely manner; and
  • When the content revision will involve a significant impact on the rights and interests of the users, the PIP should openly solicit opinions from the public for a period of no less than 30 working days, fully adopt the opinions where applicable, revise and improve the privacy policy, announce whether the opinions have been adopted, and explain the reason for not adopting any opinions.

Resolution of Disputes Over the Privacy Policy

When the PIP receives feedback and complaints from personal information holders about the privacy policy, the PIP shall give a clear and explicit explanation to those personal information holders within five working days and provide external dispute resolution methods as requested by the personal information holders. In addition, the PIP should proactively provide work records that were created during the preparation of privacy policies to external dispute resolution agencies.

Takeaway

The Draft Requirements are closely related to the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) and have high significance in guiding all PIPs. We suggest that companies adjust the preparation procedures, specific content, release form, etc. of their privacy policies according to the Draft Requirements to reduce compliance risk. They should also monitor the latest developments in, and implementation of, China’s privacy policy requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising