What is China’s Personal Information Security Specification?

What is China’s Personal Information Security Specification?
September 22, 2021 | 6 minutes read

China’s Personal Information Security Specification, also known as The Specification for short, is a Chinese data security law that came into effect in 2018. In the same vein as other privacy laws around the world such as the EU’s General Data Protection Regulation or GDPR or Personal Information Protection and Electronic Documents Act or PIPEDA, the Personal Information Security Specification was passed to create a baseline for the protection of personal information and data within China. Issued by China’s National Information Technology Security Standard organization known as TC260, the law was developed and drafted by a team with input from both local and national cybersecurity and audit and standards organizations, prominent internet companies, government ministry research units, and major universities within the country.

What is the scope and application of the Personal Information Security Specification?

The Personal Information Security Specification applies to all business entities and organizations that collect the personal information or data of Chinese citizens. Under The Specification, personal information is defined as “names, dates of birth, identity card numbers, biometric information, addresses, telecommunication contact methods, communication records and contents, account passwords, property information, credit information, location data, accommodation information, health and physiological information, transaction data, etc”. What’s more, all forms of information, whether recorded electronically or by other means, that can be used alone or in combination with other forms of information to identify “a specific natural person or reflect activities of a specific natural person” also constitutes personal information under the law.

Alternatively, The Specification also defines sensitive personal information to mean “identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the PI of children 14 years of age or under”. To this end, any form of personal information that was “once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination” also constitutes sensitive personal information under the law.

What are the requirements of business agencies and organizations under The Specification?

Under China’s Personal Information Security Specification, businesses and organizations that collect the personal information and sensitive personal information of Chinese citizens must adhere to a variety of data protection principles when collecting, processing, and disclosing said data. These principles include the following:

  • Commensurability of Powers and Responsibilities Principle– Organizations and business entities must bear the responsibility for any damage that occurs during the course of information collection, processing, or disclosure.
  • Purpose Specification Principle– Personal information can only be processed for specific, justified, necessary, and legal purposes.
  • Consent Principle– Organizations and business entities are responsible for obtaining consent from data subjects, as well as providing said data subjects with specific information regarding the scope, method, purpose, and rules for data processing.
  • Minimization Principle– Organizations and business entities are only permitted to process the minimum types and quantities of personal information necessary to fulfill the purposes for which said data was collected, and in conjunction with the purposes for which consent was obtained from a data subject, unless a data subject also consents to further processing of their personal information.
  • Openness and Transparency Principle– The scope, rules, purpose, and other pertinent information related to a business or agency that is collecting the personal information of Chinese citizens must be made publicly available in a manner that is explicit, intelligible, and open to outside supervision.
  • Ensuring security principle– Organizations and business entities who collect the personal information of Chinese citizens must take into account the risks involved in processing said personal information, as well as develop and implement appropriate security, technical, and management measures to safeguard the integrity, confidentiality, and availability of personal information in their possession.
  • Subject Participation Principle– Organizations and business entities who collect the personal information of Chinese citizens must also provide data subjects with the means to access, correct, delete, withdraw consent from, and close accounts that contain said data subject’s personal information.

What are the rights of Chinese citizens under China’s Personal Information Security Specification?

Under China’s Personal Information Security Specification, Chinese citizens are afforded a variety of rights in relation to their data privacy and protection. Some of these rights include:

  • The right to access– Organizations and business entities are responsible for providing data subjects with access to the types of personal information they have in their possession regarding said data subjects, the sources of said personal information, the purposes for which the personal information is being used, and the identity of any third party who has also accessed this personal information.
  • The right to rectification– Organizations and business entities are responsible for providing data subjects with an avenue for recourse for the means of rectification, in the event that personal information they hold relating to said data subjects is found to be incomplete, inaccurate, or erroneous.
  • The right to deletion– Organizations and business entities must delete a data subject’s personal information if said personal information was obtained in an unlawful manner, if the personal information has been used in a context outside of what was set forth at the time in which the data subject granted consent, or if the personal information has been shared with a third party or otherwise disclosed to another entity without first obtaining consent from the data subject in question.
  • The right to withdraw consent– Organizations and business entities are responsible for providing data subjects with a method with which they can use to withdraw consent to the access of their personal information, as well as ensuring that a data subject’s personal information is no longer processed after their consent has been withdrawn.
  • The right to de-registration– Organizations and business entities that provide products or services through registered accounts are responsible for providing data subjects with a means of de-registering from said accounts. This method for de-registration must be easy to operate.
  • The right to obtain a copy of personal information– Organizations and business entities are required to provide data subjects with a copy of their personal information upon request.
  • The right to receive a response to requests for information– After a business entity or organization has verified the identity of a particular data subject, they are then responsible for responding to their request for information within a timely manner that does not exceed 30 days from the point of initial contact.

What are the penalties for violating China’s Personal Information Security Specification?

While the Personal Information Security Specification does not outline specific punishments for violations of the law, organizations, individuals, and business entities who have been proven to be non-compliant are subject to prosecution from the Supreme Court of China in practice. To illustrate this point further, In April of this year, a law professor visiting a zoo in China sued said zoo for attempting to collect his facial recognition information. As a result, the court ruled that the zoo should delete the plaintiff’s biometric information, as the collection of such personal information is “unnecessary for the performance of the consumer contract between the zoo and the plaintiff”.

In accordance with The Chinese Cybersecurity law, the Personal Information Security Specification functions as the privacy means of protecting the personal data rights of Chinese citizens. Through these two laws, there are various standards that businesses and organizations that operate both within and outside of China must adhere to at all times when collecting, processing, accessing, and disclosing personal information. As these two laws in conjunction with one another offer protections similar to the EU’s landmark General Data Protection Regulation or GDPR, Chinese citizens are afforded a level of privacy protection that many other countries have yet to adopt.