China Issues New Data Protection Standard


When the new Cyber Security Law was promulgated, it did not include a definition of personal information, and it was silent on other key issues required for transparent compliance. The National Information Security Standardization Technical Committee has recently released a new standard addressing personal information, thus potentially filling some of the gaps in the Cyber Security Law.

When the Cyber Security Law came into effect on June 1, 2017, it incorporated a number of articles on personal information protection. For instance, Chapter Four, "Cyber Information Security", devotes five articles to regulating in principle how a network operator should collect, use and store personal information. Furthermore, Article 64 of the Cyber Security Law provides for liability for infringing personal information, which includes warnings, confiscation of illegal gains, fines and so on. However, when it comes to defining the meaning and scope of personal information, it states only a general definition: personal information refers to various kinds of information, in electronic or other form, that can identify a certain natural person's identity or reflect a certain natural person's activity, whether on its own or in combination with other information. Considering that people spend more and more time online, leaving all kinds of information and traces by visiting a webpage or using an online service, what kind of information can be categorized as protected "personal information" needs to be further specified.

It has recently been reported that the National Information Security Standardization Technical Committee issued a national standard titled Information Security Technology - Personal Information Security Specification (GB/T35273-2017, the Specification) on December 29, 2017. The Specification covers the collection, storage, use and deletion, as well as the handling, of personal information. This article focuses mainly on the definition of personal information in the Specification, since that definition lays the groundwork for the whole Specification and may become a reference for the Chinese authorities when identifying the scope of personal information.

The Specification defines "personal information" as various kinds of information, in electronic or other format, that can identify a certain natural person's identity or reflect a certain natural person's activity, whether on its own or in combination with other information. It also introduces the definition of "personal sensitive information", which means personal information that, once disclosed, illegally provided or abused, may endanger personal and property safety and can easily result in damage to personal reputation, physical or mental impairment, discriminatory treatment and so on.

It is worth noting that, in order to further illustrate the scope of personal information and personal sensitive information, the Specification incorporates informative annexures that give detailed examples of such information:

Personal Information

In Annexure A of the Specification, two routes are provided for determining whether information should be identified as personal information: one is identification, meaning that a certain person can be identified from the characteristics of the information; the other is association, meaning information generated by a certain person's activities. Information that falls into either of these categories can be determined to be personal information. More specifically, personal information includes the following types of information:

1. Personal basic information: Name, birthday, sex, ethnicity, nationality, family relationships, address, telephone number, email address etc.;

2. Personal identity information: ID card, officer's identity card, passport, driver's license, work card, entry card, social security card, residence card etc.;

3. Personal biological identifying information: Personal genes, fingerprint, voiceprint, palm print, earflap, iris, facial characteristics etc.;

4. Online identity information: System account, IP address, email address and relevant code, password, password protection answer, user's personal digital certificate etc.;

5. Personal health and physical information: Relevant records generated from medical treatment due to illness, such as disease, hospitalization record, doctor's order, inspection report, surgery and anesthesia record, care record, medicine record, medicine and food allergy information, maternity information, illness history, treatment situation, family illness history, current illness history, infectious disease history and so on; as well as relevant information concerning personal health, and weight, height, lung vital capacity etc.;

6. Personal education and work information: Personal occupation, title, work unit, education, degree, education experience, work experience, training record, transcript etc.;

7. Personal property information: Bank account, identifying information (password), deposit information (including amount, payment and receiving record etc.), house information, credit and loan information, reference information, transaction and consumption record, bank statement, and virtual property information, such as virtual currency, virtual transactions, exchange codes for games etc.;

8. Personal communication information: Communication records and content, SMS, multimedia messages, email, and data describing personal communication (metadata) etc.;

9. Contact information: Contact records, friend list, group list, email address list etc.;

10. Personal Internet surfing record: User's operation records stored in log files, including website cookies, software use records, click records etc.;

11. Personal commonly used equipment information: Information describing the basic circumstances of personal equipment, such as hardware serial number, the equipment's MAC address, software list, unique equipment identifying code (e.g. IMEI/android ID/IDFA/OPENUDID/GUID, SIM card IMSI information etc.);

12. Personal location information: Including tracks, precise positioning information, lodging information, latitude and longitude etc.;

13. Other information: Marriage, religion, sexual orientation, unpublished crime record etc.

Personal Sensitive Information

In Annexure B of the Specification, personal sensitive information refers to personal information that, once disclosed, illegally provided or abused, may endanger personal and property safety and can easily result in damage to personal reputation, physical or mental impairment, discriminatory treatment and so on. As a rule, the personal information of children under the age of 14 and the private information of a natural person are treated as personal sensitive information.

It provides three angles from which to determine whether information should be identified as personal sensitive information:

Disclosure: once such information is disclosed, the subject of the information, or the organization/institution that collects and uses it, loses control of that personal information, causing uncontrollable spread and use of it. Furthermore, where some personal information is disclosed and directly used, or analyzed along with other information, in a way that is against the wishes of the subject of the information and may bring great risk to the subject's rights and interests, such information shall be determined to be personal sensitive information.

Illegal provision: where some personal information may bring great risk to the rights and interests of the subject of the personal information because it is spread outside the scope authorized by that subject, such information shall be determined to be personal sensitive information.

Abuse: where some personal information may bring great risk to the rights and interests of the subject of the personal information when it is used outside the authorized and reasonable scope (e.g. changing the processing purpose, expanding the processing scope etc.), such information shall be determined to be personal sensitive information.

More specifically, personal sensitive information includes the following types of information:

1. Personal property information: Bank account, identifying information (password), deposit information (including amount, payment and receiving record etc.), house information, credit and loan information, reference information, transaction and consumption record, bank statement, and virtual property information, such as virtual currency, virtual transactions, exchange codes for games etc.;

2. Personal health and physical information: Relevant records generated from medical treatment due to illness, such as disease, hospitalization record, doctor's order, inspection report, surgery and anesthesia record, care record, medicine record, medicine and food allergy information, maternity information, illness history, treatment situation, family illness history, current illness history, infectious disease history and so on; as well as relevant information concerning personal health etc.;

3. Personal biological identifying information: Personal genes, fingerprint, voiceprint, palm print, earflap, iris, facial characteristics etc.;

4. Personal identity information: ID card, officer's identity card, passport, driver's license, work card, entry card, social security card, residence card etc.;

5. Online identity information: System account, email address and relevant code, password, password protection answer, user's personal digital certificate etc.;

6. Other information: Personal phone number, sexual orientation, marriage, religion, unpublished crime record, communication records and content, tracking, webpage viewing records, lodging information, precise positioning information etc.

Comment

It is worth pointing out that the Specification inherits the concept of personal information but further illustrates the concept by listing a series of detailed examples; it also introduces the concept of personal sensitive information, which is closely related to personal information. Although this Specification is recommended rather than mandatory, there is no doubt that such illustration will be helpful in identifying personal information and personal sensitive information during their collection and use, as well as in addressing compliance issues under the Cyber Security Law and related regulations. This Specification will come into effect on 1 May 2018.

ABOUT THE AUTHOR: Fei Dang
Fei Dang is an Associate in the MMLC Group.
