On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.
Even though, upon reaching final form and taking effect, the Guideline will not be a mandatory regulation, it nonetheless has a key implementing role in relation to the PRC Cyber Security Law (the “CSL”) and the Administrative Measures for the Multi-Level Protection of Information Security (the “Multi-Level Protection Measures”) in respect of protecting information systems and personal information in China.
The MPS has long been involved in data security through its multi-level protection system under the Multi-Level Protection Measures, but it has not to date exercised a great deal of power over matters of personal information protection. The draft Guideline therefore represents the MPS’s most recent major foray into this area. The draft Guideline has three major parts:
- management mechanisms
- technical measures; and
- specific requirements/processes in handling personal information.
In this update we address the key requirements in relation to these three areas. To achieve some unity across these disparate areas, the draft Guideline draws on (and cites explicitly) Information Security Technology – Baseline for Classified Protection of Information System (GB/T 22239-2008) and Information Security Technology – Personal Information Security Specification (GB/T 35273-2017).
In relation to management mechanisms, the draft Guideline requires a personal information controller to establish:
- sound management mechanisms to protect both its information systems and the personal information it collects; and
- internal management regulations and structures to protect information systems and personal information. Such regulations and structures are envisaged to include regulations concerning personal information protection, regulations for personnel’s daily management of personal information, personal information management structures and incident response plans.
In addition, the draft Guideline lays down certain ground rules in relation to establishing posts in management bodies, the hiring of management personnel, the departure of management personnel, and external personnel access.
In relation to technical measures, the draft Guideline requires that each personal information controller:
- is to adopt certain technical measures to protect its information systems and personal information;
- should comply with the Level 3 standard under the Information Security Technology – Baseline for Classified Protection of Information System in order to protect its information systems;
- should adopt password technology to ensure the confidentiality of personal information segments, or the entire message during the transmission process; and
- should deploy intrusion prevention devices at the boundaries of personal information processing systems to detect, prevent, or limit external and internal cyber-attacks. It is also required that personal information processing systems and devices storing personal information should use a combination of two or more authentication technologies, such as passwords, cryptographic technology, or biometric verifications, to identify the user, and at least one of the adopted authentication methods should contain cryptographic techniques.
Specific requirements and processes in handling personal information
The draft Guideline’s requirements in relation to specific requirements/processes in handling personal information mainly focus on personal information protection, including personal information collection, storage, use, third party entrusted processing, information sharing and transfer, disclosure and emergency response. Such requirements broadly overlap requirements under the Information Security Technology – Personal Information Security Specification.
Under the draft Guideline:
- a personal information controller should inform the personal information subject regarding the purposes, scope, the method and means, and the processing methods, of data collection. The collected personal information should be processed with appropriate security procedures, such as encrypted storage. The use of personal information should comply with relevant contracts and requirements signed with the personal information subject and should not exceed the agreed scope;
- prior to any sharing and transferring of personal information, a personal information controller should obtain the authorisation and a consent letter from the personal information subject and it should also inform the subject regarding the purposes of the transfer, the type of the information recipients, etc; and
- where there is any information leak, the affected personal information subject should be duly informed.
Although the draft Guideline will not be a mandatory regulation, we consider that it could be regarded as an example of good practice and practical supplementation guidance under the framework envisaged by the CSL.
There are other PRC authorities who have already looked at aspects of the protection of personal information protection, such as the Cyberspace Administration of China, the PRC Ministry of Industry and Information Technology and the State Administration for Market Regulation. It follows that a personal information controller may face supervision from several different PRC authorities in relation to personal information protection at the same time. It may also be the case that, in the future, different PRC authorities might wish to enact their own overlapping rules and that such rules may not be fully consistent. That could lead to uncertainties and challenges for a personal information controller seeking to fully comply with all the relevant PRC rules.
Given the Guideline is still in draft form, it may subject to further modification before it is finalised. As a legal team specialising on PRC data compliance, we will keep monitoring changes in relation to the draft Guideline and issue a revised update if necessary.