The National Cybersecurity Standardization Technical Committee published the draft on its website and said the guidelines aim to serve as a reference point for “organizations involved in the processing, cross-border transfer and protection of sensitive personal information.”
China aims to build a comprehensive data governance framework focused on protecting critical data, including by imposing stricter restrictions on how companies collect and use sensitive personal information, while facilitating the free flow of less sensitive data to unlock its economic potential.
Alfred Wu, an associate professor at the Lee Kuan Yew School of Public Policy at the National University of Singapore, said the newly released guidelines were “broadly in the same vein,” adding that “top leaders are currently most concerned about data security and national security.”
Under PIPL, companies will need to obtain specific and individual consent to access sensitive personal information, and platforms that illegally collect personal information may be subject to suspension or termination by regulators.
Emmanuel Pernod Leplay, a data privacy consultant at Deloitte Cyber Risk in Paris, noted that the new guidelines provide specific examples of categories of data previously listed in the PIPL.
“The PIPL has often been criticised for being too vague, so this will clarify the rules and remove grey areas,” said Pernod Leplay, who holds a PhD in comparative data protection law from Shanghai Jiao Tong University in China.
The draft defines sensitive personal information as “personal information which, if leaked or used illegally, could easily violate an individual’s dignity or endanger their safety or property.”
The sensitive information covers eight categories, including biometrics, religious beliefs, specific identities, medical information, financial accounts, personal locations, personal information of minors under the age of 14, marital status, social credit information, undisclosed criminal records, and sexual orientation.
“The benefit for businesses is that the categories will be clearer, they will have a better idea of when they need to comply with certain requirements and it should also improve the protection of individuals’ personal data. This may result in greater trust in online financial and health services,” Pernod Leplay said.
According to Zeng Liangyuan, an associate professor of information and communications engineering at the University of Electronic Science and Technology of China, the guidelines can serve as a manual for handling sensitive information, including data classification and export issues.
“By following this guide, companies can ensure that their data processing activities are not only compliant with the law, but also secure and reliable.”
PIPL already makes it much more difficult and costly for technology companies to collect and use consumers’ personal data, and observers have compared its impact to that of the European Union’s General Data Protection Regulation, considered the world’s toughest privacy and security law.
Pernod Leplay said the guidelines were further evidence that “China has a wider list of sensitive data than other jurisdictions, such as the EU.”
For example, he explained, China considers things like financial data and real-time location information to be sensitive, but the EU does not.
According to the guidelines, financial account information includes bank account, securities, fund and insurance account numbers and passwords, as well as payment tracking information generated based on the account information.
Whereabouts information includes real-time precise location, GPS trail, and airline tickets.
In particular, Zeng said the guidelines emphasize the importance of considering the overall sensitivity of the information, recognizing that seemingly ordinary data can become sensitive when combined with other information.
“By taking this holistic approach, we can effectively protect individual privacy and security in a complex information environment.”
But there are still loopholes: “China does not consider political opinions to be sensitive data, but in the EU they are clearly sensitive data,” Pernod Leplay pointed out.
Singapore’s Wu said the guidelines were primarily aimed at regulating tech giants such as Tencent and Microsoft, but there were no clear checks on governments’ powers to regulate data, adding that “Western countries are particularly concerned about the potential misuse and abuse of personal data by governments.”
Tuesday’s guidelines described biometric information as a type of sensitive personal information that can include genetic information, fingerprints, voiceprints, iris scans, facial recognition features and gait.
Although detailed guidelines are in place, they are not binding law and their impact will ultimately depend on how well companies and authorities enforce the rules, analysts say.
Authorities “need to step up to actually enforce the new rules and make sure the obligations are a reality and not just on paper,” Pernod Leplay said, calling for more resources, manpower, oversight and regulation.
Financial, health care and e-commerce companies will need to have strong compliance programs and staff to enforce the rules, he noted, “but this staff is not easy to find. Training is key.”
Zeng agreed. He said the industry will need to upgrade its technological infrastructure, including data classification, encryption and access control systems, to fully comply with the guidelines, and staff training is also essential for correct application. Companies may also need to adjust their service processes and product features to meet the stricter information processing standards, Zeng said.
Effective implementation can be ensured through strengthened and regular government supervision and monitoring, Zeng added.