On May 26, 2022, the TC260 published the Draft Requirements for Privacy Policies of Internet Platforms, Products and Services ("Draft Requirements") for public consultation. The Draft Requirements flesh out the regime for privacy policies laid down in the Personal Information Protection Law ("PIPL") and the Personal Information Security Specification ("PIS Specification"), reiterating many of the existing requirements and adding those set forth in a range of app-specific regulations and recently published draft regulations that complement the PIPL. In particular, the Draft Requirements clarify the process for formulating and publishing privacy policies and the content a privacy policy must contain. If adopted, the Draft Requirements will likely be consulted by regulatory authorities and third-party assessment agencies when evaluating organizations' privacy policies.
Content of privacy policies
- Personal information collection list: a list of the types of personal information collected or processed by each service and business function. The list should distinguish, for each business function, the types of personal information that are essential from those that are non-essential. For each type, organizations should also state the method, frequency and timing of processing, and the possible impact on the individual of refusing the processing of that type of personal information.
- Transfer abroad: specify where personal information is used, stored and backed up. Any transfer of personal information outside mainland China must be conspicuously marked.
- List of external provision of personal information: a list explaining the sharing of personal information with third parties, describing in detail:
- the types and reasons for sharing and transferring personal information;
- recipients of personal information;
- the recipients' data management rules;
- recipients’ use of personal information;
- the security measures in place; and
- whether these data processing activities will result in high risks for the data subject.
- Storage: specify, separately for each type of personal information, the retention period or the method used to determine it.
- Exemption from consent: specify the circumstances in which sharing, transfer or public disclosure of personal information does not require consent (for example, law enforcement, security audits, or protecting data subjects against fraud or bodily injury).
Publication of privacy policies and other practical requirements
- Publication: privacy policies should be easily accessible and provided in Simplified Chinese. Users should be able to reach the policy in no more than four clicks from a website or app.