Regulatory policy

CHINA: Draft Privacy Policy Rules Released – Is Your Privacy Policy Compliant?

On May 26, 2022, the TC260 published the Draft Confidentiality Agreement Requirements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory regime for privacy policies proposed in the Personal Information Protection Act (“PIPL”) and the Specification of personal information (“SIP Specification”), reiterating many existing requirements and adding requirements drawn from a wide range of implementing regulations and recently released draft regulations that complement the PIPL. In particular, the Draft Requirements clarify the processes for formulating and publishing privacy policies, as well as the content a privacy policy must include. If adopted, the Draft Requirements will likely be consulted by regulatory authorities and third-party agencies when evaluating organizations’ privacy policies.

Content of privacy policies

As provided by the Draft Requirements, the key (non-exhaustive) content to include in a privacy policy is:

  • Summary: highlighting the key content of the privacy policy. This generally includes categories of personal data processed by key functions, data sharing with third parties, approach to exercising data subject rights, complaint channels, etc.
  • Personal Information Collection List: a list of the types of personal data collected or processed by the services and business functions. The list should differentiate and separately list the essential and non-essential personal information collected by each business function. In addition, organizations should state the method, frequency and timing of processing for each type of personal data, and the possible impact on individuals of opting out of processing that type of personal information.
  • Transfer abroad: specify where personal information is used, stored and backed up. Any transfer of data outside mainland China must be visibly marked.
  • List of external provision of personal information: a list to explain the sharing of data with third parties, describing in detail:
    • the types and reasons for sharing and transferring personal information;
    • recipients of personal information;
    • recipient data management guidelines;
    • recipients’ use of personal information;
    • the security measures in place; and
    • whether these data processing activities will result in high risks for the data subject.
  • Storage: differentiate between the types of personal information when specifying their retention periods, or the method used to determine the retention period.
  • Exemption from consent: specify the circumstances in which the sharing, transfer or public disclosure of personal information does not require consent (for example, law enforcement, security audits, protection of data subjects against fraud and bodily injury, etc.).
  • Privacy Policy Changes: an amended privacy policy shall be posted on the official website or internet platform for at least 30 business days for public comment. For data controllers with more than 100 million daily users, any material privacy policy change must be evaluated by a third-party agency and regulatory approval must be obtained.

Publication of privacy policies and other practical requirements

The Draft Requirements also provide other (non-exhaustive) practical requirements for posting the privacy policy that organizations will need to comply with under the Data Protection Framework:

  • Publication: privacy policies should be easily accessible and provided in Simplified Chinese. Users should be able to reach the policy in no more than four clicks on a website or app.
  • Obtain consent: according to the PIPL, bulk consent is not allowed; consent should be obtained product by product. When new products or services are introduced, data subjects should be directed to read the relevant parts of the privacy policy when activating the new service and asked to give their consent.
  • Dispute settlement: a complaint from a data subject must receive a response within 5 working days. Where an external dispute resolution agency is engaged to assist in handling a complaint, the controller must provide its working records of the preparation of the privacy policy to that agency for review. Data controllers should therefore keep good records of their privacy policy drafting and implementation efforts.
  • Internal procedures: a series of internal procedures should be adopted, including, but not limited to, conducting a personal information impact assessment, security measures, procedures for exercising data subject rights, and contracts with third-party data processors. Data controllers should keep good records of these internal procedures and submit them to the external dispute resolution agency in the event of a dispute regarding the privacy policy.