China drafts data law amendments

China’s National Information Security Standardisation Technical Committee has released amendments to 2017’s Information Technology – Personal Information Security Specification for public comment.

Since becoming effective in May 2018, the standard has set out best practices expected by Chinese regulators, and has been widely used by companies to benchmark compliance in China.

The amendments reflect evolved approaches against a global backdrop of advances in data protection and privacy behaviours.

Enhanced notice and consent requirements

Currently, the Standard requires to data subject consent for collection of PPI and its subsequent use, while further informed consent is needed for processing activity that exceeds the original scope.

Explicit consent that is freely given, specific and unambiguous is required for the collection of sensitive personal information.

The draft amendments propose to enhance the notice and consent requirements in three significant ways to address the issues of bundled consent and data over-collection.

Prohibition on forced consent and bundled consent

The amendments prevent data controllers from forcing data subjects to consent to functions provided by a product or service and its associated data collection, including scenarios such as the following:

  • controllers should not force data subjects to consent to a bundle of services/functions;
  • unless affirmatively opted in by data subjects (by filling in personal information, clicking through, or ticking checking boxes), data controllers shall not activate services/functions or start to collect personal information;
  • data controllers are required to provide opt out mechanisms for data subjects and such opt out mechanisms should be as easily accessible and friendly to use as opt-in mechanisms;
  • if a data subject refuses to opt in to certain services/functions, the data controller is also prohibited from (i) frequently requesting consent or (ii) suspending or downgrading services/functions to which the data subject has provided opt-in consent.

The proposed changes no longer highlight the difference in consent requirements between the collection of sensitive and non-sensitive personal information.

As a result, explicit consent will likely become the de facto requirement for any collection of personal information in China, with narrowly defined exceptions discussed below.

Enhanced notice requirements

The draft amendments add more information that is required to be included in a data controller’s privacy policy.

Data controllers shall notify data subjects of the types of personal information that each function or service will collect, distinguishing the information collected by “basic” functions and “extended” functions.  If sensitive personal information will be collected, the description of such collection shall be highlighted in the privacy policy.

A data controller’s privacy policy also needs to state the data protection principles that the controller is following and the measures taken to protect personal information collected. Data subjects have to be reminded of the risks involved in providing their personal information to the controller and the consequence of not providing such information.

Narrowed scope of exception for notice and consent requirements

The draft amendments add “complying with legal obligations imposed on data controllers by laws and regulations” as an exception.  However, the new Article 5.7 removes the exception for performance of contract.

In practical terms, data controllers can no longer rely on contracts with data subjects as a ground for collection and processing.  This is a significant change, and is narrower than GDPR. If adopted as proposed, neither the execution of an agreement with a data subject nor meeting a company’s “legitimate interests” would be valid grounds for processing in China.

Personalised recommendations and target advertising

The draft amendments add a new article on “personalised display,” which imposes specific requirements on two types of data controllers serving personalized recommendations based on data subjects’ browsing history, interests, consumption record or habits.

The draft amendment also recommends that data controllers establish a portal allowing data subjects to manage their preferences for receiving personalized advertisement.  Once a data subject opts out from targeted marketing, the data controller is recommended to delete or anonymize the personal information used for targeted promotions.

Requirements on Access by Third Parties and Data Integration

When a data controller allows third parties to collect personal information through their products or services (for example, though Application Programming Interfaces), the new Article 8.7 requires the controller to:

  • implement a third-party access management process and set up conditions on access such as conducting security assessments, if necessary;
  • specify security responsibilities and measures in the contracts with third parties;
  • notify data subjects that certain products or services are provided by third parties;
  • retain third-party access records;
  • require third parties to obtain consent from data subjects and verify consent collection mechanisms adopted by third parties;
  • require third parties to establish procedures for responding to data subject requests;
  • monitor data protection practices of third parties and disable third party access if issues are spotted; and
  • conduct technical inspections and audits on APIs and other embedded applications and cut off access if the data collection goes beyond the agreed terms.
  • Note that this article applies only when the third parties are not acting as a processor for the controller (defined by Article 8.1) or a co-controller (defined by Article 8.6).

Revised notification requirements for incident response

Data controllers are required to notify data subjects of all security incidents. The draft amendments, however, limit such notification requirements to security incidents that may impact the rights and interests of data subjects, such as the breach of sensitive personal data

Data processing records

The draft amendments recommend that data controllers maintain an inventory of their data collection and use in a newly added Article 10.2.  The inventory should include:

  • types, volume and sources (for example collected from data subjects directly or through third parties) of personal data;
  • processing purposes, whether processors are involved and whether the data will be shared, transfer, publicly disclosed or transferred abroad; and
  • systems and personnel relating to each steps of the processing activities.

These amendments signal the enforcement priorities of the Chinese government, and will likely impact upon companies’ data protection practices in China.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.