China - Personal Data: What Are The "Best Practices" Expected By The Authorities?
14 May, 2019
On 1st February 2019, the National Technical Committee for the Standardisation of Information Security (the «TC 260») published a draft to modify the current standard GB/T 35273-2017 (the «Standard») which has been in force since 1st May 2018. This draft was submitted to public consultation until 3 March 2019 (the «Draft»).
Although not legally binding, the Standard provides guidelines to the regulatory authorities for the interpretation of the Cybersecurity Law and the «best practices» for the collection and processing of personal data.
The finalised version of this new Standard should be issued in the next few weeks.
In the meantime, we have summarised below the main modifications brought by the Draft. The modifications notably concern:
(i) the prohibition of blanket consent;
(ii) exceptions where consent is not required;
(iii) information required to be inserted into privacy policies;
(iv) requirements in the event of the supply of personalised content;
(v) personal data access management by third parties (in particular through API);
(vi) keeping records of processing activities; and
(vii) thresholds above which a Data Protection Officer must be appointed.
PROHIBITION OF FORCED PERSONAL DATA COLLECTION AND BLANKET CONSENT (NEW ARTICLE 5.3)
In addition to the already-existing provisions relating to consent, the Draft prohibits a Data controller[1] providing a product or service with multiple functions requiring the collection of personal data, from forcing the Data subjects[2] to accept the functions offered by the aforesaid product or service and thereby to consent to the collection of their personal data for all the functions offered.
In principle, the Data controller may not obtain the consent of the Data subject to the collection of their data in a sole operation, by regrouping all the functions provided by their product or all of their services. Only positive and voluntary actions by the Data subject are able to activate the various functions of the aforesaid product or service, or trigger the collection of personal data, such as, for example, ticking a box, clicking an «I Agree» or «Next» icon, or voluntarily filling in a form, etc. («Opt-in Systems»).
Similarly, the Data controller should provide mechanisms for unsubscribing («Opt-out Systems») that are easily accessible and as simple to use as the Opt-in Systems.
The Draft also provides that if the Data subject were to refuse to subscribe for certain services or activate certain functions, the Data controller would not be able to seek the consent of that person again, or at least not on a frequent basis. Besides, the Data controller would be prohibited from suspending the other functions and services selected by the Data subjects, or reducing the quality of the functions and services to which they had already subscribed.
The Draft does, however, introduce a distinction in Schedule C, between the basic/essential functions of the products and services («basic business functions») and additional functions («extended business functions»). The distinction, which is mainly aimed at applications, enables the Data controller in some cases to obtain blanket consent for the collection of personal data.
Basic functions are defined as the core functions expected by the Data subject; those for which they have selected the product or service, and which meet their principal requirements. By contrast, the improvement of user experience or the development of a new product, for example, would not be considered a basic function.
For basic functions, the relevant person must
(i) be informed beforehand (e.g. through a pop-up window at the application interface) of the type of personal data collected by the aforesaid functions as well as the consequences of withholding their consent for the collection of their data, and
(ii) expressly consent to the collection of their data. The Standard provides that express consent means a requirement for the expression of a specific and unambiguous intention which may result from either a written document or a positive act by the person. If the Data subject does not consent to the collection of their data, the Data controller is entitled to refuse to provide them with the aforesaid basic/essential functions.
Additional functions may only be activated on a one-by-one basis after prior notification of the Data subject and the procurement of their consent for each additional function. If, however, the Data subject does not consent to the collection of their data, they shall not be able to use the aforesaid additional functions but the Data controller shall not be entitled to refuse to provide them with the basic/essential functions or to reduce the service quality of these functions.
EXCEPTIONS FOR WHICH CONSENT IS NOT REQUIRED (NEW ARTICLE 5.7)
The current Article 5.4 of the Standard has been moved to 5.7, and the Draft has added as an exception the requirement of compliance by the Data controller with obligations required under laws and regulations. The former exception relating to the performance of contracts has been deleted. If the Draft remains as is, the Data controller should henceforth no longer be entitled to rely on the performance of a contract to which the Data subject is a party, as legal grounds to justify the collection and processing of personal data.
ADDITIONAL INFORMATION TO BE INSERTED INTO THE PERSONAL DATA PROTECTION POLICY (ARTICLE 5.6 AS AMENDED)
The current Article 5.6 already provides a whole batch of information to be inserted into privacy policies and brought to the attention of persons whose data is collected and processed.
In its new version, Article 5.6 adds that the Data controller shall also inform the Data subjects of the categories of personal data collected for each function/service, distinguishing between data collected by basic/essential functions and those collected by additional functions.
NEW REQUIREMENTS REGARDING PERSONALISED CONTENT (NEW ARTICLE 7.4)
The Draft provides new requirements in the case of personalised content:
(i) For suppliers of content that disseminates current news in «push» mode or information services: they must indicate this clearly by statements such as «personalised content» or «targeted push», and provide Data subjects with simple and intuitive mechanisms to deactivate the personalised content mode.
(ii) For e-commerce operators who provide personalised content tailored to the interests of the Data subjects, their leisure activities, consumer habits or other characteristics, they should enable the Data subjects to deactivate the targeting mode based on personal characteristics.
Moreover, the Draft recommends that Data controllers should implement a mechanism whereby Data subjects could manage their preferences for receiving personalised content and be able to delete or anonymise personal data on the basis of which personalised content was sent.
PERSONAL DATA ACCESS MANAGEMENT BY THIRD PARTIES - THE CASE OF APIS (NEW ARTICLE 8.7)
The Draft provides that if the Data controller enables third parties to collect personal data, through their products or services, for example APIs (Application Programming Interfaces), and such third parties are not Data processors (i.e. they are not acting on the instructions of the Data controller) or Data co-controllers, the Data controller shall be obliged to take the following measures:
- establish a mechanism of access management and a workflow for access to the third-party product or service;
- contractually set out the obligations of each party in terms of security and confidentiality;
- inform the Data subjects that the product or service is provided by a third party;
- require the third party to procure the consent of persons concerned by the collection of their data and verify the mechanisms applied by that third party for obtaining consent;
- ensure that the third party has implemented a mechanism for the management of requests from Data subjects;
- control compliance by the third party with its obligations of security and confidentiality.
For further information, please contact:
Lisbeth Lanvers-Shah, Partner, DS Avocats
1. Data controllers are legal or natural persons who decide on the procedures and purposes of personal data processing.
2. Data subjects are natural persons whose personal data is collected.