On 26 May 2022, the TC260 released the Draft Requirements on Privacy Agreements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory scheme for privacy policies put forward in the Personal Information Protection Law (“PIPL”) and the Personal Information Specification (“PIS Specification”), reiterating many of the existing requirements and adding requirements set out under a wide range of app regulations and recently issued draft regulations that supplement the PIPL. In particular, the Draft Requirements clarify the processes for formulating and publishing privacy policies, as well as the contents to be included in them. If passed, the Draft Requirements will likely be referred to by regulatory authorities and third-party agencies when evaluating organisations’ privacy policies.

Content of Privacy Policies

As provided by the Draft Requirements, the key contents (non-exhaustive) to be included in a privacy policy include:

  • Abstract: highlighting the key contents of the privacy policy. This generally includes the categories of personal data processed by key functions, data sharing with third parties, the approach to exercising data subject rights, complaint channels, etc.
  • Personal Information Collection List: a list setting out the types of personal data collected or processed by services and business functions. The list should differentiate and list separately the essential and non-essential personal information types collected by each business function. Additionally, organisations should list the method, frequency and timing of processing for each type of personal data, and the possible impacts on individuals of refusing the processing of that type of personal information.
  • Overseas transfer: specify the locations where personal information is used, stored and backed up. Transfers of data outside Mainland China shall be conspicuously marked.
  • List of External Provision of Personal Information: a list to explain data sharing with third parties, describing in detail:
    • the types of personal information shared or transferred and the reasons for doing so;
    • recipients of personal information;
    • recipients’ data management guidelines;
    • the recipients’ use of personal information;
    • security measures put in place; and
    • whether these data processing activities pose high risks to the data subject.
  • Storage: differentiate between the types of personal information when specifying their retention periods or the method for determining the storage period.
  • Exemption from Consent: specify the circumstances where the sharing, transfer or public disclosure of personal information does not require consent (e.g. law enforcement agencies, security audits, protection of data subjects from fraud and personal injury etc.).
  • Changes of Privacy Policy: the amended privacy policy will need to be published on the official website or internet platform for no less than 30 working days for public comments. For data controllers with more than 100 million daily users, any material changes to the privacy policy must undergo a third-party agency evaluation, and regulatory approval must be obtained.

Publication of Privacy Policies and Other Practical Requirements

The Draft Requirements also provide other practical requirements (non-exhaustive) relevant to the publication of privacy policies, which organisations will need to comply with in line with the data protection framework:

  • Publication: privacy policies should be easily accessible and be provided in simplified Chinese. Users should be able to access the policy in no more than four clicks on a website/app.
  • Obtaining consent: consistent with the PIPL, bundled consent is not allowed. Data should be collected on a product-by-product basis. Where new products/services are introduced, data subjects should be prompted to read the relevant parts of the privacy policy when enabling the new services and to provide consent.
  • Dispute resolution: a data subject complaint should be responded to within 5 working days. Where an external dispute resolution agency is engaged to assist with a complaint, the data controller shall provide working records of the preparation of the privacy policy to that agency for consideration. Data controllers should therefore keep good records of their drafting and implementation efforts for the privacy policy.
  • Internal procedures: a series of internal procedures should be adopted, including without limitation the conduct of personal information impact assessments, security measures, procedures for exercising data subject rights, contracts with third-party data processors, etc. Data controllers should keep good records of such internal procedures and submit them to the external dispute resolution agency in the event of any dispute regarding the privacy policy.