On 26 May 2022, the TC260 released the Draft Requirements on Privacy Agreements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory scheme for privacy policies put forward in the Personal Information Protection Law (“PIPL”) and the Personal Information Security Specification (“PIS Specification”), reiterating many of the existing requirements and adding requirements set out under a wide range of app regulations and recently published draft regulations that supplement the PIPL. In particular, the Draft Requirements clarify the processes for formulating and publishing privacy policies, as well as the contents to be included in them. If passed, the Draft Requirements will likely be referred to by regulatory authorities and third-party agencies when evaluating organisations’ privacy policies.
Content of Privacy Policies
- Personal Information Collection List: a list setting out the types of personal information collected or processed by each service and business function. The list should distinguish, and list separately, the essential and non-essential types of personal information collected by each business function. Additionally, organisations should list the method, frequency and timing of processing for each type of personal information, and the possible impact on individuals of refusing the processing of that type of personal information.
- Overseas transfer: specify the locations where personal information is used, stored and backed up. A conspicuous mark shall be made for any transfer of personal information outside of Mainland China.
- List of External Provision of Personal Information: a list explaining data sharing with third parties, describing in detail:
  - the types of personal information shared or transferred and the reasons for doing so;
  - the recipients of the personal information;
  - the recipients’ data management guidelines;
  - the recipients’ use of the personal information;
  - the security measures put in place; and
  - whether these processing activities will bring high risks to the data subject.
- Storage: distinguish between the different types of personal information when specifying their respective retention periods, or the method used to determine the storage period.
- Exemption from Consent: specify the circumstances where the sharing, transfer or public disclosure of personal information does not require consent (e.g. law enforcement agencies, security audits, protection of data subjects from fraud and personal injury etc.).
Publication of Privacy Policies and Other Practical Requirements
- Publication: privacy policies should be easily accessible and be provided in simplified Chinese. Users should be able to access the policy in no more than four clicks on a website/app.