What are the new requirements on platform privacy policies, and do they affect your business?
The Draft Standard specifies the procedures, contents and forms applicable to privacy policies of internet platforms, products and services and also sets out requirements in relation to readability, transparency, dispute resolution and other issues. Ambitiously, the Draft Standard also seeks to cover various requirements from upper-level legislation, to harmonise inconsistencies in certain national standards, as well as to provide more detailed recommendatory provisions that will be a helpful reference for internet businesses’ compliance programmes.
Although it has only recommendatory authority, the Draft Standard will exert quasi-binding legal effect, as government authorities and third-party evaluation institutions can be expected to use it as a reference when supervising, assessing and evaluating businesses’ data compliance practices. Hopefully the Draft Standard will give the legal departments of many internet companies an easier path to maintaining compliant privacy policies.
Based on our first review of the Draft Standard, however, there are issues to be clarified:
First things first, the Draft Standard uses the term “internet platforms, products and services” without definition but some of the proposals mimic those attaching to internet platform operators in the draft Network Data Security Management Regulations released last November. In the November regulations, “internet platform operators” are “data processors which provide users with internet platform services such as information publishing, social networking, transactions, payments, or audio-visual services.” Does the Draft Standard also apply to situations like corporate websites, hotel-owned booking websites, ancillary apps for medical devices, etc.? Those we have spoken to in business believe these examples should fall outside of the Draft Standard’s coverage, but the current wording is unclear on this. The market will look to the TC260 to clarify the scope of data processors regulated under the Draft Standard.
Privacy agreement or policy
On the one hand, we expect the PIS Specification to be refreshed at some point in light of the release of the PIPL. On the other hand, one of the TC260 drafters confirmed to us that there should not be any special significance placed on the nomenclature of the Draft Standard – somehow the Draft Standard got this name during the proposal stage. It remains to be seen which approach prevails as these standards progress under the PRC authorities’ direction.
Of course, if the first question regarding applicable scope of the Draft Standard is resolved narrowly, it will likely be acceptable to impose this requirement on internet platforms only, as their privacy policies will naturally be longer. Until then we withhold judgement, but it is another reason why clarifying the applicability of the Draft Standard is key to applying it practically to industry.
Pending status of upper-level regulations
A key piece of upper-level legislation that the Draft Standard will follow is the November draft regulations mentioned above. These draft regulations received plenty of feedback from the industry, and thus may undergo relatively heavy changes in their next version.
What can we do?
The Draft Standard is open for public comment until 25 July. If you see anything that could impact your business, please raise your voice through your business associations, GR advisors, or us!
“I don’t believe that the regulatory actions will really stop. Various ministries still have a mandate to enforce all the regulations that have been amended and strengthened,” said Charles Mok, visiting scholar at the Global Digital Policy Incubator at Stanford University.