What are the new requirements on platform privacy policies, and do they affect your business?

On 26 May, the National Information Security Standardisation Technical Committee of China (or “TC260”), which is China’s chief committee on technical standards, released a draft national standard entitled Information Security Technology — Requirements of Privacy Policy of Internet Platforms, Products and Services (Draft Standard).

The Draft Standard specifies the procedures, contents and forms applicable to privacy policies of internet platforms, products and services and also sets out requirements in relation to readability, transparency, dispute resolution and other issues. Ambitiously, the Draft Standard also seeks to cover various requirements from upper-level legislation, to harmonise inconsistencies in certain national standards, and to provide more detailed recommendatory provisions that will be a helpful reference for internet businesses’ compliance programmes.

Although it has only recommendatory authority, the Draft Standard will exert quasi-binding legal effect, as government authorities and third-party evaluation institutions can be expected to use it as a reference when supervising, assessing and evaluating businesses’ data compliance practices. Hopefully the Draft Standard will give the legal departments of many internet companies an easier path to maintaining compliant privacy policies.

Based on our first review of the Draft Standard, however, there are issues to be clarified:

Applicable scope

First things first, the Draft Standard uses the term “internet platforms, products and services” without definition but some of the proposals mimic those attaching to internet platform operators in the draft Network Data Security Management Regulations released last November. In the November regulations, “internet platform operators” are “data processors which provide users with internet platform services such as information publishing, social networking, transactions, payments, or audio-visual services.” Does the Draft Standard also apply to situations like corporate websites, hotel-owned booking websites, ancillary apps for medical devices, etc.? Those we have spoken to in business believe these examples should fall outside of the Draft Standard’s coverage, but the current wording is unclear on this. The market will look to the TC260 to clarify the scope of data processors regulated under the Draft Standard.

Privacy agreement or policy

The Chinese name of the Draft Standard used “隐私协议” (privacy agreement) instead of the commonly used term “隐私政策” (privacy policy), though the official English name still uses “privacy policy”. Privacy agreement does not seem to appear in upper-level regulations or other national standards, but we have seen reminiscent wordsmithing by the TC260 in the case of the recently updated draft of the national standard for identification of key data. For that standard, the Cyberspace Administration of China (CAC) reportedly requested that TC260’s drafters use “识别规则” (identification rules) instead of “识别指南” (identification guidelines) to stress that business operators should abide by the (non-mandatory) standards. It is not clear if the concept of an “agreement” in the Draft Standard originates from the CAC, but the logic behind the use of “agreement” and “rules” is similar.

Indeed, the question of whether this wording indicates anything substantive is a valid one, since there remains legal debate as to whether a privacy policy could constitute a binding contract between users and businesses under PRC law (similar to the legal effect of a user agreement), as opposed to a mere informative statement. Although some PRC judicial rulings which pre-date the launch of the new Personal Information Protection Law (PIPL) have found that a privacy policy could be considered a contract, the most important national standard on data protection compliance in China – the Personal Information Security Specification (PIS Specification) – clearly states that “the main function of the personal information protection policy is to disclose the scope of and rules for the personal information controllers’ collection and use of personal information, therefore it should not be deemed a contract”.

On the one hand, we expect the PIS Specification to be refreshed at some point in light of the release of the PIPL. On the other hand, one of the TC260 drafters confirmed to us that there should not be any special significance placed on the nomenclature of the Draft Standard – somehow the Draft Standard got this name during the proposal stage. It remains to be seen which approach prevails as these standards progress under the PRC authorities’ direction.

Summary judgment

Under the Draft Standard, a privacy policy should have a summary of the main body, either presented at the beginning of the full policy or in a separate document. The purpose of this recommendation is to provide users with a quick understanding of the policy’s key components.

While we appreciate the drafters’ intention to increase the “readability” of privacy policies, we query whether it is necessary to present this summary as best practice in all scenarios foreseen by the Draft Standard. In particular, if a privacy policy is of limited length, there would seem little need to produce a summary, which might then be too concise and could lead to misunderstanding. Furthermore, preparation of a summary will incur additional costs for businesses.

Of course, if the first question regarding applicable scope of the Draft Standard is resolved narrowly, it will likely be acceptable to impose this requirement on internet platforms only, as their privacy policies will naturally be longer. Until then we withhold judgement, but it is another reason why clarifying the applicability of the Draft Standard is key to applying it practically to industry.

Pending status of upper-level regulations

A key piece of upper-level legislation that the Draft Standard will follow is the November draft regulations mentioned above. These draft regulations received plenty of feedback from industry, and thus may undergo relatively heavy changes in their next version.

That said, some provisions of the Draft Standard closely follow the November draft regulations. For example, to revise its privacy policy, a business operator must release its updated privacy policy for public consultation for no less than 30 working days. If the operator has more than 100 million daily active users, the drafting or material revision of the privacy policy is subject to certification by designated third-party institutions. If the November draft regulations change, the Draft Standard is likely to change accordingly.

What can we do?

The Draft Standard is open for public comment until 25 July. If you see anything that could impact your business, please raise your voice through your business associations, GR advisors, or us!