China's National Standard on Personal Information Processing Notice and Consent Came into Effect
China’s national standard (Guo Biao or GB) on notice and consent regarding the processing of personal information came into effect on 1 December 2023. China’s national standards cover a broad range of areas that all business entities shall abide by in their business activities. The national standards are further categorized into “mandatory standards” (with a national standard number starting with “GB”) and “recommended standards” (with a national standard number starting with “GB/T”).
The new national standard on notice and consent regarding personal information processing, namely “Information security technology-Implementation guidelines for notice and consent in personal information processing” (GB/T 42574-2023) (the “Notice and Consent GB”), was released by the National Standardization Administration on 23 May 2023 and has been in effect since 1 December 2023.
The Notice and Consent GB consists of 9 chapters and 14 annexes. The first 4 chapters are general provisions regarding the scope of application, referenced documents, glossary and abbreviations. Chapter 5 sets out the scenarios in which notice and consent are required, and Chapter 6 sets out the exempted scenarios. Chapter 7 is about the general principles regarding notice and consent. Chapter 8 and Chapter 9 provide detailed guidelines on how to implement notice and consent.
The annexes set out further requirements on the implementation of notice and consent under particular scenarios, such as mobile applications, applications containing SDKs, processing of the personal information of minors (under age 14), processing in public areas, processing by cloud computing, processing within automobiles and processing in online shopping. The final annex provides a list of typical scenarios in which consent can be “implied”.
Chapter 6 of the Notice and Consent GB sets out the scenarios in which notice and consent are not required to process personal information. The list under Chapter 6 is shorter than the list contained in a previous national standard, namely “Information security technology-Personal information security specification” (GB/T 35273-2020), because GB/T 35273-2020 was issued before the enactment of the Personal Information Protection Law (the “PIPL”).
Chapter 6 of the Notice and Consent GB follows Article 13 of the PIPL, but sets out more detailed guidelines. For example, Article 13 of the PIPL allows processing personal information without the personal information subjects’ consent if such processing is necessary for the execution and performance of a contract to which the personal information subject is a party. The Notice and Consent GB further states that when processing personal information on such a basis, the processor shall expressly inform the information subjects as to what purposes and what scope of processing will be deemed necessary for the execution and performance of the contract. The Notice and Consent GB also emphasizes that the personal information protection policy issued by the processor shall not be deemed a contract between the processor and the subjects.
III. General Principles
Chapter 7 of the Notice and Consent GB sets out the general principles regarding notice and consent.
According to Chapter 7, a notice shall be provided in an open and transparent manner. The notice shall be conveyed to the subject “effectively”, which means the processors shall try their best to send the notice by a method which can directly communicate with the subjects. The notice shall also be served in a “timely” manner with “accurate and clear” contents, avoiding overly broad expressions. Finally, the notice shall be easy to understand: the processor shall use commonly used language, numbers and charts.
Regarding consent, Chapter 7 requires that when the processors acquire consent from information subjects, they shall ensure that the consent does not exceed the scope of the notice, that the consent is made voluntarily by the subject through a voluntary action, that the consent is obtained in a timely manner, and that the processors do not unreasonably tie up several kinds of business into one consent.
Chapter 8 goes on to provide more detailed guidelines on how to provide a lawful and sufficient notice. With respect to the manner of providing notice, Chapter 8 recommends that the information processor provide notice through an interactive interface; when such a method is impossible, the processor can provide notice by sending a written notice, an e-mail or an electronic file, or by playing audio or video files. In cases where individual notice is impossible or too costly, Chapter 8 allows the processor to provide the personal information protection policy by public announcement. However, if the personal information protection impact assessment indicates that the processing activities will have a great impact on the information subject, the processor shall notify individually even if such a method is obviously difficult.
With respect to the content of the notice, the Notice and Consent GB restates that, in general, a notice shall contain the contents provided under Annex 4 of “Information security technology-Personal information security specification” (GB/T 35273-2020). The Notice and Consent GB also recommends that the processor give an “enhanced notice” under certain scenarios (such as the collection of sensitive personal information and the collection of personal information by automated programs). According to the Notice and Consent GB, an “enhanced notice” means a notice that “cannot be bypassed”. The processor can set out a “specified page” or an “individual process” to achieve such an “enhanced notice”. Chapter 8 also sets out guidelines on what content shall be contained in the notice under specific scenarios. Such scenarios include notice at the time of collection, notice at the time of provision and publication of personal information, and notice at the time of a change of processing activities.
Further to the contents, the Notice and Consent GB also gives guidelines on the implementation of notice. The Notice and Consent GB requires that a notice be displayed in a manner that is clear and easily understandable, with concise contents and clear priority. The Notice and Consent GB also emphasizes the importance of the “timing and frequency” of providing notice. The processor shall consider the “consumer experience” and ensure that the personal information subjects receive sufficient notice without unnecessary disturbance.
Chapter 9 of the Notice and Consent GB sets out guidelines on how to obtain lawful and valid consent from personal information subjects. Chapter 9 emphasizes that, in principle, the processor shall obtain an “express consent” from the personal information subjects and avoid “implied and passive” consent. An “express consent” means a “specific, clear and definite” intention to consent provided by the personal information subject. A personal information subject’s signature on a paper or electronic document is the most typical type of “express consent”. Pressing an “agree”, “next” or “continue” button, or sliding on an interactive interface, can be deemed an “express consent” when the notice is provided electronically. An “express consent” can also be deemed obtained by taking certain actions, such as voluntarily entering or uploading personal information, or showing an ID card or fingerprints.
However, the Notice and Consent GB does not completely rule out “implied consent”. It says “if the personal information subject cannot give express consent due to objective constraints, personal information subjects’ customs or for the purpose of protecting various parties’ interests, the personal information processor can imply the personal information subjects’ consent based on the analysis of information subjects’ behavior and the personal information subjects do not express objection to the processing of personal information”. The Notice and Consent GB further clarifies that “implied consent” is valid only when (1) there is obvious difficulty in obtaining express consent, (2) the personal information protection impact assessment indicates that the processing will not have a negative impact, (3) the processor has provided the notice in accordance with Chapter 8, AND (4) the “implied consent” will not preclude the information subjects from exercising the right to withdraw. Annex N to the Notice and Consent GB further provides a few typical scenarios in which implied consent can be deemed valid.
The Notice and Consent GB also provides guidelines on how to obtain “separate consent”. The PIPL requires processors to obtain “separate consent” when transferring personal information to a third party, publicly disclosing personal information, collecting personal images and personal identifications for purposes other than public security, processing sensitive personal information, or exporting personal information. But the PIPL is silent on what kind of consent will amount to a “separate consent”. The Notice and Consent GB provides that in order to obtain a valid “separate consent”, the processor must first give an “enhanced notice”. A “separate consent” must be an “express consent”. Also, a “separate consent” must be applied to a particular and specific business or function; the processor shall not include a “separate consent” in a “catch-all consent”. Finally, if the personal information subject refuses to provide a “separate consent”, the processor shall ensure that any business or function which does not fall within the scope of such “separate consent” will not be affected.
The Notice and Consent GB further provides guidelines on how to ensure the personal information subjects’ right to refuse to consent and to withdraw consent, and on how the processor shall keep records of consent.
In practice, “consent” is perhaps the most frequently relied-upon lawful basis for processing personal information. The Notice and Consent GB is, no doubt, an important supplementary resource to the general framework established by the PIPL.