A business working with China will inevitably process personal data of parties whose prior consent the law requires, such as employees, freelancers, or third-party business partners. For example, pharmaceutical and medical device companies need to involve outside experts and sometimes process patient data, and cross-border data transfer is unavoidable for most business models. China has several laws governing these activities. The primary statute governing notice and consent is the China Personal Information Protection Act (commonly abbreviated PIPL); its rules are supplemented by GB/T 42574-2023 Information Security Technology – Personal Information Processing Notice and Consent Guidelines.
Contents
Whether Notice and Consent Are Required at All
Timing of Getting Consent
What the Notification Should Contain
Types of Consent and How It Is Structured
Mandatory Principles & Best Practices
Conclusion
Whether Notice and Consent Are Required at All
Whether Chinese law requires you to provide notice depends first on whether consent is required, so the two questions are analyzed together.
The first step is to consider whether there is a lawful basis for processing the personal information without first obtaining consent. The China Personal Information Protection Act § 13 enumerates seven lawful bases, the first of which is consent; the others, such as performing a contract, complying with a statutory duty, or responding to a public health emergency or protecting a person's life, health, or property in an emergency, allow processing without consent.
If your use case does not fall within one of those other bases, you must provide a notice to the individual, then obtain consent, and keep a consent withdrawal mechanism available for as long as processing continues. Whenever you change the purpose or method of processing or the type of data you collect, you must show a new notice and obtain the individual's authorization again. Chinese law also requires that you generally follow the principles of transparency, data minimization, and traceability.
Chinese law generally requires businesses to provide notice before any personal data processing begins and to preserve the individual's right to know how their information is processed. The Act contains an exception for statutory secrecy requirements, where notice is never required, and an exception for emergencies implicating the individual's life, health, or property, where notice may be deferred but must be provided promptly once the emergency ends. (See Act §§ 17-18.) The law thus treats notice and consent as two distinct requirements: most of the time both apply, but notice can still be required in cases where consent is not mandatory.
If you are doing business with China, you will need both a legal expert to draft your privacy notices and consent mechanisms and a technical implementation that follows the GB/T 42574-2023 specification. If you need help with China data privacy, reaching out to a CBL professional from our network of experts is an easy and reliable way to get affordable advice.
Timing of Getting Consent
Unless one of the statutory exceptions applies, you will need to obtain unambiguous consent from Chinese individuals by providing a clear and conspicuous notice at a specified time. The Guidelines require an organization to give notice and obtain unambiguous consent before any of the following four events occurs:
- Initial collection of personal data, such as through an online form
- Sharing information with a processor, data recipient or when making the data public
- Change in processing purpose or method due to a merger or reorganization
- Whenever two or more parties decide on a joint processing purpose or method
Both notice and consent are required before any of the above events. Notice alone, without obtaining new consent, is sufficient when those business activities are stopped, for changes that do not alter the processing purpose or method, or where the data retention period for the activity is extended.
To avoid being found to have relied on passive consent, a business should deliver notice through an eye-catching interface design that describes the purpose of collecting the data, the retention period, and whether any recipient is located outside of China. If handling sensitive data, explain why it is necessary and what the potential impact on the individual may be.
The notice must accurately describe the kind of processing performed and be written clearly. Consent cannot be bundled with consent for other processing activities, and a new notice must be provided and new consent obtained whenever the processing purpose, method, or type of data changes. This is not required, however, if a Data Protection Impact Assessment (the Act's personal information protection impact assessment) concludes it is unnecessary, or if one of the statutory exceptions applies.
China's national standards recommend embedding the compliance process into your recruiting, procurement, accounting, and client management systems to lower risk, in particular by maintaining transparency and ensuring notice is effectively delivered. (See GB/T 42574-2023 Information Security Technology – Personal Information Processing Notice and Consent Guidelines §§ 5-6.)
What the Notification Should Contain
Chinese statutes require a notification step in which a business provides information to individuals before processing their personal information. The notification must include your contact information along with a clear and conspicuous description of the purpose and method of processing and the types of information involved. You must also provide a mechanism for exercising rights under the Act and other laws, for example by allowing individuals to ask questions or to request correction or deletion of their data. The impact of the processing on individuals must be explained in the notification. The China Personal Information Protection Act § 17 requires the notification to be updated whenever any of these matters changes.
The Guidelines include rules on when and how three types of notification should be provided, in the context of a variety of business models common in China. The notification types are general notice, enhanced notice, and just-in-time notice; they are not mutually exclusive. (See the Guidelines GB/T 42574-2023 §§ 8.1-8.2.)
A general notice is always required; it describes the personal information processing before any personal data is collected. In China data privacy practice, it forms part of either a Personal Data Processing Policy or a Privacy Policy. An enhanced notice is meant to be more conspicuous than a general notice: it describes the same business policy, but in a form that is easier for individuals to read and understand. Such notices are delivered through dedicated interfaces that cannot be skipped, so that individuals see the basic data processing information and can make an informed decision about whether to consent in light of their own needs.
A just-in-time notice uses a popup, notification bar, or alert at the moment a user takes an action that implicates their data privacy. Its purpose is to raise the user's awareness of how their data is processed and make the relevant information easier to find; it is primarily used where notification, but not consent, is required.
Types of Consent and How It Is Structured
Above we discussed the relationship between notice and consent and the appropriate method for giving notice under Chinese data privacy law; now we turn to the requirements for obtaining consent. The Act requires obtaining the individual's consent again whenever there is a change to the purpose, method, or type of data involved in processing personal information. Repeating notice and consent is required only for those changes, not for other kinds of change, so the Guidelines do not require fresh consent in scenarios that involve none of them. (See the Act § 14(b).)
Unambiguous Consent. The China Personal Information Protection Act § 14(a) requires that individuals voluntarily provide informed, unambiguous consent. This is done by obtaining a clear consent signal from the individual, such as voluntarily checking a box, filling in a form, or actively submitting the information. The rationale for the rule is that under passive consent, individuals can be steered into never learning your data processing rules and so remain ignorant of them. (See the Act § 14(a), and the GB/T 42574-2023 Guidelines §§ 3.6 and 9.1.1.)
The Guidelines recognize that there are use cases where unambiguous consent is very difficult to obtain given typical Chinese user behavior, and therefore allow implied consent in those cases. "Implied consent" under the rules means that objective conditions, the individual's own behavior, or legal requirements prevent obtaining unambiguous consent, but an analysis of the individual's actions implies that they did in fact consent.
Under the Guidelines § 9.1.2, implied consent lacks a step in which the individual voluntarily indicates consent, so the rules are very restrictive about when it can be used. China's rules impose four requirements:
- Obtaining unambiguous consent in the use case is not otherwise feasible
- The Data Protection Impact Assessment concludes there is no risk of negative impact to the individual
- Individuals are appropriately notified of the organization’s personal data processing policy
- Organizations that obtained implied consent have a mechanism to honor individuals' right to revoke consent, notify them of how to do so, and obtain unambiguous consent as soon as feasible
(See Guidelines Section 9.1.2 and Schedule N for hypothetical cases)
These four requirements are designed to protect individuals from having their rights infringed, and implied consent should be treated as a last resort used only when there is no viable alternative. Whenever circumstances change, the organization should obtain unambiguous consent from the individuals as soon as it is feasible.
Separate Consent vs Written Consent
The China Personal Information Protection Act requires separate consent or written consent in certain data processing contexts, although there is an exception if you are covered by a § 14(a)(1) lawful basis. The Act requires obtaining separate consent before the following activities:
- Providing personal information to any third party
- Disclosing personal information generally
- Collecting personal information in a public place for a purpose that is not for public safety
- Any processing of sensitive personal information
- Transferring data outside China
(See Act §§ 23, 25, 26, 29, 39.)
Separate consent means you fully perform your duty to notify and then obtain consent for the specific activity; it must be obtained before any data processing activity that Chinese law deems to have a substantial impact on personal rights. Written consent means you memorialize the individual's consent with a signature on paper or in a digital document, for use cases where the law or the organization's policies require it. (See the GB/T 42574-2023 Guidelines § 9.4.) Actions such as checking a box or clicking a confirm button therefore do not constitute written consent. The following are the common contexts in which Chinese law requires written consent:
- Use of their name or likeness in an advertisement
- Collection of human genetic material
- Publication of an employee’s personal information by an employer
In addition, whenever a data controller involves a new data processor, new written consent is required. The Guidelines §§ 9.2, 9.3, and 9.4 lay out the specific rules for each context in which separate consent and written consent are required, together with special cases, and must be followed closely.
Mandatory Principles & Best Practices
The China Personal Information Protection Act imposes several principles on personal information processing: legality, legitimate purpose, necessity and data minimization, good faith, openness, and transparency. (See the Act §§ 5 and 7.) The GB/T 42574-2023 Guidelines § 7 additionally set out best practices for designing notification and consent mechanisms. Businesses also have a duty to openly and transparently disclose their activities to the affected individuals in China and, before or during processing, to communicate through a user interface, email, or text message how the data is processed, the processing purpose, and the security measures applied.
The notice must be easy to read, written in clear language, and made conspicuous on the device it is read on through fonts, colors, and vibration, so that the individual can understand the disclosure. Bundling different types of data processing activities together is not permitted. At every step you must consider the impact the processing will have on individuals in light of their habits and reasonable expectations, taking into account network conditions, the devices used, accessibility needs, and the user's cognitive capacity. Offer tiered options for different levels of consent.
Conclusion
In this article we have covered the connection between the notice and consent requirements: Chinese law has several exceptions where consent is not required at all, but in some of those cases notice is nonetheless required. The regulations use a sliding scale of consent requirements, ranging from relatively subtle privacy notices to screen-blocking popups and finally to written forms bearing the individual's signature. In addition to the regulations, several national standards reflect Chinese privacy professionals' consensus on best practices, and following them will reduce the possibility of regulatory liability.