Verification of the processing of personal information

On August 3, the Cyberspace Administration of China (CAC) issued draft administrative guidelines for privacy-compliance reviews of personal information, together with related reference points, for public comment. The goal of the documents is to provide regulatory oversight of data privacy compliance. However, data processors are also expected to self-regulate and increase their awareness of the need to protect personal information.

Under the guidelines, companies are required to conduct regular privacy health checks of personal information. Processors that handle the personal information of more than one million people must conduct a privacy-compliance audit at least once a year, and other processors of personal information must do so at least every two years.

The reference points specify the focus of the audit at different stages of the processing of personal information. Particular emphasis is placed on auditing personal information processing rules: methods for setting retention periods, actions after the retention period expires, account deletion, withdrawal of consent, and the ways and methods of communicating processing rules to individuals in a transparent, understandable, and complete manner.

Where information is processed using automated decision making, the focus is on verifying whether a security assessment of the algorithm model has been carried out beforehand and whether a technological ethics review has been conducted. Where publicly available information is processed, the audit checks whether this information can be used to carry out online violent activities or similar.
