A Commentary on MPS’ New Policy on Internet Personal Information Protection
By David Pan
With a view to regulating and guiding Internet companies to establish and improve their management systems and technical measures for personal information protection, the Cybersecurity Protection Bureau of the Ministry of Public Security released the Guideline for Personal Information Security Protection (Exposure Draft) (hereinafter referred to as the “Guideline”) on November 30, 2018 to seek public opinion.
After in-depth discussion, the Cybersecurity and Data Law Service Team of Llinks (Llinks Team) takes the view that the Guideline is complete in its content and structure. The Guideline focuses on guiding Internet companies to establish and improve the management systems and technical measures for the protection of citizens’ personal information, and puts forward an innovative and practical concept of the “life cycle of personal information”. Moreover, the Guideline distinguishes between automatic and non-automatic methods of personal information use, which aptly reflects the practice of personal information security protection.
Llinks Team suggests that the following issues be clarified in the amendment and finalization of the Guideline.
1. Do the “Internet Companies” in the introduction part refer to companies in the Internet industry, or to all companies that conduct business via the Internet?
2. Article 4.2.1(b) provides that the top management of an Internet company should engage in, or should appoint a designated person to engage in, personal information protection work. The phrase “engage in” used here differs from the counterpart “be responsible for” set forth in the General Requirements for Graded Information System Security Protection. Does the Guideline require the top management of an Internet company to directly engage in personal information protection work?
3. Article 5.2 “Enhanced Requirements” covers the security of Cloud Computing and the Internet of Things. For comprehensive coverage, should “Enhanced Requirements” also include the security of Mobile Interconnection and Industrial Control Systems?
4. Does the “Identity Authentication” stated in Article 6.1(d)(1) refer to a computer system authentication mechanism or to the real-name authentication system? In addition, is this requirement truly necessary for companies to fulfil their personal information security protection obligations?
5. Article 6.2(c) requires that personal information must be deleted upon expiry of the set time limit. Nonetheless, Article 6.1 of GB/T 35273—2017 Information Security Technology – Personal Information Security Specification provides that personal information must be deleted or anonymized upon expiry of the set time limit. Does the Guideline deem deletion to be the sole compliance method in this circumstance?
6. The Explanatory Note to Article 6.3(a) points out that anonymized or desensitized personal information data can be used for historical, statistical and scientific purposes, and that such use may exceed the agreements and arrangements concluded with the personal information subjects. The note seems inconsistent with the explanatory notes to Article 7.3(c) of GB/T 35273—2017 Information Security Technology – Personal Information Security Specification. Based on the Guideline, will Internet companies be allowed to lawfully use anonymized or desensitized personal information data for historical, statistical and scientific purposes without being bound by the agreements originally concluded with the personal information subjects?
© Llinks Law Offices (通力律师事务所)