“Personal information” under CSL refers to all kinds of information that can determine the identity of an individual person, either independently or in combination with other information. Typical examples include an individual person’s name, date of birth, identification number, personal biometric information, residential address, and telephone number.
CSL provides important principles for protecting personal information. The Personal Information Security Specification/个人信息安全规范 (“Specification”), a nationally recommended standard, provides more specific rules. Although the Specification is not mandatory, it is an important guideline in practice. Several other standards for personal information protection have also been drafted.
CSL and the Specification together provide important rules for protecting personal information, such as:
a) Informed Consent: Network operators must inform individuals of the purpose, method, and scope of the collection and the use of personal information, and obtain consent from individuals.
In addition, if the collected information is sensitive personal information, the consent must be express consent rather than implied consent.
b) Minimum Necessity: Network operators may only collect the personal information that is related to the services provided by the network operators, and must comply with the agreements with individuals.
c) Legitimate Collection: The personal information collected by network operators must come from legitimate channels. Sale or purchase of personal information is not allowed in China and may even trigger criminal liabilities.
d) De-identification vs. Anonymization: “De-identification” refers to the technological processing of personal information that makes the person unidentifiable if no additional information is used. “Anonymization” refers to the technological processing of personal information that makes the person unidentifiable, even if additional information is used. De-identification may reduce the risk, but de-identified personal information is still personal information under CSL. Anonymized personal information is no longer deemed to be personal information under CSL, and is hence exempted from the above protection measures under CSL and the Specification.