GDPR Meets its Match in China's Personal Information Security Specification

Personal Information Security Specification

China’s Personal Information Security Specification is China’s national standard on the collection and processing of personal information. An English language version of the May 2018 version of the Specification can be found here. Recently, China proposed changes to its May 2018 Specification.

The May 2018 Specification makes clear that consent is the preferred basis for data collection. There are some exceptions to consent enumerated in section 5.4, including for the performance of a contract, but excluding legitimate interests. However, in the proposed changes, contract performance is removed. In other words, two of the most significant grounds for processing under GDPR (other than consent) are not allowed in China.

U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. They will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies. If you want to change how you process data after collecting it and getting consent, most of the time that will be just too bad—unless there’s another exception. You will need to go back and get fresh consent.

 

Source: Griffen Thorne | China Law Blog
