Both China and the European Union treat "consent" as a central element of personal information protection. Under the GDPR, consent is one legal basis among several for processing personal data. China's Cybersecurity Law, currently the overarching law in this field in China, requires network operators to obtain user consent before collecting and using personal information. Unlike the GDPR, which offers ample options beyond consent for legitimizing processing, China's rules rely almost entirely on consent. So does this mean China gives individuals more control over their data?
Before answering this question, let's dig a little deeper into consent. The spectrum of consent is wide: at one end sits implied consent, where silence may suffice; at the other end sits express or explicit consent, which may require a signature or a confirmation email. Opt-in and opt-out consent lead to very different technical and organizational designs. As a consequence, different standards of consent impose different burdens on data controllers and processors, depending on how much is needed to demonstrate that consent exists.
The GDPR sets a much higher standard for consent than China's rules do.
The GDPR adopts a two-tier mechanism of consent.
- Tier 1: Where processing relies on consent, that consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes. In practice this requires an affirmative action, such as ticking an unchecked box to opt in; pre-ticked boxes and silence do not count.
- Tier 2: If the processing involves sensitive personal information (the GDPR's "special categories of personal data"), explicit consent is required. This is a higher requirement than Tier 1, typically met by an express statement such as a signed declaration or a confirmatory email.
Article 7 of the GDPR adds further specific requirements. Data controllers bear the burden of proof to show that they obtained valid consent from data subjects. If a declaration of consent is pre-formulated by the controller, it must be presented in an intelligible and easily accessible form, using clear and plain language, and any part of the declaration that infringes the Regulation is not binding; if the declaration also covers other matters, the request for consent must be clearly distinguishable from them. In addition, data subjects may withdraw consent at any time, withdrawing must be as easy as giving it, and the controller must stop the consent-based processing once consent is withdrawn (although processing carried out before withdrawal remains lawful). Last but not least, where there is a clear imbalance of power between the data subject and the controller, or where performance of a contract is made conditional on consent that is not necessary for that contract, consent already obtained may be found "not freely given" and therefore invalid.
Because of this high standard, consent is often not the optimal option for legitimizing data processing under the GDPR. Relying entirely on consent is risky: if the consent turns out to be invalid or is later invalidated, the controller is left with no legal basis and could face a high penalty for unlawful processing. Therefore, to comply with the GDPR, controllers are often advised to identify other legal bases (for example, performance of a contract, a legal obligation, or legitimate interests) as a complement to, or even a replacement for, consent.
In contrast, the consent requirement under China's framework is ambiguous and of a lower standard. China's Cybersecurity Law states only a broad principle: network operators must obtain informed consent before collecting and using personal information, with no exceptions. Later, China issued a national standard, Information Security Technology – Personal Information Security Specification (PISS, GB/T 35273), to give more pragmatic guidance. Although the PISS is not legally binding, it is widely used by companies in China for compliance because the regulatory authorities may treat it as the best-practice benchmark when auditing companies.
The PISS also sets out a two-tier consent mechanism:
- Tier 1: In general, data controllers should obtain "authorized consent" and data subjects should be adequately informed.
- Tier 2: To collect sensitive personal information, "explicit consent" is required, which must be fully informed, voluntary, specific, and unambiguous. A written declaration or an affirmative action is required to show that the data subject has clearly authorized the specific processing. Explicit consent is also required when data will be used beyond the purpose for which it was originally collected, and when data will be publicly disclosed.
Although both the GDPR and the PISS use the phrase "explicit consent," the standards behind it differ markedly. Judging from each text's description, explicit consent under PISS Tier 2 corresponds more closely to ordinary consent under GDPR Tier 1. It is unclear what "authorized consent" means under PISS Tier 1, but it is clearly a lower standard still, and may include implied consent.
In addition, the PISS contains a provision listing broad exemptions under which data may be processed without consent. A full translation of this provision is attached at the end of the post. Under China's legislative hierarchy, the PISS, as a national standard subordinate to the Cybersecurity Law, cannot contain anything that conflicts with that law. Since the Cybersecurity Law treats consent as the only legal basis for collecting and using personal information, the PISS should do the same. Seen in this light, the PISS exemption list appears inconsistent with the law, because it permits processing without consent, in direct conflict with the Cybersecurity Law. On the other hand, it seems the drafters of the PISS recognized the problem of relying solely on consent and attempted a fix that is clearly inspired by the GDPR's alternative legal bases.
In summary, consent can mean very different things. Requiring that data processing be based entirely on consent does not necessarily provide more protection than laws that place less emphasis on consent.
Appendix – Translation of § 5.4 of the PISS
In the following scenarios, personal information controllers do not need the authorized consent of data subjects to collect and use personal information:
- a) directly related to national security;
- b) directly related to public security, public health, and significant public interests;
- c) directly related to criminal investigation, prosecution, court trial and execution;
- d) to protect the vital legal interests of data subjects or other individuals, where it is difficult to obtain the consent of the data subjects;
- e) personal information made public by the data subjects themselves;
- f) personal information collected from lawfully published information, such as lawful news reports or government information disclosures;
- g) necessary to conclude and perform a contract at the request of the data subject;
- h) necessary to maintain the safe and stable operation of the products or services provided, such as discovering and handling faults in those products or services;
- i) held by a news agency that needs the information for a legitimate news report;
- j) held by an academic research institution that needs the information for statistical or academic research purposes, provided the information is de-identified in any research results released to the public;
- k) other scenarios permitted by laws and regulations.