China: TC260 requests comments on draft Standard on Automated Decision-Making
On August 16, 2023, the National Information Security Standardization Technical Committee (TC260) requested public comments on the draft National Standard Information Security Technology Security Requirements for Automated Decision-Making Based on Personal Information (the draft Standard).
In particular, the draft Standard uses the definition of automated decision-making from Article 73(2) of the Personal Information Protection Law (PIPL). Likewise, 'decision with significant impact on individual's rights and interests' under the draft Standard means decisions that have a legal impact on the realization of an individual's statutory rights and similar significant impacts on other rights of an individual.
The draft Standard divides automated decision-making into two parts. First, feature generation is defined as the selection and collection of specific personal information to achieve specific business purposes, and its subsequent automatic analysis. Second, decision-making is defined as specific actions taken on individuals with the participation of the personal characteristic information provided by feature generation.
Principles and strategy
Notably, the draft Standard outlines security risks for automated decision-making and corresponding security principles for personal information processors carrying out automated decision-making, including openness and transparency, and data quality. More specifically, the draft Standard details that an algorithmic impact assessment must be conducted prior to the development of automated decision-making algorithms. Equally, the draft Standard notes circumstances where personal information processors or algorithm developers should ensure human intervention and test and train the data used for algorithm training.
In addition, the draft Standard establishes requirements for feature generation, including personal information collection requirements, elaborating on the necessity for authentic and accurate personal information, alongside a valid legal basis.
Similarly, on decision-making, the draft Standard notes the need to take into account security requirements and the rights and interests of data subjects.
Public comments can be submitted to [email protected] until October 15, 2023.