China: TC260 requests opinions on the draft Requirements for Privacy Agreements of Information Security Internet Platforms
The National Information Security Standardisation Technical Committee ('TC260') requested, on 26 May 2022, comments on the draft Requirements for Privacy Agreements of Information Security Technology Internet Platforms and Products and Services. In particular, the TC260 highlighted the draft provides privacy policies should clearly, accurately, and completely describe the personal information processing of the personal information processor, showing the data subject the key content that may affect the data subject's rights and interests in an easy and understandable manner. More specifically, the TC260 outlined the draft establishes that privacy policies should include rules for, among other things, collecting and using personal data, cross-border data transfers, and contacting and identifying the personal information processor.
In addition, the TC260 noted the draft details that privacy policies must include, among other things, examples of personal data collected, and the retention period of such data. Furthermore, the TC260 stipulated the draft requires that privacy policies be easily accessible for a long time, noting that data subjects should not be forced to click more than four times in order to view the policy.
Finally, the TC260 outlined the draft contains provisions relating to updating privacy policies, specifically that personal information processors shall notify data subjects of changes to privacy policies, and where amendments have a significant impact on data subject rights, publicly solicit opinions from applicable industry associations on the matter.
Public comments may be submitted to [email protected] until 25 July 2022.