Caixin
Oct 14, 2020 07:17 PM
POLITICS & LAW

China Mulls Severe Penalties in New Data Protection Law

A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding the personal information of citizens.
A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding the personal information of citizens.

China’s most senior lawmakers are deliberating a draft data protection law that would slap a maximum fine of 50 million yuan ($7.42 million) on those who illegally handle personal information.

The Standing Committee of the National People’s Congress (NPC) will consider the proposed new Personal Information Protection Law during a legislative meeting that runs from Tuesday to Saturday in the capital, Beijing.

Liu Junchen, the deputy director of the Standing Committee’s Legal Affairs Commission, said the draft law aimed to prevent businesses, organizations and individuals from “arbitrarily collecting, illicitly obtaining, overusing and illegally buying and selling” personal data and using it to “violate the peace of people’s lives and endanger their health and property.”

A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding the personal information of citizens. Currently, several statutes share that responsibility, including an official Standing Committee decision on protecting online data, a Criminal Law amendment and the Cybersecurity Law.

Those who violate the proposed new law would be ordered to “rectify” their behavior, have any illegal income confiscated and receive an official warning. Repeat or serious offenders could be fined 50 million yuan or the equivalent of up to 5% of their revenue from the previous year, and have their business licenses revoked or suspended.

The draft comes after a government crackdown last year resulted in more than 100 online apps being taken offline for gathering unnecessary personal information from users, lacking privacy agreements, and failing to adequately describe the scope and nature of their data collection operations.

If it passes, the eight-chapter law would provide overarching protection for China’s 900 million internet users. The document, which has not yet been made fully available to the public, defines personal information as that which is “recorded by electronic or other means in relation to identified or identifiable natural persons, not including anonymized information.”

The draft includes some 70 articles on how such data should be collected, stored, used, processed, shared and publicly disclosed, as well as on the rights of people who hand over their data and the obligations of those who handle it.

Significantly, it would enshrine the principle of informed consent, meaning that all entities that handle personal data would have to clearly inform the individual in advance about how they plan to use the information, and request the explicit consent of the individual or their legal guardian before doing so.

Individuals would have the right to know how their data is used and to request corrections or deletions, the proposal said, adding that entities handling personal information would not be allowed to collect more than they need to complete their stated tasks or refuse to provide a product or service if an individual refuses to give or later withdraws their consent.

Exemptions to the rules on consent would apply if the data in question must remain confidential under other laws and regulations; if it is needed to respond to public health emergencies or other threats to life, health and property; or if it is in the public interest for the purposes of reporting news or monitoring public opinion.

Amid angst about the public use of facial recognition technology, the draft also states that image acquisition and personal identification equipment may only be deployed in the streets for public security purposes.

Further provisions would place tighter safeguards around “sensitive” personal information, require overseas entities to establish special agencies or representatives in China before handling citizens’ data, and force entities to pass a government security check before transferring such data across the country’s borders.

The NPC Standing Committee will deliberate the draft law as part of a slate of proposals that include lowering China’s minimum age of criminal responsibility and potential new laws on biosecurity and export controls.

Contact reporter Matthew Walsh (matthewwalsh@caixin.com) and editor Michael Bellart (michaelbellart@caixin.com)

Download our app to receive breaking news alerts and read the news on the go.

You've accessed an article available only to subscribers
VIEW OPTIONS
Share this article
Open WeChat and scan the QR code