Apr 28, 2021 08:00 AM

China Outlines Tougher Privacy Protection Rules for Big Tech

A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding personal information.

China is considering new rules requiring large internet companies to set up independent bodies to supervise their handling of personal data in a continuing push to expand privacy protection.

A draft of the country’s first personal information protection law was submitted Monday to the Standing Committee of the National People’s Congress, China’s top legislature, for the second of three reviews, state media reported. Compared with a previous version released in October, the new draft outlines more detailed requirements for internet companies’ protection of users’ data.

Developing the Law on the Protection of Personal Information is among the top tasks of China’s lawmakers this year. The legislation is taking shape as large internet platforms collect vast amounts of consumer data via services ranging from e-commerce to finance management, sparking increasing concerns over privacy and safety.

If it passes, the eight-chapter law would provide overarching protection for China’s 940 million internet users, who are increasingly concerned about their data security as new technologies powered by big data continue penetrating every aspect of social life.

A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding personal information. Currently, several statutes share that responsibility, including an official Standing Committee decision on protecting online data, a Criminal Law amendment and the Cybersecurity Law.


According to the new draft, companies providing basic internet platform services, with large user bases and complex businesses, should establish an independent body comprising external members to supervise the management of personal data.

Such companies would also be required to regularly issue a social responsibility report on personal information protection and would be required to stop business operations that violate privacy protection rules, according to the draft law.

Cheng Xiao, a law professor at Tsinghua University, said the new requirements would govern internet companies in businesses including e-commerce and instant messaging that have access to huge amounts of personal information. However, more details should be added to explain what companies would be subject to the new requirements, Cheng said.

The installation of an independent supervisory body would be similar to the mechanism of independent board directors in corporate governance, Cheng said. Supportive arrangements and management requirements should also be introduced to make sure the new mechanism operates smoothly, the professor said.

Some experts said such a mechanism may face difficulties in implementation as companies may be hesitant to share information with external members because of concerns about business secrets.

In the October version, the draft defined personal information as data “recorded by electronic or other means in relation to identified or identifiable natural persons, not including anonymized information.” It also specified how such data should be collected, stored, used, processed, shared and publicly disclosed, as well as the rights of people who turn over data and the obligations of those who handle it.

Chinese authorities are stepping up policy-building to enhance privacy protection in response to public concerns over tech companies’ handling of personal data.

Last week, the National Information Security Standardization Technical Committee (TC260), China’s top authority in charge of unified management and supervision of standardization work, issued for public comment a detailed draft of national standards to regulate the use and protection of facial recognition data. After taking effect, it would become the country’s first set of national standards for the use and protection of facial recognition data.

In March, several central government agencies issued rules taking effect May 1 that lay out what categories of data can be considered “necessary” for 39 types of mobile apps. The rules said apps should not deny users access to basic services if they refuse to share data beyond the designated categories.

Matthew Walsh contributed to this story.

Contact reporter Han Wei and editor Bob Simison.
