Editorial: Protecting Personal Information Needs to Become China’s New Normal
China has been accelerating the creation of personal information protection legislation. In October 2020, a draft Personal Information Protection Law was unveiled to the public. Recently, a second draft was submitted to the National People’s Congress Standing Committee for review. This shows efforts to protect personal information are intensifying.
Expectations are high for China’s first specific personal information protection law. Personal information protection is the bottom line of the digital economy and social governance. One of the major missions of a personal information protection law is to draw boundaries; guide and bind government and market entities; regulate the use, collection, storage, processing, transmission, provision and disclosure of personal information; punish personal information infringement; and create stable norms.
At present, personal information rights are infringed or threatened everywhere. Some people have paid huge economic costs or even paid with their lives. Nuisance calls and facial recognition are ubiquitous. This is the norm that we have to face, but it must be changed as soon as possible. Compared with the first draft, the latest one is significantly improved. In view of the current non-transparent and excessive use and collection of personal information, the second draft states that personal information shall not be handled through “coercion,” and refines the rules on consent withdrawal, automated decision-making, and cross-border provision of personal information. In addition, the draft stresses the supervision of super-large internet platforms. As its name implies, the personal information protection law doesn’t aim at promoting industry but at safeguarding rights and interests. Only when good laws are followed can the digital economy develop in a healthy manner.
It is particularly urgent to protect personal information at present. Since the outbreak of Covid-19, the collection of personal information has been expanding, which has contributed a lot to epidemic prevention and control. With routine epidemic controls, it is pressing to make personal information use and collection a normal practice and think about withdrawal in a timely manner. The draft includes protecting the life and health of persons in response to public health emergencies or in emergency situations as one of the legal circumstances for handling personal information. However, the draft’s “explanations” also explicitly emphasize that the handling of personal information in the above circumstance must also strictly abide by the handling rules stipulated in this law and fulfill the obligation of personal information protection. At the very least, this means that “abnormal” use and collection of personal information should be continuously adjusted as the epidemic changes. Amid the epidemic, many venues collect personal information such as mobile phone and ID numbers. The competent authorities should consider in a timely manner and properly arrange for the deletion, destruction and withdrawal of such information.
Due to collective ignorance, personal information has not been effectively protected for a long time. There is a general lack of awareness of protecting personal information among government officials and market entities. Some localities or authorities seek to obtain as much personal information as possible for regulatory convenience, some officials have even trumpeted “penetrating privacy” as a feat, and others have commercial reasons to collect as much personal information as possible even if it is irrelevant. It is also urgent to enhance individuals’ awareness of protecting personal information. Many people think, “If you’re not bad, what are you afraid of?” This makes it difficult to impose strong restrictions on personal information infringers.
To change the abnormal personal information protection situation, it is of paramount importance to give individuals the right to control their own data through the law. The draft establishes the rules of handling personal information with “notification and consent” as the core. However, how to inform or whether consent is truly an option or a “must” will be examined in practice. For example, applications often excessively gather even irrelevant information; otherwise, users can’t install or use them. According to the draft, personal information handlers should have a specific purpose and sufficient necessity for dealing with sensitive personal information. It is necessary to develop a concrete system to ensure this principle is effectively binding. Therefore, the personal information protection law and its implementation rules should be detailed rather than general.
If a violator does not pay the price, the law will be left on paper. The draft sets up administrative and civil legal liabilities for infringement of personal information rights and interests. In case of serious circumstances, the draft stipulates that the illegal income shall be confiscated, a fine of less than 50 million yuan ($7.7 million) or less than 5% of the previous year’s turnover shall be imposed, the suspension of related businesses, business suspension for rectification and revocation of business licenses may be ordered, and directly responsible executives and personnel shall also be fined. The penalties are quite stiff, but it remains to be observed whether these rules will be carefully enforced, how to determine that a case is serious, and how much discretion the courts or regulators have. In addition, civil, criminal and administrative liabilities should also be closely coordinated. Currently, the draft puts more emphasis on administrative liabilities, while the civil aspect is faced with many practical difficulties such as individuals’ burden of proof and the high cost of right protection.
One major focus of the second draft is to strengthen the personal information protection obligations and supervision of super-large internet platforms. Personal information handlers that provide basic internet platform services, boast a large number of users and have complex business types shall perform the obligations of establishing an independent organization mainly composed of external members to supervise personal information handling activities, regularly release social responsibility reports on personal information protection and accept social supervision. Super-large internet platforms have massive amounts of data and even “platform hegemony.” Without a fundamental institutional framework established on the basis of the rule of law, relying solely on supervision through law enforcement may provide some typical cases, but it will be impossible to form a long-term effective governance mechanism.
In fact, many of the provisions in the draft aren’t new, but had been mentioned in a lot of laws and regulations before. However, the personal information protection situation remains unchanged. This calls for profound reflection. The public hopes the law will fundamentally change the wanton infringement of personal information interests. It is hoped that the law that is eventually enacted will be a “toothed” law with detailed implementation rules and turn out to be a milestone in China’s progress towards building a country under the rule of law.