China passed its first national Personal Information Protection Law last week, adding legal teeth to the country’s scrutiny of personal information collection and use, and setting strict rules on how companies and government departments should treat this kind of data.
The law was passed Friday by the Standing Committee of the 13th National People’s Congress (NPC), China’s top legislature, and will come into effect on Nov. 1. The full text of the law (link in Chinese) has been published on the NPC’s website.
The law, which consists of 74 articles in eight chapters, “gives information owners as comprehensive a set of rights as possible” and reflects contemporary trends in personal information protection, said Shi Jiayou, a law professor at Beijing’s Renmin University.
China started working on a specific data protection law in 2003, but it took until last October for a draft law to be unveiled to the public. The legislation will provide data protection for China’s more than 900 million internet users — many of whom have experienced privacy breaches — and comes as Beijing boosts its oversight on the internet industry and data protection generally.
Here’re six things you need to know about the new Personal Information Protection Law.
1. Informed consent
The law says that it is based on the principle of informed consent, which means all data processors should clearly inform the data owners in advance about how they plan to use the information, and request the explicit consent of the owners or their legal guardians before doing so.
A personal information processor is defined in the law as an organization or individual that independently determines the purpose of personal data collection and use, and how this is carried out.
If there’s any change in important matters related to personal information processing, data processors should inform data owners again and obtain their consent.
The principle aims to guarantee citizens’ right to know about, and to decide on, how their personal data is used. Citizens also have the right to refuse others permission to use their data and to restrict what it can be used for.
2. Safeguard “sensitive” information
The law includes a chapter on processing “sensitive” information, such as one’s religious beliefs, financial details, whereabouts and the personal information of minors aged under 14.
Data processors can only collect and handle this kind of information when they have a specific purpose and sufficient necessity, according to Article 28. The provision requires processors to carry out “strict” protection measures and obtain individuals’ consent. They also must inform individuals of why their sensitive information is being collected and what impact the processing might have on their personal interests.
A specific rule should be set up to govern the processing of minors’ personal data, the article said, without elaborating.
3. Information portability
The law includes a provision on the right to personal information portability, which is similar to provisions in the EU’s General Data Protection Regulation, considered to be among the toughest privacy and security laws in the world.
The right stipulates that personal information processors should provide people with the means to transfer their information, as long as the requests comply with China’s cyberspace regulations.
This provision was added to a revised draft that was submitted to the NPC Standing Committee last week for a third round of review. Legal industry insiders previously told Caixin that the inclusion of portability provisions would help prevent enterprises from taking advantage of their breadth of data collection to form a monopoly. It will also enhance people’s ability to make decisions about their personal information.
4. Plugging big data loopholes
Personal information processors who use personal data for automatic decision-making should ensure the decision process is transparent and the results are fair and impartial, according to Article 24.
In the law, automatic decision-making refers to any activity in which software is used to analyze and evaluate an individual’s behavior, habits and interests, and health and credit status.
The article said processors shall not treat individuals in an “unreasonably different” way based on automatic decisions, including by charging different users different prices. Also, if an automatic decision has a “significant impact” on an individual’s rights, they can ask processors to explain how the decision was made.
This article is responding to the contemporary phenomenon in which an increasing number of companies are using big data techniques (link in Chinese) to analyze and evaluate customers’ data for marketing, with some using these insights to treat customers differently, or even misleading and cheating them, said Yuan Yulai, a Zhejiang-based lawyer.
5. Regulating government agencies
The law includes a section on how government agencies should handle personal data, requiring them to follow the same consent principles as businesses, with exceptions for circumstances specified by laws and regulations that the provision does not name.
Personal information processed by government agencies should be stored domestically, according to Article 36. Data that needs to be shared overseas should first go through a safety assessment by the relevant department.
In recent years, some instances of data leakage revealed some departments’ weak awareness of personal information protection, non-standard processing procedures and inadequate security protection measures, Yuan said.
6. Severe penalties
The sixth chapter of the law describes a new regulatory system, coordinated by the Cyberspace Administration, in which departments under the State Council, China’s cabinet, fulfill their duties in accordance with the law.
In addition, relevant government departments at the county level and above are also responsible for protecting citizens’ personal information as well as supervising and managing the use of their data. These obligations include receiving complaints and reports from residents and carrying out investigations into illegal behavior.
The law mandates a maximum fine of 50 million yuan ($7.72 million) or the equivalent of up to 5% of revenue from the previous year for those that illegally handle personal information, among the toughest penalties in the world.
The penalties also include forced business suspension for rectification and the potential revocation of business licenses.
Authors: Qin Jianhang and Wang Xintong, Caixin Global