The latest revisions will impose stricter requirements on internet platforms and restrict Chinese firms from handing data to foreign agencies.
China is consulting on changes to its laws on personal information protection and data security, seeking to bolster safeguards for consumers in the way their personal data is handled.
Last week (26 April), draft revisions to the Personal Information Protection Law (PIPL) and the Data Security Law were submitted to the NPC (National People’s Congress) Standing Committee for review.
China solicited public opinions on a draft of the PIPL in October 2020, seeking to establish a set of rules for the handling of personal information with informed consent as its core principle, and to impose more stringent restrictions on the handling of sensitive personal information.
Under the draft, which is based on the EU’s GDPR (General Data Protection Regulation), violators would face a fine of up to CNY 50 million, or 5 percent of the previous year’s turnover.
The latest draft includes revisions that will require internet platforms to set up independent oversight bodies that would supervise their handling of personal data, to address concerns over privacy and safety of consumer data used in services ranging from e-commerce to financial management.
Each independent body would primarily be composed of people from outside the company, and tasked with overseeing the firm’s regular publication of social responsibility reports involving personal data protection.
The independent oversight body’s role resembles the GDPR concept of a DPO (Data Protection Officer), which is similarly tasked with helping regulatory authorities oversee a company’s data protection practices.
The revised draft also includes new protections for the personal information of deceased persons, and clarifies the role of the CAC (Cyberspace Administration of China) in enforcing personal data protection regulations.
The CAC has recently released new guidelines setting out requirements that prohibit mobile apps from collecting personal information that falls outside their business scope.
The consultation on the PIPL draft, available here, is open for comment until 28 May.
Meanwhile, the revised Data Security Law seeks to introduce a data classification system under which data will be classified based on varying levels of importance to economic and social development, Xinhua reports.
The levels of potential damage to national security, public interest, and the rights and interests of individuals and organisations caused by data tampering, corruption, leaks and unauthorised access and utilisation will also be taken into consideration in the data classification process, the draft says.
It also stipulates that key data catalogs shall be compiled for different regions, departments, industries and sectors to enhance the protection of important data.
China solicited public opinions on the draft Data Security Law following its first review at the sessions of the NPC Standing Committee in June 2020.
Since then, a clause has been added that will allow for companies to be fined up to CNY 1 million if they hand over domestically stored data to foreign law enforcement agencies, courts or investigators without consent from Chinese authorities. Any individual responsible for such unauthorised data transmissions can also be fined up to CNY 200,000.
The legislation will make it harder for overseas law enforcement agencies to move data out of China, as well as increase the complexity of the regulatory framework for firms with cross-border operations, the SCMP notes.
“For example, under this law, any Chinese or US company holding data of US users on a server based in China, could refuse a US court request to access such data if Beijing does not give its explicit approval,” the report says, adding that the law would apply to US businesses like Apple that are required to store data in China as part of their operations in the country.
The law could also be in conflict with US regulations, specifically the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted by former US president Donald Trump to enable US agencies to demand access to data in foreign jurisdictions.
The consultation on the Data Security Law, available here, is open for comment until 28 May.