China has passed a law that authorities say "further perfects" existing arrangements for protection of personal data.
The new "Personal Information Protection Law of the People's Republic of China" comes into effect on November 1st, 2021. It comprises eight chapters and 74 articles that set out strict yet loosely defined rules on how and when personal data may be collected and managed, what rights individuals have over it, and who ultimately controls it.
The Cyberspace Administration of China (CAC) said, as translated from Mandarin using automated tools:
On the basis of relevant laws, the law further refines and perfects the principles and personal information processing rules to be followed in the protection of personal information, clarifies the boundaries of rights and obligations in personal information processing activities, and improves the work systems and mechanisms for personal information protection.
The document outlines standardized data-handling processes, defines rules on big data and large-scale operations, regulates those processing data, addresses data that flows across borders, and outlines legal enforcement of its provisions. It also clarifies that state agencies are not immune from these measures.
The CAC asserts that consent to collection is at the core of China's data laws, and the new legislation requires that consent be fully informed, given in advance, and kept current. Parties gathering data cannot demand excessive information, nor refuse products or services to an individual who declines to consent. The individual whose data is collected can withdraw consent at any time, and death does not end the information collector's responsibilities or the individual's rights: the right to control the data passes to the deceased subject's family.
Information processors must also take "necessary measures to ensure the security of the personal information processed" and are required to set up compliance management systems and internal audits.
To collect sensitive data, like biometrics, religious beliefs, and medical, health and financial accounts, information needs to be necessary, for a specific purpose and protected. Prior to collection, there must be an impact assessment, and the individual should be informed of the collected data's necessity and impact on personal rights.
Interestingly, the law seeks to prevent companies from using big data to prey on consumers – for example setting transaction prices – or mislead or defraud consumers based on individual characteristics or habits. Furthermore, large-scale network platforms must establish compliance systems, publicly self-report their efforts, and outsource data-protective measures.
If data flows across borders, the data collector must establish a specialized agency in China or appoint a representative there to be responsible for it. Organizations are required to be clear about how the data is protected and how its security has been assessed.
Storing data overseas does not exempt a person or company from compliance with any provision of the Personal Information Protection Law.
Supervision and enforcement fall to the Cyberspace Administration and the relevant departments of the State Council. The penalties for non-compliance were not listed, but one would not want to run afoul of the regulator: the CAC has cracked down hard on those who are loose with customer data.
For example in July 2021, China's Uber analog, DiDi, was booted from local app stores on grounds it was not compliant with data rules, less than a week after it IPO'd in the US.
In May 2021 the CAC ordered 105 apps, including LinkedIn, Bing, Douyin, TikTok and Baidu, to stop improperly collecting and using people's personal data.