Personal info under 'lock' with new law passed, completing three legal pillars on China's privacy, data and cyber security
Governance wisdom significant to global data security rules
Published: Aug 20, 2021 03:08 PM

Citizens in Guangzhou, South China's Guangdong Province have their faces scanned to enter the city's metro service on Monday at two pilot stations equipped with facial recognition systems. Passengers need to register their personal information in advance on the metro operator's app. Photo: VCG

Citizens in Guangzhou, South China's Guangdong Province have their faces scanned to enter the city's metro service on Monday at two pilot stations equipped with facial recognition systems. Passengers need to register their personal information in advance on the metro operator's app. Photo: VCG

China passed its Personal Information Protection Law on Friday, marking the latest addition to the regulatory framework that the country has been ramping up efforts on amid the rapid-growing digital economy. 

The new legislation, China's first, is set to be implemented on November 1. Together with the Cyber Security Law, which came into effect on June 1, 2017 and Data Security Law, which is set to be implemented in September, they will create a comprehensive legal framework to regulate businesses' collection, storage and use of personal data and their handling of key data concerning national security, and strengthen the current protection regime, experts said.

Such a legal system could also offer experience for other countries in an era where data is treated as a crucial production factor.

According to the law on privacy, when pushing information and business marketing to individuals through automated decision-making, personal information processors should provide options that don't target personal characteristics at the same time, or offer ways of rejection, the Xinhua News Agency reported.

It stipulates that individual consent should be obtained when processing sensitive personal information such as biometrics, medical and health, financial accounts and whereabouts.

The law also requires suspension or termination of services for apps that illegally process personal data. 

"These articles respond directly to the pain points in the sector of private data protection over recent years and it spans all industries in the practice of handling personal data," Zhao Zhanling, a legal counsel at the Beijing-based Internet Society of China, told the Global Times on Friday, adding that it is high time private information be put under the lock of a basic law that is applied across different industries.

"The new law will also increase compliance costs for personal data handlers," Zhao noted.

The draft law on personal information protection was submitted to the Standing Committee of the National People's Congress, China's top legislation, for its third reading from Tuesday to Friday.

Catching up, offering experience 

China, boasting of one of the most developed digital economies in the world, has been accelerating its push to build up its data regulation and protection environment. 

In September, China will implement its Data Security Law, which requires companies that process key data to conduct risk assessments and submit reports to the relevant authorities. 

The law on data security is deemed as a key supplement to the Cybersecurity Law that has been implemented since 2017.

Unlike the law on data security which attaches importance on data security at a macro level, the just-passed legislation is more focused on the individual level.

Compared with the West, China lags behind in the regulation of personal privacy based on a basic law like the Personal Information Protection Law, but has been quickly catching up in recent years, experts said. 

The national privacy law closely resembles the world's most robust framework for online privacy protections rolled out by Europe - the General Data Protection Regulation, which came into effect on May 25, 2018.

"Actually, we started making the stipulation on private information more than a decade ago, although there was some suspension in between, and have created basic legal frameworks based on regulation across different industries; plus, for the current criminal law, we have provisions concerning the protection of personal privacy of citizens," said Zhao.

From another perspective, however, China is leading in data management at a national level especially when some crucial data has become highly important to a nation's security.

The three pillar-like acts in China have a significant and far-reaching impact on the information protection of Chinese people, corporate data compliance practices, China's digital economy and the world, according to observers.

"Officials from a certain country's embassy in China have approached our team recently, hoping we can offer some elaborations on the Data Security Law, and they want to learn from China's experiences to promote similar laws in its own country," Zuo Xiaodong, vice president of the China Information Security Research Institute, told the Global Times on Friday.

"It shows that China's governance philosophy and wisdom on this matter have aroused the attention of the world and it is of positive significance for China to lead the formulation of global data security rules," Zuo said.

He added that in addition to the three basic laws, there is also a regulation paper on data security management to supplement the current legal framework. Its timetable for rollout is yet to be released.

'Double standards'

The privacy law has been interpreted as "one of the world's strictest" data privacy laws as some Western media reported, but their meaning of "strictest" is totally different from what people naturally understand since the former is a complete "double standard" practice, experts warn.

Chinese users tend to have high resonance with "strict" management after years of data abuse and illegal collection by some internet firms and hope the country can prevent such behaviors, Zuo said. "But through this word, the West means something quite different: the Chinese government wants to strengthen regulation and surveillance of data based on the current legal framework."

Unlike in Europe, where governments face more public pressure over data collection, the Chinese government is expected to maintain broad access to data, the Wall Street Journal reported.

"When it came to the discussion of adequate level of data protection, some EU officials said the level of personal information protection in China is poor, and it is impossible to give China a 'data protection adequacy determination,' and strict restrictions on the flow of EU data into China will be imposed," Zuo said. "But when China is endeavoring to roll out laws on data security and personal information protection, the West has such distorted interpretations, which is an obvious double standard practice.

"However, these noises will not hinder our progress on cyber and data governance according to our own conditions and pace," Zuo underscored.