Draft of internet data security regulation published

The Cyberspace Administration of China has published a draft regulation on protecting internet data security. It clarifies the provisions of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and interprets principles in the laws by listing examples. “The details clearly answer what internet entities, including enterprises and users, should do and shouldn’t do in data handling, which will make law enforcement more practical,” said Wang Sixin, Professor of Internet Law at the Communication University of China. The draft regulation requires those handling data to delete personal data or remove identifying information within 15 working days in some situations, such as when receiving a user’s request to stop online services or can?cel an account, which is a requirement laid out in the Personal Information Protection Law (PIPL). “In this way, data processors can no longer refuse or delay removing personal information on the grounds that there is no clear time limit in the law,” he added. The draft document will be further improved following more consultations, Wang said. The Administration has posted the 75-article draft regulation on its web?site, and is inviting public feedback until December 13.

While establishing a category and class-based data protection system, data processors are also ordered to set up an emergency response mechanism to limit the damage caused by potential data security incidents in accordance with the draft regulation. Meanwhile, data processors should conduct a risk assessment of the necessity and safety of personal identity authentication under the draft, which clarifies that biometric information, including facial features, voices and fingerprints, cannot be the only means of identifying people’s identities. Additionally, online platform operators with huge data or resources involving state security, economic growth or public interests need to apply for a security review if they are ready to merge, reorganize or be split up, according to the draft. Such a security review is also a legal requirement for data processors that deal with personal information of more than 1 million people and plan to go public abroad, the China Daily reports.