NPC approves Personal Information Protection Law

The Standing Committee of the National People's Congress (NPC) passed the Personal Information Protection Law after its third reading last week. This marks the latest addition to the regulatory framework of the rapidly growing digital economy. The new law is set to come into force on November 1. Together with the Cyber Security Law, which came into effect on June 1, 2017, and the Data Security Law, which is set to be implemented in September, it will create a comprehensive legal framework to regulate businesses' collection, storage and use of personal data and their handling of key data concerning national security, and strengthen the current protection regime, experts said.

According to the law on privacy, when pushing information and business marketing to individuals through automated decision-making, personal information processors should provide options that don't target personal characteristics at the same time, or offer ways of rejection, the Xinhua News Agency reported. It stipulates that individual consent should be obtained when processing sensitive personal information such as data on biometrics, health, financial accounts and whereabouts.

The law also requires suspension or termination of services for apps that illegally process personal data. “These articles respond directly to the pain points in the sector of private data protection over recent years and it spans all industries handling personal data,” Zhao Zhanling, a legal counsel at the Beijing-based Internet Society of China, told the Global Times, adding that it is high time private information be put under the lock of a basic law that is applied across different industries. “The new law will also increase compliance costs for personal data handlers,” Zhao noted. Having one of the most developed digital economies in the world, China has been accelerating the buildup of its data regulation and protection environment. In September, China will implement its Data Security Law, which requires companies that process key data to conduct risk assessments and submit reports to the relevant authorities. The law on data security is a key supplement to the Cybersecurity Law that has been implemented since 2017.

Compared with the West, China lags behind in the regulation of personal privacy based on a basic law like the Personal Information Protection Law, but has been quickly catching up in recent years, experts said. The national privacy law closely resembles the world's most robust framework for online privacy protections rolled out by Europe – the General Data Protection Regulation, which came into effect on May 25, 2018. The three pillar-like acts in China have a significant and far-reaching impact on the information protection of the Chinese people, corporate data compliance practices, China's digital economy and the world, according to observers, the Global Times reports.

The China Daily adds that China also issued trial guidelines on automobile data protection to protect drivers’ privacy and safeguard national security as vehicles are becoming increasingly digitalized. The Ministry of Industry and Information Technology (MIIT) said around 15% of vehicles sold in the country last year had some autonomous functions. That means over 3 million vehicles with cameras or radar hit Chinese roads in 2020. One highlight of the guidelines that will go into effect from October 1 is that carmakers and other data processors shall not collect data on trips unless they have the drivers’ and passengers’ consent. Also, data collected within vehicles should not be used outside vehicles unless necessary. Sensitive private data should be deleted within 10 days of drivers’ and passengers’ requests. Vital data must be stored within China if it involves such things as China’s military, government, traffic and logistics information as well as electric vehicles’ charging networks. It must not be exported before it passes safety appraisals by the relevant Chinese departments.