China has been ramping up efforts to protect personal data security. The Personal Information Protection Law (PIPL), which was passed in August, went into force on November 1. Mobile applications, mini programmes and social media platforms have become an essential part of people’s daily lives, meeting their needs for diverse services.
After searching for a product on a platform, some consumers have found that other platforms may start to push the same product. Meanwhile, others complain of price discrimination where one user pays more for the same item on the same platform. They also complain that the privacy policy terms on applications are not always reader-friendly.
In response to such problems, a set of requirements and protections for data privacy, with informed consent at its core, has been included in the PIPL, which is also known as the country’s first comprehensive and systematic law on personal data protection.
“This is a comprehensive protection rule on the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, following the promulgation of China’s Cybersecurity Law, Civil Code and Data Security Law. Such a basic law to protect personal information has improved China’s top-level design in the field of cybersecurity and data protection.”
Xu Zhongyuan, dean of the Law School of Central South University
The law makes provisions prohibiting the excessive collection of personal information and big data-enabled price discrimination against existing customers. According to the law, when pushing information and business marketing to individuals through automated decision-making, personal information processors should refrain from targeting users’ personal characteristics and offer ways for them to reject the offer.
The law also mandates the suspension or termination of services for apps that illegally process personal data. Prominent signs must be put up in public places where image acquisition and personal identification equipment are installed, stipulating that the collected images and identification information can only be used to safeguard public security.
Sensitive personal information, such as one’s biological data, religious beliefs, health, financial information and whereabouts, and the personal information of minors under 14, is protected under the law. It can only be processed for a specific purpose, where there is sufficient necessity, and under strict protection measures.
Chinese internet companies have already introduced measures to reflect their information protection obligations, some even before the law’s implementation. China’s e-commerce giant issued a notice on its open platform to strengthen the protection of sensitive information in consumer orders, launching a consumer sensitive information protection plan to encrypt sensitive information.
The Cyberspace Administration of China issued draft measures on outbound data security assessment to better regulate companies that transfer important data generated and collected in China overseas and ensure a free and orderly flow of data in accordance with the law.
As reported by OpenGov Asia, China has also passed regulations on cybersecurity. Measures including monitoring, defence, and proper handling of cybersecurity risks and threats from both home and overseas will be carried out to ensure that relevant facilities are protected from attacks, intrusions, interference and sabotage. The regulation came as the country’s major IT infrastructure faces severe security challenges including frequent cyberattacks.
The regulation also called on operators of major IT infrastructure projects to bear primary responsibility for maintaining the integrity, confidentiality and availability of relevant data. Requirements for these operators include conducting security checks and risk assessments every year and prioritising safe and creditable internet products and services in procurement.