China has passed a law that authorities say will “further refine” existing personal data protection agreements. The new “Law for the Protection of Personal Data of the People’s Republic of China” comes into force on November 1, 2021 and consists of eight chapters and 74 articles. They outline strict but vague measures about how and when data is collected and managed, people’s rights, and who ultimately owns the data.
On the basis of relevant laws, the law further refines and perfects the principles and personal information processing rules to be followed in the protection of personal information, clarifies the boundaries of rights and obligations in personal information processing activities, and improves the work systems and mechanisms for personal information protection.
The document describes standardized data processing processes, defines rules for big data and large companies, regulates those who process data, addresses data that flows across borders, describes the legal application of its provisions and also makes it clear that government agencies are not immune to dimensions. CAC notes that data collection consent is at the core of Chinese law, and the new legislation requires the individual’s prior, fully informed, and up-to-date consent. Data collection parties must not request excessive information or refuse products or services if the individual does not consent. Data collection can withdraw consent, and death does not end the information collector’s responsibilities or individual rights; it only transfers the right to control the data to the family of the deceased.
Information processors must also “take the necessary measures to ensure the security of the personal data processed” and must set up compliance management systems and internal audits. In order to collect sensitive data such as biometrics, religious beliefs, and medical, health and financial bills, the information must be required and protected for a specific purpose. An impact assessment must be carried out before the survey and the person must be informed about the necessity of the collected data and the effects on personal rights.
Interestingly, the law aims to prevent companies from using big data to exploit consumers, for example to set transaction prices or to mislead or deceive consumers based on individual characteristics or habits. In addition, large network platforms have to set up compliance systems, publicly report their efforts and outsource data protection measures. And when data flows across borders, data collectors have to set up a specialized agency in China or appoint a responsible representative. Organizations need to be clear about how data is protected and how its security is assessed.
The storage of data abroad does not release a person or a company from complying with the laws on the protection of personal data. Ultimately, the oversight and enforcement of the law lies with the Cyberspace Administration and the relevant departments of the State Council. But you don’t want to contradict: The CAC has cracked down on those who are walking around with customer data. For example, in July 2021, China’s analog Uber DiDi was ripped from local app stores for failing to comply with data rules, less than a week after its US IPO.
Source link
