In August, China released the highly anticipated Personal Information Protection Law (PIPL) in response to mounting worries over personal data infringement among its nearly 1 billion internet users. The law, scheduled to come into effect in November, lists the obligations of information processors, particularly large internet platforms and government organs.
China has been stepping up supervision of data protection. In June, it passed the Data Security Law, following the Cybersecurity Law in 2016 and a series of related regulations. “Now with the PIPL, the three form the basic legal system to maintain information network security in the country,” noted Fu Wei, director of the digital development research center of Beijing-based Fuxi Institution, which focuses on internet research.
The PIPL prohibits excessive collection of personal data, stipulating that processing personal information requires clear and reasonable purposes and should proceed in the way that has the least impact on personal interests. The law bans the illegal obtaining, use, processing, transmission and trading of personal information. Processing of personal data should be based on personal consent (except in emergency or certain law-regulated situations). Giving users the right to say no, the law stipulates that personal information handlers should not refuse services to users who disagree or withdraw consent.
The law differentiates between general and sensitive personal information. The sensitive category covers data that causes severe consequences once leaked, such as biometrics, medical and health information and location data. Handling sensitive information requires obtaining individual consent separately and applying strict protection measures. Zhao Zhanling, a lawyer with the Beijing-based Yunjia Law Firm, said that many companies package requirements regarding personal data in their user agreement or privacy policy and users just check a box when they register. “But it won’t apply anymore when it comes to sensitive information. They’ll have to get personal consent separately if they’re dealing with sensitive information.”
Regarding data-enabled automated decision making, including tailored push notifications and advertisements, the law prohibits price discrimination and requires companies to provide non-personalized information. Installing devices for personal data collection and ID identification in public places should be for maintaining public security, and the data collected can only be used for public security purposes except in cases of individual consent, according to the PIPL.
The law provides more assurance for users in safeguarding their rights, according to Zhao. For example, it adopts a presumption of fault in data infringement cases, requiring information handlers to prove their innocence. “In the past, when individual users’ rights were infringed, it was hard for them to show evidence,” Zhao said.
In addition, the use of public interest litigation to protect individuals’ rights is written into the law. “It will play an important role in the future. The majority of users will not use legal means to protect their rights due to the difficulty and high cost involved. Public interest litigation by prosecutors and social organizations will make up the deficiency and serve as a supervision power for companies,” Zhao said.
“Following the implementation of the law and supportive policies, problems like excessive collection and misuse of personal information are expected to be effectively cracked down on,” said Fu Wei, also a postdoctoral fellow at Tsinghua University’s Center for Internet Governance.
The law also gives individuals the right to check, copy and transfer their personal information, which Fu expects to help the country’s anti-monopoly efforts in the platform economy.
What’s more, in regulating cross-border transmission of personal data, the law requires operators of key information infrastructure, as well as personal information processors (PIPs) that handle data reaching designated amounts set by internet and information departments, to store collected personal data within the border. It is not yet clear what the designated amount means. Information processors that need to transmit personal data across the border have to pass a security evaluation from relevant departments and gain individual consent, and they need to make sure the overseas information receiver abides by at least the same standards of data security as China.
“Specific measures are expected to come out soon as important supporting rules to go with the law,” said Zhao, adding that these regulations are meant to protect public interest and also national security, as increasingly frequent cross-border flow of personal information has aggravated the risks.