China puts continuous consent at the center of data protection law • The Register
China has passed a law that the authorities say “further improves” existing provisions on the protection of personal data.
The new “Personal Information Protection Law of the People’s Republic of China” comes into force on November 1, 2021 and consists of eight chapters and 74 articles that outline strict but vague measures on how and when data is collected and managed, rights of individuals, and who ultimately owns the data.
The Cyberspace Administration of China (CAC) noted, translated from Mandarin using automated tools:
The document describes standardized data processing processes, defines the rules on big data and large-scale operations, regulates data processing, processes data that crosses borders and describes the legal application of its provisions. It also specifies that state agencies are not immune to these measures.
The CAC says consent to data collection is at the heart of Chinese laws and that the new legislation requires prior informed and constantly updated consent from the person. Parties who collect data cannot demand excessive information or refuse products or services if the person disapproves of them. The person whose data is collected can withdraw their consent, and death does not terminate the responsibilities of the information collector or end human rights – it only transfers the right to control the data to the family of the deceased subject.
Information processors must also take “the measures necessary to ensure the security of personal information processed” and are required to put in place systems for managing compliance and internal audits.
To collect sensitive data, such as biometrics, religious beliefs, and medical, health, and financial accounts, the information must be necessary, for a specific purpose, and protected. Before collection, there must be an impact assessment, and the individual must be informed of the need for the data collected and its impact on human rights.
Interestingly, the law seeks to prevent companies from using big data to prey on consumers – for example by fixing transaction prices – or misleading or defrauding consumers based on individual characteristics or habits. In addition, large-scale network platforms must establish compliance systems, publicly declare their efforts, and outsource data protection measures.
And if the data crosses borders, data collectors must establish a specialized agency in China or appoint a responsible representative. Organizations are required to clarify how data is protected and its security assessed.
Storing data abroad does not exempt a person or company from complying with any of the laws on the protection of personal information.
Ultimately, oversight and law enforcement are the responsibility of the Cyberspace Administration and the relevant departments of the Council of State. The penalties for failure weren’t listed, but the CAC has severely cracked down on those who mishandle customer data.
For example, in July 2021, Uber’s Chinese analogue, DiDi, was booted from local app stores on the grounds that it did not comply with data rules, less than a week after its IPO in the United States.
In May 2021, the CAC ordered 105 apps, including LinkedIn, Bing, Douyin, TikTok, and Baidu, to stop collecting and inappropriately using people’s personal data. ®