Personal Information Protection Law of China came into effect

A law restricting the collection of user data by technology companies came into force in China on Monday. The document contains provisions to strengthen the protection of personal data, especially for users of online platforms.

According to the law, no organization or individual should illegally collect, use, process, transfer, trade, provide or disclose other people's data. Companies breaking the new rules could face fines of up to 50 million yuan ($ 7.7 million), or up to 5% of their annual revenues.

The text of the law was published on the portal of the National People's Congress. It also stipulates that the online platforms with large numbers of users should develop detailed rules of conduct for parties providing services through these platforms. They must clearly define data processing regulations and obligations to protect personal information by providers of products or services on online platforms.

The law is extraterritorial: its provisions regulate the processing of personal data of Chinese users for the provision of products and services or analysis of user behaviour not only in China but also abroad. In this case, foreign companies are required to open a special office or appoint a representative in China, which will be responsible for ensuring the security of this data.

The cross-border transfer of data is also subject to special regulation - companies will be required to obtain special consent from the users for the transfer of their data abroad. In addition, operators of critical information infrastructure and companies with a significant audience of Chinese users will have to undergo government certification and a special security audit, the rules of which will be set by the Cyberspace Administration of China. According to the draft explanatory document submitted by the Chinese authorities for public comment last week, the regulation will apply to companies with more than 1 million users.

In a dialogue with Interfax, Director of the Center for Global IT-Cooperation Vadim Glushchenko noted that the China’s Law on the protection of personal information largely takes into account the experience of regulating this area in the world, in particular, the application of the General Data Protection Regulation (GDPR).

“At the same time, one of the key differences between the Chinese law and the European regulation is the establishment of special requirements for Internet platforms, such as the creation of a control system for the protection of personal information in accordance with government requirements, the formulation of clear standards for products and services of the platform and its obligations on protection of personal information, as well as the termination of the provision of services or products that seriously violate national legislation regarding the processing of personal information,” stated Glushchenko.

The expert also emphasized that with the help of the new law, the Chinese authorities are trying not so much to restrain cross-border data transfer, as to clearly define the conditions for such transfer and the requirements for its protection.

“And China, of course, is not alone in this. Just look at the regulation of this issue in the same European Union, where, in accordance with the GDPR, , the so-called “Decision on the adequacy” of the personal data protection system of one or another country is required for the cross-border transfer of personal data of EU citizens”, - added Glushchenko.

According to him, in general, the law is aimed at reducing the influence of digital giants, which has become a global trend in recent years.

The expert highlighted that the Russian “Landing Law" is also a part of this trend. “At the same time, it is based on a consistent approach aimed at the softest “landing”, - claimed Glushchenko.

In turn, the chairman of the commission for legal support of the digital economy of the Moscow branch of the Russian Lawyers Association, Alexander Zhuravlev, told the agency that the new Chinese law regulates the activities of IT giants more stringently than the Russian “Landing Law” and imposes additional restrictions on the operation of companies within the country.

“In comparison, our law is softer than the law that operates in China. This law also introduces certain rules of conduct for IT companies and those, who process personal data of Chinese people,” Zhuravlev said.

For years, China's soft rules for accessing personal data have allowed the country's tech companies to quickly develop and adapt products and technologies based on consumer preferences. At the same time, there have been a lot of complaints lately about the theft of personal data, as well as frauds committed with their use.

https://www.interfax.ru/world/800790