As home to the world's largest number of internet users, China on Tuesday unveiled its highly anticipated draft law on personal data protection, a significant step to address the long-standing problems of leaks and hacks.
The draft was submitted for first review at the ongoing session of the top legislature meeting on Tuesday. It clarifies the definition of sensitive private data, including race, ethnicity, religion, biometric data, medical and financial data, and personal trajectory.
It states that those who violate the law could face a fine of up to 50 million yuan ($7.4 million) or 5 percent of their past year's turnover, which observers said will strike a heavy blow to organizations, enterprises and individuals who have constantly disturbed people's lives by illegally collecting, using and trading personal information for profit.
Legal experts said the existing laws do not provide adequate protection for individuals because they do not impose significant punishment on companies engaged in breaches.
Key information infrastructure operators, and entities handling a substantial amount of personal information, that need to provide personal information overseas must undergo a security assessment by Chinese authorities.
If overseas organizations or individuals are found to have damaged Chinese citizens' rights to private data, or to have been involved in personal data activities that harm national security and public interests, they will be placed on a blacklist by the Cyberspace Administration of China.
Wang Sixin, a media law professor at Communication University of China, believes that this specific clause targets overseas internet companies, especially in the US, given that some popular social media platforms were found to have leaked users' private information.
In August 2019, Twitter fixed an issue on its advertising platform that resulted in the company sharing some users' data with advertising partners without the users' consent. Earlier the same year, Facebook's database leaked the phone numbers of 419 million users.
The draft law has been long awaited and widely welcomed, as the big data industry has been growing rapidly in China. The industry played a vital role in helping fight the coronavirus epidemic, such as tracking down close contacts of confirmed patients through online tools, and monitoring personal trajectory to quickly identify suspected cases.
Similarly, under the EU General Data Protection Regulation, which took effect on May 25, 2018 and replaced the Data Protection Directive, violations could result in a fine of up to €20 million, or 4 percent of the firm's worldwide annual revenue from the preceding financial year. GDPR regulators have issued hundreds of fines to companies, including Google and Facebook, worth more than €114 million in the first 20 months of GDPR, according to its website.
Experts suggested the Chinese law on personal information protection should also impose specific punishments on overseas organizations or individuals if they are found to have leaked Chinese citizens' private information. They warned that the enforcement of the personal information protection law should be cautious; otherwise, it may harm the development of new technologies, as personal data also has abundant social, economic and governance value.