Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
A revised draft of China’s Personal Information Protection Law was submitted for review on April 26, 2021. Photo: AP

China’s Big Tech firms to create user information oversight bodies under upcoming data privacy law

  • ‎China’s upcoming Personal Information Protection Law will have internet companies create independent bodies to oversee their compliance of data privacy regulations
  • The law’s latest draft is undergoing a second round of review, as Beijing increases scrutiny of how Big Tech companies handle user data
China’s internet giants are each expected to create an independent oversight body for protecting users’ information under the upcoming data privacy law, according to a report by state-run Xinhua News Agency.
The much-anticipated Personal Information Protection Law (PIPL), the country’s first set of rules to safeguard personal data, is undergoing a second round of review, as Beijing tightens its scrutiny of how Big Tech companies gather and make use of private data. The initial version of PIPL was unveiled in October last year, and a revised draft was submitted on Monday for review. 

The new draft requires internet platforms with a “large number of users” and “complex businesses” to establish “independent bodies” that oversee how they process personal data, according to the report.

It said each independent body, which will be primarily composed of people from outside the company, would be tasked with overseeing the firm’s regular publication of social responsibility reports involving personal data protection.

China’s upcoming data privacy law tightens scrutiny of how Big Tech companies gather and make use of private data. Photo: AP

It remains unclear how the upcoming law’s latest draft defines a “large number of users” and the manner in which “independent bodies” will oversee the way internet platforms handle user data. This draft will soon be introduced to the public, while the law’s final version is expected to be rolled out within the year after a third round of review.

Putting the onus on Big Tech companies to become the gatekeepers for user data protection is a concept that is legally unprecedented internationally, according to Raymond Wang, a partner at law firm Anli Partners.

The closest parallel would be Facebook’s settlement with the Federal Trade Commission (FTC) in 2019 for privacy violations, following the Cambridge Analytica scandal, Wang said. The FTC directed Facebook to create an independent privacy committee to oversee its compliance.
An independent oversight body’s role, such as what is proposed under China’s upcoming privacy law, bears some resemblance to the concept of a Data Protection Officer (DPO) under the European Union’s General Data Protection Regulation (GDPR), according to Michael Tan, partner at international law firm Taylor Wessing.

China’s digital dreams at risk from black market for personal data

The GDPR requires companies to appoint and provide resources for a DPO, who shall help regulatory authorities oversee a company’s data-protection practices.

Beijing is building a data-governance regime that seeks to strike a balance between protecting user privacy, creating a viable market for data and a thriving digital economy, while maintaining strong government control. That has put the PIPL and the upcoming Data Security Law at the top of the agenda of Chinese lawmakers, according to legal experts.

At a press conference last week in Beijing, Zang Tiewei, spokesman for the Legislative Affairs Commission under the National People’s Congress Standing Committee, said the PIPL’s revised draft added protection for the personal information of deceased persons, and clarifies the role of the Cyberspace Administration of China in enforcing personal data protection regulations.

Chinese police crack syndicate selling schoolchildren’s personal data online

The Ministry of Industry and Information Technology (MIIT), meanwhile, released on Monday a provisional regulation on how mobile apps in China should handle users’ personal information, ramping up Beijing’s efforts to curb the excessive collection of personal data by app operators.

That provisional regulation, first mentioned by the MIIT in February, said companies should process data based on two principles: “informed consent” and “data minimisation”.

It also clarified the responsibilities of different parties in processing personal information, including app developers, app distribution platforms and mobile device makers. The MIIT is now soliciting public comments for the new provisional regulation, the implementation of which has not been set.