China’s Big Tech firms to create user information oversight bodies under upcoming data privacy law
- China’s upcoming Personal Information Protection Law will have internet companies create independent bodies to oversee their compliance of data privacy regulations
- The law’s latest draft is undergoing a second round of review, as Beijing increases scrutiny of how Big Tech companies handle user data
The new draft requires internet platforms with a “large number of users” and “complex businesses” to establish “independent bodies” that oversee how they process personal data, according to the report.
It said each independent body, which will be primarily composed of people from outside the company, would be tasked with overseeing the firm’s regular publication of social responsibility reports involving personal data protection.
It remains unclear how the upcoming law’s latest draft defines a “large number of users” and the manner in which “independent bodies” will oversee the way internet platforms handle user data. This draft will soon be introduced to the public, while the law’s final version is expected to be rolled out within the year after a third round of review.
Putting the onus on Big Tech companies to become the gatekeepers for user data protection is a concept that is legally unprecedented internationally, according to Raymond Wang, a partner at law firm Anli Partners.
The GDPR requires companies to appoint and provide resources for a DPO, who shall help regulatory authorities oversee a company’s data-protection practices.
Beijing is building a data-governance regime that seeks to strike a balance between protecting user privacy, creating a viable market for data and a thriving digital economy, while maintaining strong government control. That has put the PIPL and the upcoming Data Security Law at the top of the agenda of Chinese lawmakers, according to legal experts.
At a press conference last week in Beijing, Zang Tiewei, spokesman for the Legislative Affairs Commission under the National People’s Congress Standing Committee, said the PIPL’s revised draft added protection for the personal information of deceased persons, and clarifies the role of the Cyberspace Administration of China in enforcing personal data protection regulations.
The Ministry of Industry and Information Technology (MIIT), meanwhile, released on Monday a provisional regulation on how mobile apps in China should handle users’ personal information, ramping up Beijing’s efforts to curb the excessive collection of personal data by app operators.
That provisional regulation, first mentioned by the MIIT in February, said companies should process data based on two principles: “informed consent” and “data minimisation”.
It also clarified the responsibilities of different parties in processing personal information, including app developers, app distribution platforms and mobile device makers. The MIIT is now soliciting public comments for the new provisional regulation, the implementation of which has not been set.