
Data privacy in China: Zhejiang province proposes rule to ‘destroy’ personal data collected during emergencies

  • Zhejiang province is reviewing new rules for handling public data, including data collected in response to a public emergency
  • Personal data was collected on a wide scale in China during the Covid-19 pandemic for contact tracing, leading to rampant leaks

China’s eastern province of Zhejiang, which is leading the country in applying big data technology to administration, has drafted rules stipulating that personal data collected during a public emergency should be either “sealed” or destroyed after use, a decision that would put certain checks on government agencies.

A draft version of the rules on how public institutions should collect, use and share data during emergencies states that they should provide support by sharing public data, and can demand that businesses and individuals provide relevant data, according to state-run news agency China News Service.

But once the emergency response is over, public institutions should assess and classify the collected data, and make sure that data involving state secrets, business secrets and personal privacy is either “sealed up” or destroyed, the news agency reported this week. The draft rules, the full text of which has not been made available yet, also state that relevant data applications should be shut down after the emergency response.

As part of China’s efforts to combat the Covid-19 pandemic, local governments, organisations and public venues all collected personal information aggressively for contact tracing purposes. But poor protection measures have led to rampant personal information leaks. There have been instances where spreadsheets of people’s personal information including names, addresses and phone numbers have ended up circulating on social media platforms, sometimes resulting in doxxing and harassment.

The draft Zhejiang rules represent the latest attempt by a local Chinese government to explore data governance, as Beijing builds a national legal framework for data with new laws including the Data Security Law, which was passed in June and goes into effect next month, and the Personal Information Protection Law, which is expected to be passed within the year. Local authorities are now experimenting with more detailed and more aggressive rules on how public institutions and businesses should handle personal data.

The rules from Zhejiang, the home of Alibaba Group Holding and the first Chinese province to implement a “health code” system during the coronavirus pandemic, could be endorsed by the national government to become a new standard. However, while the Chinese state grapples with greater control of data, many uncertainties remain about China’s new data regime.

According to Zhejiang’s draft rules, the provincial government will build up its “public data platform” and municipal governments can set up their own platforms. These platforms should be the only “channel and vehicle” for government agencies to share data.

The rules stipulate that government agencies should not ask individuals for multiple forms of identification. If a person can prove their identity with documents, government agencies should not require further identification, such as fingerprints, or iris and facial recognition, the news agency reported.

The proposed regulations are still under review and there is no official timetable for their implementation.

Meanwhile, China’s southern tech hub Shenzhen passed a new data regulation last month that explicitly forbids apps from profiling and serving personalised recommendations to users under the age of 18. It also states that all users have the right to opt out of both user profiling and personalised recommendations, a common practice among major internet platforms to drive user engagement.

The proposed Shenzhen rules, slated to take effect at the beginning of next year, also include a penalty of up to 50 million yuan (US$7.7 million) for companies that engage in algorithmic price discrimination, where a platform offers different prices to different users based on how much it thinks they are willing to pay. No national laws or regulations have specifically banned the practice, even though it has been repeatedly criticised by authorities.

This article appeared in the South China Morning Post print edition as: Zhejiang drafts rules on handling of personal data