South China Morning Post
Advertisement
Advertisement
China technology
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
China is establishing a data governance framework that seeks to ensure the security of what it deems as important data, while putting limits on how businesses collect and use sensitive personal data. Photo: Shutterstock
TechPolicy

New draft of China’s personal information protection law adds restrictions on how apps collect personal data

  • Latest draft of China’s upcoming Personal Information Protection Law will target how apps handle personal data
  • Law is expected to be rolled out within the year, completing China’s national legal framework for data governance
China technology
Xinmei Shen
Xinmei Shen
Why you can trust SCMP

A new draft version of China’s Personal Information Protection Law (PIPL), a much-anticipated piece of legislation as Beijing tightens regulation of Big Tech on numerous fronts, proposes “targeted” restrictions on how mobile apps handle personal data, Beijing’s top legislative body said on Friday.

The new law, expected to be officially rolled out within the year, is now going through its third round of review at the Legislative Affairs Commission of the National People’s Congress (NPC) Standing Committee, the lawmaking body said at a press conference on Friday. The third review is usually the final round before a law is passed.

The latest draft includes several revisions to the previous version, including “targeted” regulations on mobile apps that excessively collect personal information, the commission said. It will also target algorithmic discrimination, a common practice among Chinese internet companies where a platform charges different prices to different users based on how much it thinks they are willing to pay.

The legislation, along with China’s data security law, which goes into effect next month, is expected to put an end to a Wild West era for China’s Big Tech companies in which they have largely had a free hand in how they collect and use consumer data.

Zhejiang province proposes rule to ‘destroy’ personal data collected during emergencies

Commission spokesman Zang Tiewei said at the press conference that the new draft has added definitions for automated decision making, which includes user profiling and recommendation algorithms, asking companies to make sure that the result of their automated decision-making is “fair” and “just”.

Further details of the new law remain unclear at this stage, as the full draft has not yet been made public.

China is establishing a data governance framework that seeks to ensure the security of what it deems as important data, putting limits on how businesses collect and use sensitive personal data, while encouraging the circulation of less sensitive data to unleash its economic value. The PIPL, along with the freshly passed Data Security Law and local data regulations, are all aimed at helping Beijing achieve these goals.
The previous version of the draft, unveiled in April, proposed that the country’s internet giants should each set up an independent oversight body primarily composed of people from outside the company to oversee how they process personal data. Companies that operate internet platforms with “a large number of users” and “complex businesses” will be subject to the provision, although neither term yet has a concrete definition.
China to punish data exports to overseas courts

The latest draft also proposes that the personal information of minors under the age of 14 should be treated as sensitive personal information. Previous drafts of the PIPL stipulated that sensitive information include an individual’s race, religious beliefs, biometrics and financial accounts. When processing sensitive personal information, businesses should make sure to obtain people’s “independent consent”, meaning that requests for it must be made separately from other information requests.

This article appeared in the South China Morning Post print edition as: China plans to further tighten rules for data use
Post