At a glance: The National People’s Congress (NPC) Standing Committee issued the second draft of its Personal Information Protection Law (PIPL) for public comments. Notable changes since the first draft was released in October 2020 include:
- Expansion of the law’s scope to cover private data use by big tech companies, which are required to establish independent bodies to supervise the handling of personal information
- Penalties of up to CNY 1 million for the transfer of domestically stored personal information to foreign authorities without government permission
- Requirement for companies to give users the choice of whether to receive automated, personalized advertisements based on their personal information
The NPC simultaneously issued the second draft of its Data Security Law (DSL) for review, which, among other things, increases the fines for data security violations for companies and responsible personnel.
MERICS comment: The release of these second drafts represents a big step toward finalizing China’s comprehensive legislative framework for data protection – a key regulatory focus since the implementation of the Cybersecurity Law in 2017.
China’s data privacy regime largely mirrors the European GDPR with its focus on giving users more control and knowledge about how their data is being handled. The PIPL includes some provisions limiting the government’s use of personal information, yet the focus of both drafts is primarily on commercial use. Another round of crackdowns on corporate data violations was carried out in recent weeks by the Cyberspace Administration of China (CAC) and the Ministry of Industry and Information Technology (MIIT).
European businesses, which are already grappling with increasing data compliance costs in China, must be prepared for regulatory burdens that go beyond GDPR requirements. The tight restrictions on providing data to foreign authorities, alongside existing requirements for foreign firms to store data locally, may force more European companies to separate their Chinese and European data pools. The lack of an independent data protection authority and ambiguity regarding the definitions of ‘personal information’ and ‘important data’ in some sectors will also continue to create uncertainty for foreign firms regarding the laws’ implementation.
Policy name: Personal Information Protection Law (Second Review Draft) (个人信息保护法（草案二次审议稿）征求意见) (Link)
Issuing body: NPC Standing
Date: April 29, 2021
You are reading an excerpt of our latest MERICS China Industries.
If you want to learn more about our membership model for institutions and businesses, please click here.
If you are a MERICS member, you can access the full publication here.