China began soliciting public comment on Wednesday for draft legislation to place tight limits on the transfer of personal data outside the country and let Beijing retaliate against any “discriminatory” prohibitions by the US.
If passed, the Personal Information Protection Law will become China’s first unified piece of national legislation on the safeguarding of personal data.
Any company seeking to take users’ personal data outside China will undergo screening by cybersecurity authorities, according to the draft. Businesses involved in “critical information infrastructure,” such as telecommunications or finance, and those that handle large quantities of personal information will have to store such data on servers within China and undergo risk assessments before sending it abroad.
The aim is to strengthen protections for China’s more than 900 million internet users as concerns mount over data misuse. Opinions from experts and others will be solicited until mid-November. The law will likely take effect in 2021.
The bill explicitly enables Beijing to take retaliatory steps against countries or regions that impose discriminatory measures against China in this area. Many observers see this provision targeting American companies such as Microsoft and Apple that do business here.
The law would apply to all companies and organizations operating in China, as well as any overseas businesses that handle the data of Chinese nationals here.
The measure will affect the many Japanese companies looking to expand in China, the one bright spot in a global economy battered by the coronavirus pandemic. Retailers that collect information on customers and auto manufacturers that track driving data will face stricter limitations on what they can do with that information.
Companies will generally be required to obtain user consent before collecting personal information, except in emergencies or situations that require secrecy. The law provides for consent to handle “sensitive” data, whose misuse could lead to discrimination or threaten users’ security, with ethnicity, religion, biometric characteristics, medical and financial information, and location tracking among the characteristics specifically named in that category.
Violators face penalties including fines of up to RMB 50 million yuan (USD 7.51 million) or 5% of annual revenue. Authorities may also revoke licenses or permits, or order the operations in question to be shut down.
The purpose of the bill, according to the draft text, is to protect personal information rights as well as provide a legal framework to promote the use of such data. It bans the handling of personal data in ways that harm national security or the public interest.
South Africa Today