China: adoption of a regulation on personal data protection

0

Data protection is a delicate issue that is often debated. In France, and more generally throughout the European Union, the General Data Protection Regulation (GDPR) is the reference text for personal data protection. In China, such legislation did not exist, at least, until August 20, 2021, when a final version of the Personal Data Protection Law was passed and adopted by the National People’s Congress, which holds the legislative power in China. Although the official text has not yet been published, some information is known.

A regulation for data security and personal data protection

This is another step towards the protection of personal data in China. On August 20, China’s legislative body voted by a majority to adopt a final version of its major law on personal data protection. Based on the model of European regulations (including the RGPD), this text should help protect Internet users from fraud and malicious initiatives.

In case of non-compliance with the provisions of this new legislation, companies are exposed to penalties and fines of up to 5% of their annual turnover or 50 million yuan, or 6.6 million euros. It is also possible that companies will be threatened with suspension or permanent termination of their services in the event of very serious misconduct.

With this new law, China intends to minimize the collection of data by the private sector and to subject their use to customer consent. In parallel with the upcoming enactment of this legislation, the Data Security Law is expected to come into force on September 1, 2009, to provide a framework for classifying personal information according to national security and economic value.

Several measures inspired by the GDPR, Chinese government not concerned

Among the set of new measures in China’s future personal data regulation, here are the ones known so far:

  • Digital companies will have to seek permission to process personal biometric, medical, health, financial and location information. Internet users will have to be able to refuse targeted advertising.
  • An end to algorithmic discrimination, which is regularly exploited in China to adjust the price of products sold online based on consumer data collected online.
  • A ban on the transfer of information from China to countries that do not have the same level of data protection. While the European Union obviously has such legislation, the United States does not.

If the text is greatly inspired by the RGPD, other aspects are however quite different: for example, the new legislation will not apply to the Chinese government, which will be able to continue to monitor its population, as the BBC reported with the Uyghurs, last May. The Chinese data protection law will not come into force in China until November 1.

Translated from Chine : adoption d’une règlementation sur la protection des données personnelles