Photo taken on Sept. 27, 2021 shows visitors watching a sand table of 5G-empowered smart city
at PT Expo China 2021, an influential information and communications technology (ICT) annual
event in Asia, held in Beijing. (Photo by Chen Xiaogen/People’s Daily Online)
China’s law on personal information protection took effect on Monday. The new law specifies and
completes the guiding principles for the protection of personal data and rules that must be
followed when processing personal information, defines rights and obligations in personal
information processing activities, and improves working systems and mechanisms for personal
information protection.
The law states that the handling of personal information should be guided by and directly related
to clear and reasonable purposes, and be carried out in ways that affect the rights and interests of
relevant individuals the least, said experts.
It also stipulates that the collection of personal data should be limited to the minimum extent
possible to achieve such purposes, according to experts.
To address problems that have been complained about the most, such as bundling various policies
into one agreement and forcing users into consent, the law requires personal information
processors to obtain individual consent in links including processing sensitive personal
information, providing personal information for third parties, disclosing personal information, and
cross-border transfer of personal data.
The law clearly stipulates that personal information processors shall not excessively collect
personal information or refuse to provide products or services for users simply because they do
not agree to share their personal information.
Meanwhile, individuals should be allowed to withdraw their consent to the handling of their
personal information, and after the withdrawal, personal information processors shall immediately
stop processing or delete their personal information, according to the law.
In an effort to put an end to big data-enabled price discrimination against existing customers, the
law states that personal information processors shall ensure the transparency of their automated
decision-making based on personal information and the fairness of the decisions and shall not
unfairly treat individuals in terms of transaction price and other trade conditions.
Sensitive personal information, which includes biometrics, medical and health, financial accounts
and whereabouts, can only be processed with specific purposes, absolute necessity, and strict
protective measures, according to the law.
Sensitive personal information processors shall assess the influence of their activities and inform
individuals about the necessity and impacts of such activities on their rights and interests
beforehand, says the law.
The number of China’s Internet users reached 989 million by the end of 2020. The huge netizen
population serves as the cornerstone of the country’s digital economy, for which data is an
important driving force.
Protecting personal data isn’t contrary to developing digital economy, said experts, who noted that
the key to a win-win situation for both is to keep a balance between the utilization and security of
information on the basis of protecting individual rights and interests and promoting reasonable
flow of information.
The law designed to tighten personal data protection has arrived amid rising concerns and
complaints about excessive collection of personal data by some service providers.
More often than not, people find they are asked to provide information about their geographical
locations when they only want to install a flashlight app on their mobile phones; when they
download a text editor app, the app provider asks for access to their address books; and their facial
information is probably captured without their consent as they enter the sales office of a real estate
company.
After investigating hundreds of thousands of apps, a research team of Renmin University of China
found that many of the more than 30 permissions requested by apps do not match with the
requirements of apps for realizing their functions.
Commercial exploitation of some information is the primary purpose of apps’ excessively
requesting permissions from users. For instance, pushing personalized advertisements and other
information to users represents the potential commercial value of personal information.
App operators can even make a judgment about users’ jobs and the places they often go to after
acquiring certain permissions, according to an app developer.
Analyzing users’ characteristics based on data can help improve their consumption experience and
at the same time lead to infringement acts in consumption activities, such as price discrimination
against existing customers.
High hopes are usually placed on the self-discipline of personal data collectors for protecting
people’s personal information. However, information leakage can happen easily due to the lack of
solid “protecting wall”. What’s worse, some information collectors even trade in data, which could
result in illegal use of personal information. Against the backdrop, the execution of the law on
personal information protection becomes all the more significant.
