China’s top legislature, the Standing Committee of the National People’s Congress (NPC), has received the latest draft of the country’s first personal information protection law (PIPL) for regulatory review, following the first draft published in October 2020, as reported by Caixin on April 27. The final version of the PIPL is expected to be submitted for voting by this year after the third round of review.
Compared with the previous version, the second draft of the PIPL tightens the data privacy rules for large-scale internet firms, requiring companies that collect massive amounts of personal data to establish independent supervisory bodies to oversee their data handling process. Meanwhile, these enterprises are also banned from collecting personal information through any form of coercion, while they are required to publish social responsibility reports on their personal data protection actions on a regular basis. Moreover, the draft regulations add data protection rules for deceased persons and identify the Cyberspace Administration of China (CAC) as the leading department to push forward law enforcement. According to data from the CAC, China’s internet users hit 989m by the end of 2020, representing more than 20% of the global total, with an internet penetration rate of 70.4%.
The PIPL marks the Chinese government’s latest effort to strengthen its data privacy and information protection rules in the country. In late March, four departments including the CAC and the Ministry of Industry and Information Technology (MIIT) issued new regulations, straightening out the scope of necessary personal data collection for 39 types of commonly used mobile apps, among which 13 types of softwares, including live streaming and short video apps, shall not have any compulsory personal information requirements. As of April 20, MIIT carried out personal data protection evaluations of approximately 290,000 apps in 2021, requiring 1,862 apps to take rectification measures and removing 107 apps from app stores for violating data protection rules. Later in April, MIIT and two other departments started soliciting public comments for the country’s first specialised regulations on the protection of personal data in apps, clarifying the responsibilities of app developers, app stores, third-party service providers, and mobile device producers in privacy protection. The country is also currently working on establishing a national standard for facial recognition data collection, processing and storage.