China opens draft regulations on data protection to public consultation

Authorities in China aim to enhance the protection of personal information, ensuring the legal rights of individuals and promoting the healthy development of the platform economy, according to a new draft of regulation released on Saturday.

The draft regulations on personal information protection for large online platforms was released by the Cyberspace Administration of China and the Ministry of Public Security to solicit public opinions.

According to the proposed regulations, personal information collected and generated in China should be stored domestically. If there is a need to transfer the information abroad, platforms should comply with national data export security regulations.

Platforms are required to strengthen technical and managerial measures to prevent and address risks associated with illegal data transfer overseas.

The draft also stipulates that personal information must be stored in data centers that are located in China and meet national security standards.

Moreover, online platform service providers must offer convenient methods and channels for individuals to access, correct, supplement and delete their personal information, as well as to delete their accounts.

When an individual requests the transfer of their personal information to a designated personal information processor, the service provider should finish within 30 working days of receiving the request, the draft said.

In cases where platforms show serious deficiencies in personal information protection, such as repeated violations or significant data breaches affecting large numbers of users, authorities may mandate compliance audits and risk assessments by third-party professional organizations.

The cases include a personal information security incident resulting in the leakage, alteration, loss or destruction of personal information of over 1 million individuals or sensitive personal information of over 100,000 individuals, the draft said.

Platforms that are found incapable of ensuring data security may be required to store data in third-party data centers that comply with regulations, it added.

The draft encourages the use of national network identity authentication services, data labeling technologies and personal information protection certifications to enhance data protection levels.

The public is invited to submit feedback through various channels, and complaints about violations can be reported to authorities, who are required to respond within 15 working days.

The CAC and Ministry of Public Security emphasize the importance of confidentiality for all parties involved, including government departments and third-party organizations, regarding personal privacy, business secrets and other sensitive information encountered during their duties.

Public consultation on the draft regulations is open until Dec 22.