Legislators promised on Friday that China will start drafting its own laws for data privacy and personal information next year.
Why it matters: It signals government resolve to do away with the fragmented landscape of data privacy laws and regulations that exist now, and provide legal certainty.
Details: Official National People’s Congress spokesperson Yue Zhongming did not give details on what the laws might contain.
- The Personal Information Protection Law and Data Security Law featured in the first-category (high-priority) of legislative projects in March, said Yue.
- Yue said that ministry task forces have cracked down on infringement of personal information this year, and that drafting these laws would take China’s personal information protection to a new stage.
Context: Some areas like genetics and online mapping do have clear regulations but China is lacking actionable laws that apply cross-industry.
- “The Cybersecurity Law mentions certain principles in terms of data security and protection of personal information but those high-level principles are simply not good enough when you apply them to reality,” says Samuel Yang, a data privacy and cybersecurity lawyer and partner at AnJie law firm.
- Policymakers revised China’s most detailed set of standards for protecting personal information (GB/T-35273/2017) for the third time this year, but these are not legally binding.
- Yang says that his clients want “more clarity on cross-border data transfer.” That includes what kind of data can be transferred, to what extent they should store data within China, what kind of approval they need and how assessment mechanisms will work.
- “Digital economy in China is developing fast. We have seen many new, non-controversial and controversial technologies like facial recognition. This reality desperately needs a new law,” says Yang.
- Laws go through several rounds of drafting as government calls for input from local governments, academics, and industry. Finalized versions can take years to emerge.