Monthly Archives: October 2020

Encryption of personal information collected for COVID-19 prevention advised

By Liu Xin Source: Global Times Published: 2020/5/12

Many places in China have taken measures to deal with personal information leakage after some individuals’ information was improperly acquired. Experts warned that, with the COVID-19 epidemic coming under control in China, personal information collected for prevention work should be encrypted to decrease the risk of leakage.

Reports of individuals’ personal information being exposed or misused have appeared recently, raising concerns over the security of personal information. For example, the public security authorities in Qiangdao (should that be Qingdao?), East China’s Shandong Province, released a notice on April 19, saying that more than 6,000 residents’ information, including their name, address, identity number and phone number, had been exposed, the Xinhua Daily Telegraph reported.

In the early stage of fighting against the coronavirus, some places required individuals to register their information with residential communities, online applications or pharmacies, which increased the risk of misuse or leakage of the information, experts said. 

Qin An, head of the Beijing-based Institute of China Cyberspace Strategy, told the Global Times that some places over-collected personal information after the outbreak of the coronavirus. The current issue is how to properly store and manage the information. 

“Two situations should be avoided – information leakage and continuous collecting of residents’ information,” Qin said. 

He noted that since China’s cryptography law has been implemented, all personal information should be stored after encryption to avoid disclosure. 

The public security bureaus in many places in China have dealt with cases involving illegally collecting and disclosing personal information. On March 5, Chinese authorities, including the Ministry of Civil Affairs and the Cyberspace Administration of China, required residential communities to ask for residents’ permission before collecting information for prevention work. 

Authorities in South China’s Guangdong have started supervision of online applications and set requirements for data and privacy protection for organizations that offer applications for prevention, the Xinhua Daily Telegraph reported.

China unveils first law on personal data protection

By Cao Siqi and Chen Qingqing Source: Global Times Published: 2020/10/13

As home to the world’s largest number of online users, China on Tuesday unveiled its highly anticipated draft law on personal data protection, a significant step to address the long-held problems of leaks and hacks.

The draft was submitted for first review at the ongoing session of the top legislature meeting on Tuesday. It clarifies the definition of sensitive private data, including race, ethnicity, religion, biometric data, medical and financial data, and personal trajectory.  

It states that those who violate the law could face a fine of up to 50 million yuan ($7.4 million) or 5 percent of their past year’s turnover, which observers said will strike a heavy blow to organizations, enterprises and individuals who have constantly disturbed people’s lives by illegally collecting, using and trading personal information for profit.

Legal experts said the existing laws do not provide adequate protection for individuals because they do not impose significant punishment on companies engaged in breaches.

Key information infrastructure operators and entities that handle a substantial amount of personal information must undergo a security assessment by Chinese authorities if they need to provide personal information overseas.

If overseas organizations or individuals are found to have damaged Chinese citizens’ rights to private data or to have been involved in personal data activities that harm national security and public interests, they will be put on a blacklist by the Cyberspace Administration of China.

Wang Sixin, a media law professor at Communication University of China, believes that this specific clause targets overseas internet companies, especially in the US, given some popular social media platforms were found to leak users’ privacy. 

In August 2019, Twitter fixed an issue on its advertising platform that resulted in the company sharing some users’ data with advertising partners without the users’ consent. Earlier the same year, Facebook’s database leaked the phone numbers of 419 million users. 

The draft law has been long awaited and widely welcomed, as the big data industry has been rapidly growing in China, which played a vital role in helping fight the coronavirus epidemic, such as tracking down close contacts to confirmed patients through online tools, and monitoring personal trajectory to quickly identify suspected cases. 

Similarly, under the EU General Data Protection Regulation, which took effect on May 25, 2018 and replaced the Data Protection Directive, violations could result in a fine of up to €20 million, or 4 percent of the firm’s worldwide annual revenue from the preceding financial year. GDPR regulators have issued hundreds of fines to companies, including Google and Facebook, worth more than €114 million in the first 20 months of GDPR, according to its website.

Experts suggested Chinese law on personal information protection should also impose specific punishments on overseas organizations or individuals if they are found to leak Chinese citizens’ privacy. They warned that the enforcement of the personal information protection law should be cautious; otherwise, it may harm the development of new technologies, as personal data also has abundant social, economic and governance value.