China began soliciting public comment on Wednesday for draft legislation to place tight limits on the transfer of personal data outside the country and let Beijing retaliate against any “discriminatory” prohibitions by the US.
If passed, the Personal Information Protection Law will become China’s first unified piece of national legislation on the safeguarding of personal data.
Any company seeking to take users’ personal data outside China will undergo screening by cybersecurity authorities, according to the draft. Businesses involved in “critical information infrastructure,” such as telecommunications or finance, and those that handle large quantities of personal information will have to store such data on servers within China and undergo risk assessments before sending it abroad.
The aim is to strengthen protections for China’s more than 900 million internet users as concerns mount over data misuse. It follows efforts by Washington to ban video-sharing platform TikTok and chat app WeChat to “protect national security and the private data” of American users.
Opinions from experts and others will be solicited until mid-November. The law will likely take effect in 2021.
The bill explicitly enables Beijing to take retaliatory steps against countries or regions that impose discriminatory measures against China in this area. Many observers see this provision as targeting American companies such as Microsoft and Apple that do business here.
The law would apply to all companies and organizations operating in China, as well as any overseas businesses that handle the data of Chinese nationals here.
The measure will affect the many Japanese companies looking to expand in China, the one bright spot in a global economy battered by the coronavirus pandemic. Retailers that collect information on customers and auto manufacturers that track driving data will face stricter limitations on what they can do with that information.
Companies will generally be required to obtain user consent before collecting personal information, except in emergencies or situations that require secrecy. The law provides for consent to handle “sensitive” data, whose misuse could lead to discrimination or threaten users’ security, with ethnicity, religion, biometric characteristics, medical and financial information, and location tracking among the characteristics specifically named in that category.
Violators face penalties including fines of up to RMB 50 million (USD 7.51 million) or 5% of annual revenue. Authorities may also revoke licenses or permits, or order the operations in question to be shut down.
The purpose of the bill, according to the draft text, is to protect personal information rights as well as provide a legal framework to promote the use of such data. It bans the handling of personal data in ways that harm national security or the public interest.
The legislation, along with a cybersecurity law that took effect in 2017 and a draft data security law published this past July, will provide a legal framework for state control over data as Beijing tightens its grip on China’s internet.
The cybersecurity law requires companies to undergo security assessments before providing consumer data overseas. Regulations that are based on that legislation and took effect this past June stipulate that IT equipment purchases by operators of critical information infrastructure must be reviewed if national security could be affected.
The new measure also represents another salvo in the escalating battle with the US over tech dominance and security. The Standing Committee of the National People’s Congress passed legislation Saturday to restrict exports of advanced technology, taking effect Dec. 1.