China wants to fine-tune personal data protection, but doors to government access remain open

The guidelines aim to act as a reference point for “organisations in the processing, cross-border transfer, and protection of sensitive personal information”, the National Cybersecurity Standardisation Technical Committee said in releasing the draft on its website.

China’s sweeping Personal Information Protection Law, in effect since November 2021, and Data Security Law, issued in September that year, are part of a broader drive to develop China’s digital economy amid rising national security concerns. These concerns, according to the state security ministry, include the risk of data leaks, cyberattacks, and data manipulation that impact the economy and military.

China aims to create a comprehensive data management framework with a focus on protecting critical data. This involves imposing stricter limits on how companies collect and utilise sensitive personal information, while promoting the free flow of less sensitive data to unlock its economic potential.

The newly released points are “broadly along the same lines”, said Alfred Wu, an associate professor at the National University of Singapore’s Lee Kuan Yew School of Public Policy. “Currently the top leaders are most concerned about data security and national security.”

Under the PIPL, companies need to get specific, separate consent to access sensitive personal information. Platforms that illegally collect personal information can have their services suspended or terminated by regulators.

The new guidelines give specific examples of data for categories previously listed by the PIPL, noted Emmanuel Pernot-Leplay, a data privacy consultant at Deloitte Cyber Risk in Paris.

“This will help to clarify the rules and clear out some grey zones, as PIPL is often criticised for being too vague,” said Pernot-Leplay, who has a PhD in comparative data protection law from China’s Shanghai Jiao Tong University.

The draft defines sensitive personal information as “personal information that, once leaked or illegally used, may easily lead to infringement of a natural person’s personal dignity or endanger a person’s safety or property”.

It lists eight categories of such sensitive information, including biometrics, religious beliefs, specific identities, medical information, financial accounts, a person’s whereabouts and the personal information of minors under the age of 14, as well as marital history, social credit information, undisclosed criminal records and sexual orientation.

“The benefits are both the clarification of this category for companies, as they know better when they need to comply with those specific requirements, and it should improve personal data protection for individuals, which, in turn, may give them more trust in the online financial and health services,” Pernot-Leplay said.

According to Zeng Liaoyuan, an associate professor of information and communications engineering at the University of Electronic Science and Technology of China, the guidelines serve as a manual on handling sensitive information, such as data classification and export issues.

“By following this guide, companies can ensure that their data processing activities are not only compliant with the law but also secure and reliable.”

PIPL has already made it much more challenging and costly for tech companies to collect and utilise consumers’ personal data, and observers have compared its impact to that of the European Union’s General Data Protection Regulation, seen as the world’s toughest privacy and security law.

Pernot-Leplay said the guidelines further confirm that “China has a broader list of sensitive data than other jurisdictions such as the EU”.

For example, China considers financial data and real-time location as sensitive information, while the EU does not, he explained.

According to the guidelines, financial account information includes account numbers and passwords for bank accounts, securities, funds, insurance, and payment trace information that are generated based on account information.

Information on whereabouts includes real-time accurate location, GPS trajectory and flight tickets.

Also, information on specific identities refers to those that “significantly affect personal dignity and social evaluation, especially those specific identity information that may lead to social discrimination”, such as criminal records, information about disabled people, and the identities of military or police personnel.

Notably, the guidance emphasises the importance of considering the overall sensitivity of information, recognising that even seemingly ordinary data can become sensitive when combined with other pieces of information, Zeng said.

“By adopting this holistic approach, individual privacy and security can be effectively protected in complex information environments.”

However, there are still loopholes. “China doesn’t consider political opinions as being sensitive data, while it’s clearly one in the EU,” Pernot-Leplay pointed out.

Wu in Singapore said the guidelines were largely aimed at regulating tech giants like Tencent and Microsoft, but there was no clear check on the government’s power to regulate data, whereas “the West is particularly concerned about the potential for government abuse and misuse of personal data”.

Last year, a draft amendment to China’s public security punishments law added a clause allowing the police to collect biological information and samples – including photos, fingerprints, blood and urine – of suspects in minor offences. Such measures were previously limited to investigations into serious crimes, and have raised concerns in the legal community about potential abuse of power by police.

Tuesday’s guidelines described biometrics information as a type of sensitive personal information, which covers genetic information, fingerprints, voice prints, iris scans, facial recognition features and gait.

Even with the detailed guidelines in place, their impact would ultimately depend on how well companies and authorities could enforce the rules, given that they are not binding laws, the analysts said.

The authorities would “need to increase their force if they want to actually enforce the new rules, and to make sure the obligations are real and not just on paper”, Pernot-Leplay said, in a call for more resources, talent, monitoring and regulation.

Finance, healthcare and e-commerce companies would need to have robust compliance programmes and staff to implement the rules, he noted. “However, this staff is not the easiest to find. Training will be important.”

Zeng was of the same view. He said industries needed to upgrade their technical infrastructure, such as on data classification, encryption, and access control systems, to fully comply with the guidelines, while staff training was also crucial for correct application. Businesses might also need to adjust their service processes or product features to meet stricter information processing standards, he said.

Effective implementation could be ensured through increased and regular government supervision and monitoring, Zeng added.
