Hong Kong’s Data Protection Law
In recent years, a series of high-profile data breaches in China has intensified public calls for the government to adopt a single law protecting citizens’ personal information. Currently, this responsibility is shared by several statutes, including the official decision of the Standing Committee on the Protection of Online Data, an amendment to criminal legislation and the Cybersecurity Law.
The Hong Kong authorities proposed to amend the law on protecting personal data, which imposes sanctions on technology companies if they cannot prevent the unauthorized publication of personal data of internet users.
Previously, we’ve talked about China’s strict internet censorship. If you missed it, you can read it here.
The Ministry of Industry and Information Technology, China’s top telecommunications regulator, last month ordered the removal of 90 mobile apps from various app stores, citing violations of user rights, as regulators strengthen control over the processing of user data by technology companies after a number of high-profile violations caused a public outcry.
Today we’ll consider what the new law is and what penalties are provided for.
What is the Personal Information Protection Law?
The Personal Information Protection Law is a law aimed at preventing the collection and use of data. According to Liu Junchen, deputy director of the Standing Committee’s Legal Affairs Commission, this law is aimed at preventing enterprises, organizations and individuals from “arbitrarily collecting, illegally receiving, abusing and illegally buying and selling” personal data, as well as using it to “disturb the peace of people’s lives and threaten their health and property.”
It is important to note that it enshrines the principle of informed consent, which means that all subjects processing personal data will have to clearly inform an individual in advance about how they plan to use this information. As well as to request the explicit consent of an individual or his or her legal guardian before doing so.
Individuals will have the right to know how their data is being used and request corrections or deletions, the proposal says, adding that entities processing personal information will not be allowed to collect more than they need to perform the stated tasks, or refuse to provide a product or service if the individual refuses to give or later withdraws his consent.
The law requires companies or individuals engaged in data processing over the internet and other networks to protect data security based on the existing network security system in China, according to article 27, which complies with the Personal Information Protection Law.
What data is covered by the Personal Information Protection Law?
According to article 3 of the law, “data” means any record of information stored in electronic or other formats.
Data related to national security, the so-called “vital force of the national economy,” which includes sectors that significantly affect social and national economic development, such as high-tech and support industries, as well as important issues related to the life support of people and issues of great public interest, are defined as “national core data.”
Following article 21, a stricter management system should be introduced for this category of data.
“In addition, the law allows individual regions, industries and government departments to define their own catalog of important data for protection and instructs them to ensure its security,” the article said.
Also, it created a system of classification of the required level of data protection. It depends on the potential severity of harm caused to national security, public interests, or the legitimate rights and interests of citizens or organizations in the event of alteration, destruction, leakage, or illegal receipt or use of data under the law.
However, it does not specify which types of data are classified as important.
Who will monitor compliance with the national security of data processing?
Following article 24, the State will establish a review system for conducting national security reviews of data processing activities that affect data security. However, it did not specify which state body will be responsible for this task.
“Final decisions on security checks will be made under the law,” it says.
Wang Xixin, a professor of administrative law at Peking University, previously pointed out that the subject of such a security review and the criteria for deciding whether data activities affect national security are unclear in the draft. These two points remain unclear according to the recently published law.
The law did not describe the method of revision in detail, but some proposed a specific mechanism for business, especially for those trans-regional and intersectoral companies.
Xu Ke, executive director of the Internet Rule of Law Research Center at the Beijing University of International Business and Economics, also called to create a dispute resolution mechanism. “If the local authorities make an incorrect or unfair decision on security, the affected enterprises should have the right to an administrative review by a higher authority,” Xu said.
Punishment for non-compliance
This proposed new law appeared after last year’s government crackdown, in which more than 100 online applications were taken offline for collecting unnecessary personal information from users. There were no confidentiality agreements, and they could not adequately describe the volume and nature of their data collection operations.
Those who violate the proposed new law will be ordered to “correct” their behavior, forfeit any illegal income, and receive an official warning. In addition, repeat or serious offenders can be fined 50 million yuan or the equivalent of up to 5% of their income for the previous year, and their business licenses will be canceled or suspended.
The eight-chapter law will provide comprehensive protection for China’s 900 million internet users. The document defines personal information as that which is “recorded electronically or by other means with identified or identifiable individuals, not including anonymized information.”
The draft law includes about 70 articles, covering how much data should be collected, stored, used, processed, transmitted, and publicly disclosed, and on the rights of people who transmit their data and the responsibilities of those who process them.
The reaction of the world community
It is already known that companies such as Facebook, Twitter, Google have announced the possibility that they will stop their activities in Hong Kong if the Chinese government does not change the law.
In addition, many other Chinese corporations are also concerned about the breadth of application of the law and its provisions. Therefore, the Asia Internet Coalition, which unites various internet market players in the region, issued a warning to the government. According to the group, the only way for global tech companies to avoid sanctions under the proposed law would be a complete rejection of IT investments in the region.
The only way to circumvent censorship and prohibitions is to use Utopia P2P — an anonymous decentralized ecosystem with private internet use. It has an arsenal of built-in tools for messaging, chatting, browsing, online payments, etc.
Read about Utopia P2P benefits here.