China’s Legislative Affairs Commission has offered a more detailed look at its proposed Personal Information Protection Law (PIPL). The PIPL is intended to strengthen the country’s lax data protection regulations in the wake of several high profile security breaches and mounting opposition to China’s expanding face-based surveillance infrastructure.
To that end, the PIPL will provide more explicit details about when government authorities can use people’s personal information. According to a Commission spokesperson, the government will need to justify any use of sensitive data. That use must also be proportional to the task at hand. In that regard, the spokesperson said that sensitive information must be “used for specific purposes and only when sufficiently necessary.”
However, the draft version of the PIPL is still quite vague about what kinds of situations would warrant such a response, suggesting that the government would retain the ability to use sensitive data at its own discretion. The lack of clear guidelines is likely to worry privacy advocates given China’s prior abuses of the technology. For example, Alibaba, Huawei, and Megvii recently acknowledged that they have developed facial recognition software that is able to identify Uighur Muslims based on their ethnicity, although all three claimed that that technology has not been deployed in a real-world setting.
The “sufficiently necessary” clause would create exceptions for a number of different categories. The draft version of the PIPL that was released in October specifies that “sensitive data” encompasses everything from broad demographic traits like race, ethnicity, and religion to more personal ones like health records, finances, location, and biometrics.
While the new law may not place meaningful restrictions on the government, it would create much stronger regulations for the private sector. Companies would need to meet stricter data protection requirements, and would also need to obtain consent before collecting and using the biometric information of their customers. The penalties for any violations would similarly be much harsher. Domestic and international businesses that misuse the personal information of Chinese citizens would face fines of 50 million yuan (approximately $7.6 million USD), or five percent of their annual revenue.
A law professor recently won a suit against Hangzhou Safari Park after a court ruled that the Park violated his privacy when it collected facial recognition data without his consent. The case was one of the first of its kind in China.
Source: South China Morning Post
December 21, 2020 – by Eric Weiss