China’s first specialized legislation for the protection of personal information has made new progress. On April 26, the second review draft of the Personal Information Protection Law (Draft) was submitted to the 28th meeting of the 13th National People’s Congress for deliberation.
The draft clearly strengthened the supervision of large Internet platforms, including requiring the establishment of an independent organization mainly composed of external members to supervise personal information processing activities.
Some industry observers worry that the supervision activities of external members may collide with the company’s trade secrets. In order to prevent external supervision from becoming a mere formality, the corresponding supporting regulations need to be improved.
The Personal Information Protection Law (Draft) made its debut in October 2020 and is submitted to the Standing Committee of the National People’s Congress for deliberation.
The first review of the draft made specific provisions on the scope of the law, personal information processing rules, cross-border provision of personal information, personal rights and processor obligations in personal information processing activities, and departments performing personal information protection duties.
It also clarified the personal information processing rules centered on "inform and consent", and required state agencies to comply with no exceptions.
After the initial review, the first review of the draft was published in full on the China National People’s Congress website for public comments. Among them, the handling of sensitive information and the sharing of information with third parties have to obtain individual consent. The draft made professionals in the Internet, big data, artificial intelligence and advertising industry concerned about the draft rule’s implications to their businesses.
China’s public is increasingly concerned about Bytedance, Tencent, Alibaba, Baidu and other Internet giants holding huge amounts of personal information. How to continue to strengthen supervision of the usage of the data has attracted greater attention. The second review of the draft just released made revisions based on opinions solicited from all parties.
Jiang Bixin, deputy chairman of the Constitution and Law Committee of the National People’s Congress, said that some departments and experts suggested that the personal information protection obligations of super-large Internet platforms should be strengthened and supervision should be strengthened.
For this reason, the second review of the draft adds a new Article 57 provision, stating that personal information processors that provide basic Internet platform services to a huge number of users with complex business types should perform the following obligations:
(1) Establish a company mainly composed of external members and an independent organization that supervises personal information processing activities;
(2) Stop providing services to product or service providers on platforms that process personal information in serious violation of laws and administrative regulations;
(3) Regularly publish personal information protection social responsibility reports, and accept social supervision.
Cheng Xiao, deputy dean and professor of Tsinghua University Law School, said that Article 57 applies to entities that meet the three requirements: basic Internet platform services, huge number of users, and complex business types.
This type of Internet platform handles a large amount of personal information and is involved in various businesses such as e-commerce and instant messaging. It is related to public safety and public interests. Therefore, it is necessary to strengthen internal and external supervision.
However, it is still necessary to clarify what type of platform meets the "Basic Internet Platform Services" requirements.
In addition, "an independent organization mainly composed of external members" could also pose challenges, said experts.
"It’s a bit like a perfect corporate governance structure. It is necessary to introduce outside directors, that is, independent directors," Cheng Xiao explained. But it is difficult to measure whether it has been implemented in practice and how the supervision is conducted.
If Article 57 of the second review of the draft is finally implemented, its subsequent implementation still needs to be promulgated with supporting standards and detailed rules.
The second review of the draft also clarified that the national cybersecurity and informatization department should coordinate and promote personal information protection related work, including: formulating specific rules and standards for personal information protection; targeting sensitive personal information and new technologies such as face recognition and artificial intelligence; new applications formulate special personal information protection rules and standards.