Chinese draft data protection law specifies biometrics as sensitive private data
A draft of China’s proposed personal data law has reached the first review stage in the country’s legislature, Global Times reports, defining biometric data as sensitive private data, along with race, ethnicity, religion, medical and financial information and “personal trajectory.”
Violators could be fined up to 50 million yuan (US$7.4 million), or 5 percent of the previous year’s turnover, according to the report. MediaNama reports that the law would require informed consent from data subjects prior to processing, and that consent must be re-obtained if the data’s use changes.
Individuals can also not be denied products or services for declining to share personal data.
Data processors are responsible for defining the limited purpose personal data is collected for, and appointing a person responsible for processing user requests for data disclosure or deletion. Data processors are also responsible for the accuracy of the information they hold and its security, and will be required to perform regular compliance audits, according to MediaNama’s reading of the Mandarin-language press release.
Exceptions are included for emergencies and public security, as well as journalism and opinion polling.
No new regulatory body would be created by the bill, however.
The draft also includes a clause that foreign companies found to have violated the law or harmed national security and public interest will be blacklisted by the country’s Cyberspace Administration.
Global Times cites the opinion of a media law professor at the Communication University of China that the latter clause is directed at companies such as U.S. social media platforms which have been found to have leaked user data.
The state-run publication also compares the draft law to Europe’s GDPR, and reports that experts say it should be enforced cautiously to avoid impeding the development of new technologies.
Chinese professor argues for property rights-based view of data protection
Data are rights are part of human rights, and human rights are derived from property rights, the core of which is control, Cheung Kong Graduate School of Business Economics Professor Xu Chenggang writes in an opinion piece published by Caixin Global. The article is drawn from a joint paper on legal risk to entrepreneurs by Trusmatic Law Firm and the Chinese edition of Fortune magazine.
Tracing the notion from John Locke to contemporary international human rights and property law via Friedrich Hayek, Xu suggests that data rights were built into human rights by the European Union in 2017.
He argues against the notion that individuals should not have control of personal information like medical records, even though the aggregation of those records could yield great benefit, because that data is property, and therefore its use is subject to consent.
“The conditions for the consent are the market principles, which require a voluntary transfer showing the value for the exchange,” Xu writes. “Either the exchange is at a price or voluntary, but it should be based on personal choice and determined by the market.”
This voluntary, market-based approach is what will regulate the large-scale sharing of data that will enable the benefits of big data-driven technologies.