China Passes New Data Privacy Law

In News

Recently, China has passed a data protection law, which will take effect on November 1. 

 

Major Highlights of China’s New Data Privacy Law and Its Impacts

  • Tougher rules on data collection: 
    • The new data protection law sets out tougher rules on how companies collect and handle their users’ information. 
    • It requires reducing data collection and obtaining user consent.
    • The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing and protection, which were previously governed by piecemeal legislation.
      • The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
  • Resemblance to Europe’s General Data Protection Regulation: 
    • The national privacy law closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation, and contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent.
    • However, unlike in Europe, where governments face more public pressure over data collection, Beijing is expected to maintain broad access to data.
  • User Protection:
    • The law also aims to protect those who feel strongly about personal data being used for user profiling and by recommendation algorithms, or about the use of big data in setting unfair prices.
    • It will also prevent companies from setting different prices for the same service based on clients’ shopping history.
  • Sharing of Data with other countries:
    • The law stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China — rules which may present problems for foreign businesses. 
  • Fines on companies that fail to comply:
    • Companies that fail to comply can face fines to the tune of up to 50 million yuan (around Rs 57 crore) or five per cent of their annual turnover.
  • Stock market reaction to the Law:
    • The greatest fallout of China notifying the law was that the stocks of the big tech companies of the country suffered a major slump, prompting renewed concerns among investors.

 

Similar data protection laws in the world

  • Globally there has been a push to create better rules around data protection. 
  • European Union (EU):
    • Makes citizens more powerful: 
      • In 2018, the European Union’s landmark General Data Protection Regulation came into effect. The regulation aims to give citizens in the bloc more control over their data.
      • As per the Regulation, a user can access the personal data being stored by companies and find out where and for what purpose it is being used. 
    • Effect on organizations within and outside EU: 
      • It not only affects organizations located within the EU, but also applies to companies outside the region if they offer goods or services to, or monitor the behaviour of, people in the bloc.
    • Right to be forgotten: 
      • One will also have the right to be forgotten, which means that the user can ask the company to delete one’s data, potentially stopping third parties from accessing it.
  • Brazil:
    • Latin America’s first data protection law and how it will be enforced:
      • Brazil’s Lei Geral de Proteção de Dados, which came into force in September 2020, is Latin America’s first major data protection law. 
      • As Brazilian companies and service providers scramble to reach compliance, the remaining months of the year will be the testing ground for how Brazil’s data protection authority will enforce the new law.
  • Singapore:
    • Newer amendments to make it more encompassing: 
      • At the end of 2020, Singapore amended its Personal Data Protection Act, introducing, among others, mandatory data breach notifications, an expansion of its deemed consent framework, exceptions to consent for legitimate interests, and increased penalties for non-compliance.

 

Current Indian data protection framework

  • Data Protection Rules under Information Technology Act: 
    • Data protection in India is currently governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”) notified under the Information Technology Act, 2000 (“IT Act”).
    • The Data Protection Rules impose certain obligations and compliance requirements on organizations that collect, process, store and transfer sensitive personal data or information of individuals, such as obtaining consent, publishing a privacy policy, responding to requests from individuals, and disclosure and transfer restrictions.
    • The Data Protection Rules further provide for the implementation of certain reasonable security practices and procedures (RSPPs) by organizations dealing with sensitive personal data or information of individuals.
  • Personal Data Protection Bill, 2019:
    • Introduced in Lok Sabha in Dec 2019 (not passed).
    • It seeks to provide for the protection of the personal data of individuals.
    • It seeks to establish a Data Protection Authority for the same.
    • The central government can exempt any of its agencies from the provisions of the Act:
      • in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and
      • for preventing incitement to the commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.
    • Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as:
      • prevention, investigation, or prosecution of any offence, or personal, domestic, or journalistic purposes.
      • However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.

Challenges

  • Enforcement challenge: There are many legal and technical challenges in the enforcement of the data protection laws. 
  • Right to Information: If the information is of public interest, the right to information of the public prevails over privacy rights. 
  • Misuse by individuals: The right to privacy may be misused by individuals. 

 

Way Ahead

  • Indians have a constitutionally protected fundamental right to privacy as it is intrinsic to Article 21 of the Constitution.
  • There is a need to implement the recommendations of the Justice B N Srikrishna Committee Report:
    • restrictions on processing and collection of data,
    • establishment of a Data Protection Authority,
    • right to be forgotten,
    • data localisation,
    • explicit consent requirements for sensitive personal data.

 

Sources: IE