Forwarded from BlackBox (Security) Archiv
China releases draft of major new privacy law: why it matters to everyone online
China has frequently figured in this blog, usually in the context of its censorship, surveillance activities, and wide-ranging abuse of human rights. But there’s another side to the story. Like other people around the world, China’s billion or so Internet users want their privacy protected when they go online. Trying to satisfy that need while preserving state control is a tough problem that the Chinese authorities have been grappling with recently. Back in May 2018, the Personal Information Security Specification took effect.
It offered “granular guidelines for consent and how personal data (called “personal information”) should be collected, used, and shared”, as the introduction to a translation of the new digital rules by New America puts it. Now the Chinese government has followed that up with a draft version of the Personal Information Protection Law (PIPL), a far more comprehensive and rigorous approach to protecting the digital privacy of Chinese citizens. A blog post on New America explains:
"China’s draft PIPL represents a third way between the sectoral U.S. approach, which applies different rules for specific industries or classes of consumers, and the European Union’s comprehensive General Data Protection Regulation (GDPR) framework, which enshrines fundamental rights across contexts. With the draft law, China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers."
The New America post points out that the PIPL draws quite heavily on the GDPR, which provides further proof of the influence of the latter legislation, something noted many times before on this blog. In the draft, the definitions of personal information, sensitive information, individual rights, and legal bases for processing, all have similarities to the EU framing. However, China’s requirements for national security mean that there are important differences when it comes to data flows.
Under the GDPR, these are allowed provided privacy is safeguarded. Under the PIPL, the limitations are far greater. China’s existing “Cybersecurity law” requires data held by so-called “critical information infrastructure” operators – essentially the most important digital companies – to be stored in China. The PIPL would require personal data referring to Chinese citizens to be stored within the country, even for some smaller companies. A rigorous assessment by China’s cybersecurity department is needed before any personal data can be sent abroad. In addition, the PIPL would grant the authorities the power to establish a blacklist of overseas companies that are banned from processing Chinese personal data if it is determined they violate China’s national security interests.
Moreover, the PIPL would allow the government to retaliate against entire countries that are deemed to have taken discriminatory regulatory measures against Chinese companies in the field of data protection. This is clearly with a view to counter the growing calls in the West to shut out Chinese companies from processing citizens’ personal data.
https://www.privateinternetaccess.com/blog/china-releases-draft-of-major-new-privacy-law-why-it-matters-to-everyone-online/
#china #draft #privacy #law #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
China has frequently figured in this blog, usually in the context of its censorship, surveillance activities, and wide-ranging abuse of human rights. But there’s another side to the story. Like other people around the world, China’s billion or so Internet users want their privacy protected when they go online. Trying to satisfy that need while preserving state control is a tough problem that the Chinese authorities have been grappling with recently. Back in May 2018, the Personal Information Security Specification took effect.
It offered “granular guidelines for consent and how personal data (called “personal information”) should be collected, used, and shared”, as the introduction to a translation of the new digital rules by New America puts it. Now the Chinese government has followed that up with a draft version of the Personal Information Protection Law (PIPL), a far more comprehensive and rigorous approach to protecting the digital privacy of Chinese citizens. A blog post on New America explains:
"China’s draft PIPL represents a third way between the sectoral U.S. approach, which applies different rules for specific industries or classes of consumers, and the European Union’s comprehensive General Data Protection Regulation (GDPR) framework, which enshrines fundamental rights across contexts. With the draft law, China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers."
The New America post points out that the PIPL draws quite heavily on the GDPR, which provides further proof of the influence of the latter legislation, something noted many times before on this blog. In the draft, the definitions of personal information, sensitive information, individual rights, and legal bases for processing, all have similarities to the EU framing. However, China’s requirements for national security mean that there are important differences when it comes to data flows.
Under the GDPR, these are allowed provided privacy is safeguarded. Under the PIPL, the limitations are far greater. China’s existing “Cybersecurity law” requires data held by so-called “critical information infrastructure” operators – essentially the most important digital companies – to be stored in China. The PIPL would require personal data referring to Chinese citizens to be stored within the country, even for some smaller companies. A rigorous assessment by China’s cybersecurity department is needed before any personal data can be sent abroad. In addition, the PIPL would grant the authorities the power to establish a blacklist of overseas companies that are banned from processing Chinese personal data if it is determined they violate China’s national security interests.
Moreover, the PIPL would allow the government to retaliate against entire countries that are deemed to have taken discriminatory regulatory measures against Chinese companies in the field of data protection. This is clearly with a view to counter the growing calls in the West to shut out Chinese companies from processing citizens’ personal data.
https://www.privateinternetaccess.com/blog/china-releases-draft-of-major-new-privacy-law-why-it-matters-to-everyone-online/
#china #draft #privacy #law #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Privacy News Online by Private Internet Access VPN
China releases draft of major new privacy law: why it matters to everyone online
China has frequently figured in this blog, usually in the context of its censorship, surveillance activities, and wide-ranging abuse of human rights. But