Swingeing fines and the revocation of business permits are the order of the day under China's new data protection law, which stipulates that firms guilty of serious offences can be fined up to 50m renminbi (US$7.74m), or 5 percent of their annual turnover.
Article 3 makes the law's reach extraterritorial, stating that it applies to activities that take place outside the People's Republic as long as they have an effect on domestic consumers, or their purpose is to analyse the behaviour of domestic consumers.
Article 39 reinforces this by obliging a "personal information processor" to ask for an individual's consent before giving their personal information to anyone outside China.
Article 13 lays out the only grounds on which a payments firm may process a Chinese person's personal information, the chief of these being their consent, which they can withdraw at any time. It is possible, however, for a firm to process data purely because doing so is necessary to perform a contract to which the individual concerned is a party.
All in all, the legal bases that the statute offers for processing information are somewhat narrower than those found in the European Union's General Data Protection Regulation (GDPR).
According to Xinhua, the Chinese state press agency, the legislature voted last month to adopt this new law to protect personal information.
This happened at a regular legislative session of the Standing Committee of the National People's Congress.
Problem, reaction, solution
Xinhua said: "When pushing information and business marketing to individuals through automated decision-making, personal information processors should provide options that don't target personal characteristics at the same time, or offer ways of rejection, says the law.
"It stipulates that individual consent should be obtained when processing sensitive personal information such as biometrics, medical and health, financial accounts and whereabouts.
"The law also requires suspension or termination of services for apps that illegally process personal data."
Xinhua, and therefore the Chinese government, was concerned that some platforms collect too much personal information, and that some businesses install image-acquisition equipment without a by-your-leave from customers and secretly record their faces and other biological characteristics.
The protection of minors
Article 31 obliges every personal information processor to obtain permission from the parents or guardians of any minor under the age of 14 whose information it wants to process. Every firm must also set up a separate set of rules for processing the information of under-14s.
Similarities with the GDPR
As with the GDPR, Article 19 limits the permitted retention period for personal information to the minimum.
Article 45 allows a consumer to consult or copy their personal information from a firm that has it. The firm must hand it over "in a timely fashion". Article 47 gives the consumer the right to delete information about themselves.
The International Association of Privacy Professionals, writing on August 24, has identified many similarities between the GDPR and the Chinese law.
Both grant the individual the right to information, the right to access, the right to correction/rectification, the right to erasure, the right to object to and restrict the processing of an individual’s data, the right to data portability (but in China the process has to satisfy conditions stipulated by the Cyberspace Administration of China), the right not to be subject to automated decision-making, the right to withdraw consent and the right to lodge a complaint with a regulator.
Also in line with the GDPR, Article 50 states that "where the personal information processor refuses an individual’s request to exercise his rights, the individual may bring a lawsuit in a people’s court according to law".
The state cyberspace administration is empowered to formulate rules for the protection of personal information, but so are many other unnamed government departments. The statute expects them all to cooperate.
Most provisions of the law can be superseded by other statutes and administrative decisions.
The statute mentions the word "security" 22 times; in most of those instances, it is discussing national or state security and not the security of personal data. Article 26 extols the virtues of spy-cams installed in public places for the purposes of national security. The article obliges every firm to obtain an individual's consent if it wants to collect an image of them or their personally identifiable information, unless it is for "the purpose of maintaining public security".