South China’s Shenzhen passes local law for better protection of personal data

By Yu Sinan, People’s Daily

Shenzhen, a city in south China’s Guangdong province and a paragon of the country’s reform and opening-up, will put into effect the country’s first local law on data management starting Jan. 1, 2022, to better protect personal data.

The Shenzhen Special Economic Zone Data Regulations, released on July 6, require that data processors not refuse to provide core features or services to users who do not consent to having their personal data processed. The provision responds to a large volume of complaints from app users about mobile applications that force them to accept authorization requests.

For instance, users are often asked to provide their geographical location when simply installing a flashlight app on their mobile phones, or to grant access to their address books when downloading a text editor.

People must be fully informed of, and give their consent to, the processing of their personal data before it is processed, and must be provided with a means of withdrawing that consent at a later date with no unreasonable restrictions or conditions attached, the regulations stipulate.

Some of the information collected by apps can be exploited commercially, which is believed to be an important reason why app providers insist on collecting personal information. Personalized recommendations based on user portrait analysis, though they benefit users with targeted and individualized services, can also cause trouble for them.

To address the problem, the regulations state clearly that data processors that intend to conduct user portrait analysis of individuals for the purpose of improving the quality of products or services shall inform the individuals of the specific purpose and main rules of the activity.

In addition, users have the right to refuse personalized recommendations based on analyses of their profiles, and data processors shall provide users with effective means of refusal in an accessible way, according to the regulations.

The local law is also the first domestic law to address rules for fair market competition concerning data, incorporating special provisions that target a range of disorderly practices in the data factor market.

Experts believe that the Shenzhen Special Economic Zone Data Regulations will serve as an example for other cities to follow when it comes to processing personal data.

China is home to nearly one billion Internet users, who form a cornerstone of the country’s digital economy. In fact, personal information protection doesn’t necessarily contradict the development of the digital economy. The key is to find a balance between the protection and the reasonable utilization of personal data.

In recent years, China has made considerable efforts to explore the standardization of data processing.

The country’s Cybersecurity Law, which took effect on June 1, 2017, includes clear provisions related to various aspects of information management, such as the collection of personal information and the obligation of online service providers to protect users’ personal information.

Since 2019, four government authorities, including the Cyberspace Administration of China and the Ministry of Industry and Information Technology (MIIT), have carried out a special campaign for two consecutive years on the prominent problem of illegal collection and use of personal information by apps.

This March, the four authorities jointly issued a circular specifying the scope of necessary personal information for mobile apps. For example, navigation apps may have access to a user’s location, place of departure and destination, which means that collecting other information is illegal for such apps.

The circular clearly stipulated that mobile apps cannot deny users access to their basic services because the users refuse to share unnecessary personal information.

Apps must follow two fundamental rules in processing personal data: informing users and obtaining their consent before processing their personal data, and collecting and processing only the minimum necessary personal information, according to a draft released by the MIIT to solicit public opinions. The draft also included stipulations such as that apps shall not check options by default or change user settings. Such powerful measures have to some extent rectified the illegal collection and use of personal information.