This article is written by Swesh Saurabh, pursuing Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Are you scared of your personal data being misused by big tech companies? Is there any law in your country that protects you from the misuse of your personal data?
The Republic of China has come up with a solution to these threats. Shenzhen, a major sub-provincial city and one of China’s special economic zones, has recently approved China’s first local law on data management. This is not surprising, because Shenzhen is often called the “Silicon Valley of hardware”: it hosts the headquarters of many leading technology companies such as Tencent, Huawei, and the drone maker DJI. Shenzhen is also home to the world’s largest electronics market, located in Huaqiangbei.
China has billions of internet users, and introducing strong new data protection laws meets those users’ demand for protection. This regulation was passed in June 2021, but it will come into effect on January 1, 2022. However, the original draft of the law has not been made public yet.
“The regulations clearly define personal data processing activities and effectively strengthen personal data protection,” said Liu Jiachen, head of the city’s government services and data management bureau. Through this article, we’ll explore all there is to know about the new data privacy law approved by Shenzhen.
Need for the law
China has been receiving a large number of complaints from consumers about tech companies collecting more personal data than is required to provide their services. There have also been many complaints about data being collected without the consumer’s permission, resulting in the misuse and mismanagement of that data.
China is continuously taking major steps in the field of cyber security and data protection. For example, in 2017 it passed the cyber security law. Passing Shenzhen’s regulations is another such step. The regulations will give service providers rules on how, when and what data they can collect, and will help protect the data and privacy of the city’s citizens.
Features of the new regulation
1. There should be clear and reasonable objectives for collecting the data. The consumer should be informed about the purpose of collecting data by the service providers.
In practice this means that a service provider may seek a user’s personal data only when that data is strictly necessary to provide the core service the user has asked for, and the service cannot be provided without it.
2. There should be explicit and informed consent of the user before accessing their personal data.
The key items that the user must be informed of before their consent is obtained are:
- The name and contact of the entity accessing their data
- The type and scope of the data collected
- The purpose and method for processing the data
- Time limits for storing the data
- Any possible security risks associated with storing personal data and measures taken for data security
- The user’s legal rights and the means available to them to exercise those rights.
In an emergency where the service provider is unable to inform the user about the use of their data ahead of time, the user must be informed about that use once the emergency has been dealt with. This relief will only be granted in exceptional cases.
If the service provider wants to use “sensitive data”, it becomes obligatory for the firm to obtain the consent of that user. Here “sensitive data” is defined as data which, if leaked, would lead to discrimination or could harm the user’s security or property.
Personal data of minors under the age of 14 and adults with limited capabilities to provide consent will come under sensitive data and be treated under these stricter regulations.
3. What generally happens when you deny access permissions to apps which you download to use? You aren’t able to use those applications, right?
The new regulation includes a rule, the “principle of least privilege”, which provides that:
- The data collected by the service providers must be directly related to the core function and they may only collect a minimum amount of data that is required to provide the core functions of the App.
- The apps must establish a mechanism of “minimal access authorization” which limits the amount of data that the service provider’s personnel can access to fulfil a certain task.
- If users do not consent to the use of their data, service providers cannot refuse to provide services; they may refuse only when the data is necessary to offer the service.
- It also contains a provision for the government department to establish a reporting and complaint mechanism so that the users can easily register their complaints regarding privacy breaches or violations.
4. When it comes to providing biometric data such as genes, fingerprints, voiceprints, palm prints, auricles, irises and facial features, everyone thinks twice or hesitates before providing it. As this data is extremely personal, it has a great chance of being misused. Yet these technologies are used very often, for example to access an office building or even to pay for a coffee. In some cases users have been given no other option, so even if they don’t want to share these details they have to provide them.
Under the new regulation, however, biometric details may be made mandatory only in cases where biometric data is absolutely necessary to proceed; in all other cases the service provider must provide an alternative method for accessing its services. This will also hinder apps that make facial or fingerprint recognition compulsory for accessing their services.
Biometric data may not be used for any purpose other than the stated one without the consent of the user, and explicit consent from a legal guardian is also required for the use of biometric data of minors under the age of 14 or of adults with limited capacity to provide consent.
5. Has it happened to you too that you searched for a product on an online shopping app and then started getting ads or recommendations for it everywhere, and even different prices for different users (i.e. price discrimination)? This happens because these service providers misuse their user profile data, which may include key identifiers such as name, location, occupation, salary, and even interests and online behaviour. Companies use this data to create personalized recommendations of products and services and also to engage in price discrimination, without the consent or knowledge of the user.
The new regulation has addressed this issue: if a service provider needs to use a user profile to provide better products and services, it must clearly inform the user about the uses and rules related to their user profile.
If the user refuses access to and use of their user profile, they cannot be restricted from using the services, and the service provider must provide them with a clear and accessible channel through which they can use the services.
There is even a fine of up to 50 million Yuan (about $7.74 million) if any entity doesn’t comply with the regulation.
6. The regulations also provide restrictions regarding storage time limit and deletion of data.
Firstly, it states that data should be collected infrequently and only if it is necessary for the core services. The user’s consent regarding the use of their data must be obtained beforehand. The user shall have the right to withdraw their consent whenever they want, and the service provider must provide a clear channel for the user to do so.
Secondly, if the service provider gives personal data to any third party, it must de-identify that data to the extent that a person cannot be identified from it.
7. There are provisions for the sharing of public data as well. The city’s public data system lacks standardization and suffers from ailments such as small sample sizes, poor data quality, a lack of channels for accessing data, and low user participation.
The regulation provides for the establishment of a data management system and a big data centre to help safely and efficiently store, manage, and consolidate public data.
This data will be made available to the public, who can access it free of charge. This step has been taken in the hope that the public data can be used by the government as well as the public sector to advance the digital development of the local region.
Limitations of the regulation
The main issue which is not clearly defined under the regulation is that of data ownership. The regulations propose the implementation of a “comprehensive reform pilot implementation plan” that aims for Shenzhen to improve data property rights systems and explore new mechanisms for data property rights protection and usage.
In the explainer attached to the regulations, Mr Lin Zhengmao, deputy director of the Legislative Affairs Committee of the Standing Committee of the Shenzhen Municipal People’s Congress, admits that it is difficult to clearly define ‘data ownership’ through local regulations, and simply offers the general consensus that “personal data have the properties of personality rights” and that “enterprises have property rights over data products and services formed through the investment of high levels of intellectual labour”. This ambiguity will lead to disputes between companies under the new regulation in future.
Effect of the regulation on foreign markets and businesses
This regulation will apply to any public or private entity that uses personal or public data in Shenzhen. Therefore many service providers will have to make changes and update their service agreements in order to comply with the regulations.
Companies handling such sensitive data must comply with the strict requirements for data storage and security and put proper security mechanisms in place.
Foreign investors engaged in cross-border data transfer, in particular of personal data or any data that has been designated as important by the state, must also apply for an exit security assessment and pass a national security review before they can transfer the data abroad.
As we recently heard, in July regulators opened a cyber security review into the ride-hailing giant Didi, just days after its huge U.S. initial public offering. Didi was forced to stop signing up new users, and its app was also removed from Chinese app stores. China’s cyberspace regulator alleged that Didi had illegally collected users’ data. So this new regulation could also cause difficulties for companies that receive investment from the U.S.
In India, there is no such regulation to date, but a Bill named the “Personal Data Protection Bill, 2019” has been published. The Bill is being analysed by the Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders, but the committee’s report is yet to come.