Draft regulation expected to bolster data security
A draft regulation on protecting internet data security guarantees the implementation of necessary laws and will play a big role in ensuring internet entities shoulder their responsibilities, experts said.
The draft management regulation, issued on Sunday by the Cyberspace Administration of China, the country's top internet regulator, specifies the provisions of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and interprets principles in the laws by listing examples and situations.
"The details clearly answer what internet entities, including enterprises and users, should do and shouldn't do in data handling, which will make law enforcement more practical," said Wang Sixin, a professor of internet law at Communication University of China.
The draft regulation requires those handling data to delete personal data or remove identifying information within 15 working days in some situations, such as when receiving a user's request to stop online services or cancel an account, which is a requirement laid out in the Personal Information Protection Law.
Wang said the 15-day time limit is essential to make sure users' rights are protected and to provide a way for cyber footprints to be eliminated.
"In this way, data processors can no longer refuse or delay removing personal information on the grounds that there is no clear time limit in the law," he said.
The draft document will be further improved following more consultations, Wang said.
The administration has posted the 75-article draft regulation on its website, and is inviting public feedback until Dec 13.
While establishing a category-and class-based data protection system, data processors are also ordered to set up an emergency response mechanism to limit the damage caused by potential data security incidents in accordance with the draft regulation.
Meanwhile, data processors should conduct a risk assessment of the necessity and safety of personal identity authentication under the draft, which clarifies that biometric information, including facial features, voices and fingerprints, cannot be the only means of identifying people's identities.
Additionally, online platform operators with enormous data or resources involving State security, economic growth or public interests need to apply for a security review if they are ready to merge, reorganize or be divided, according to the draft.
It also clarifies that such a security review is also a legal requirement for data processors that deal with personal information of more than 1 million people and plan to go public abroad.
Zuo Xiaodong, vice-president of the China Information Security Research Institute, said that is necessary, "as data processors handling data of more than 1 million users may bring greater effects to society, so they have to shoulder more responsibilities in data protection".
"The document, if passed, will make it easy for the public to understand the laws and will also be a practical guidebook for administrators to make full play of the laws," Zuo added.
