China Unveils Draft Rules Imposing Strict Privacy Obligations on Major Online Platforms

China is moving to reinforce personal data safeguards and support the orderly growth of the platform economy through a newly issued draft regulation made public on Saturday.

The proposed “Regulations on Personal Information Protection for Large Online Platforms”, published by the Cyberspace Administration of China and the Ministry of Public Security for public comment, outline a series of heightened requirements for how major platforms must handle user information.

Under the draft rules, any personal data gathered or produced within China must be stored inside the country. If a platform needs to transfer data overseas, it must follow national rules governing cross-border data security. Platforms are also instructed to implement stronger technical and managerial controls to detect and prevent unlawful data transfers abroad.

The document further requires that personal information be housed in Chinese data centers that satisfy national security criteria.

In addition, online platform operators must provide simple and accessible ways for users to view, correct, update, or delete their personal data, as well as to close their accounts. When a user asks that their personal information be sent to another designated data handler, the platform must complete the handover within 30 working days.

If a platform has serious shortcomings in data protection, such as repeated offenses or major data incidents impacting large numbers of users, authorities may order the platform to undergo compliance audits and risk evaluations by accredited third-party institutions.

The draft defines major violations to include data security incidents that lead to the exposure, alteration, loss, or destruction of personal data belonging to more than 1 million individuals, or sensitive data involving more than 100,000 people. Platforms that fail to guarantee data security may also be compelled to store information in approved third-party data centers.

The proposal encourages broad adoption of national network identity verification tools, data-labeling mechanisms, and official personal information protection certifications to bolster data-security practices.

Members of the public can submit comments through multiple channels. Authorities must respond to reported violations within 15 working days. The CAC and the Ministry of Public Security also stress that all parties involved, including government bodies and third-party agencies, must strictly maintain confidentiality regarding private, commercial, and other sensitive information encountered in the course of their work.

According to the CAC’s announcement on its official WeChat account, public consultation on the draft will remain open until Dec 22.