Draft threatens heavy penalties for repeated or massive data incidents

China aims to enhance the protection of personal information, ensuring the legal rights of individuals and promoting the healthy development of the platform economy, according to new draft regulations released on Saturday.

The draft "regulations on personal information protection for large online platforms" were released by the Cyberspace Administration of China and the Ministry of Public Security to solicit public comments.

According to the draft regulations, personal information collected and generated in China should be stored domestically. If there is a need to transfer the information abroad, platforms should comply with national data export security regulations.

Platforms are required to strengthen technical and managerial measures to prevent and address risks associated with illegal overseas data transfers.

The draft also stipulates that personal information must be stored in data centers that are located in China and meet national security standards.

Moreover, online platform service providers must offer convenient methods and channels for individuals to access, correct, supplement, and delete their personal information, as well as to delete their accounts.

ALSO READ: Officials urge public to refrain from 'box-opening'

When an individual requests the transfer of their personal information to a designated personal information processor, the service provider should complete the transfer within 30 working days of receiving the request, the draft said.

In cases where platforms show serious deficiencies in personal information protection, such as repeated violations or significant data breaches affecting large numbers of users, authorities may mandate compliance audits and risk assessments by third-party professional organizations.

Infractions include a personal information security incident resulting in the leakage, alteration, loss, or destruction of the personal information of over 1 million individuals or sensitive personal information of over 100,000 individuals, the draft said.

Platforms that are found incapable of ensuring data security may be required to store data in third-party data centers that comply with regulations, it added.

The draft encourages the use of national network identity authentication services, data labeling technologies, and personal information protection certifications to enhance data protection levels.

READ MORE: AI support at heart of cybersecurity revision

The public is invited to submit feedback through various channels, and complaints about violations can be reported to authorities, who are required to respond within 15 working days.

The CAC and Ministry of Public Security emphasize the importance of confidentiality for all parties involved, including government departments and third-party organizations, regarding personal privacy, business secrets, and other sensitive information encountered during their duties.

Public consultation on the draft regulations is open until Dec 22, according to the statement CAC released on its official WeChat account.

Contact the writers at zhaoyimeng@chinadaily.com.cn