China: Regional laws round-up
In China, the federal legislation is only part of the picture, with knowledge of recent regional laws also necessary for a full understanding of the data privacy landscape across the country. OneTrust DataGuidance provides an overview of various developments in this area.
Regulations on the Administration of Intelligent Connected Vehicles in the Shenzhen Special Economic Zone
The Regulations on the Administration of Intelligent Connected Vehicles in the Shenzhen Special Economic Zone ('the Shenzhen Regulation on Vehicles') was passed at third trial by the Standing Committee of the Shenzhen Municipal People's Congress on 5 March 2022. The Standing Committee noted that the Shenzhen Regulations on Vehicles will be the first regional legislation to regulate the management of intelligent connected vehicles. The Shenzhen Regulations on Vehicles provides that related enterprises must obtain data security testing and certification to ensure data integrity, confidentiality, and availability. More specifically, the Shenzhen Regulations on Vehicles establishes that in the event of loss or damage of national security data and users' personal information, applicable enterprises must take measures to promptly notify users and report the circumstances to the Municipal Internet Information Department.
In addition, the Shenzhen Regulation on Vehicles establishes specific provisions relating to different types of data, noting that intelligent networked vehicles can obtain desensitised data such as road traffic violations and traffic accidents on application and with the consent of the traffic management department. Likewise, the Shenzhen Regulation on Vehicles prohibits the collection, processing, and use of personal data involving national security.
More generally, the Shenzhen Regulation on Vehicles encourages sharing of data information, communication networks, and road infrastructure, except data which may include personal privacy, public safety, or national security.
Shenzhen Special Economic Zone AI Industry promotion regulations
The Shenzhen Special Economic Zone Artificial Intelligence ('AI') Industry Promotion Regulations ('the Shenzhen AI Regulations') was released for public comment on 14 July 2021. The Shenzhen AI Regulations are the first regional regulations aimed specifically at AI, applying to the city's activities related to AI technology research and the use of AI to provide products and services.
The Shenzhen AI Regulations provide that AI refers to the use of artificial methods as well as technologies, computers, or equipment controlled by them to learn and analyse the collected external data, perceive the environment, acquire knowledge, deduce, and conduct research, and development for simulation purpose. Further, the Shenzhen AI Regulations specify that organisations involved in AI research must abide by ethical and safety norms in relation to AI and carry out ethical review and risk assessments of services provided.
Assessments should focus on ethical risks including:
- whether the behaviour and impact and AI exceed the pre-set, understandable, and controllable scope, and the risk of negatively affecting social value and other aspects;
- unreasonable use, including risks caused by abuse and misuse;
- infringing or having a negative impact on the basic rights of citizens including personal, property, privacy among other things;
- whether the judgement of a specific group affects fairness and justice, causing the risk of rights infringement or negative impact; and
- the negative impact on social trust and social value due to AI services.
Finally, the Shenzhen AI Regulations note that applicable organisations must set up ethical risk positions or use professional organisations to carry out assessments such as those set out above.
Chongqing Data Regulations
The Chongqing Municipal People's Government voted on 30 March 2022 to pass the Chongqing Data Regulations which will enter into effect on 1 July 2022. The Chongqing Data Regulations outline requirements for the processing of personal information which follow the principles of legality, legitimacy, and necessity, covering among other things, data processing, data resources, and legal responsibility. The Chongqing Municipal People's Government noted that although establishing systems provided for in the Data Security Law of the People's Republic of China ('DSL'), the Chongqing Data Regulations provide that each data processor is responsible for its own security. The Chonqging Data Regulations also specify that violation of an open use agreement with the Chongqing Big Data Development Bureau ('the Bureau'), failure to report usage of data to the Bureau, or use of public data beyond the agreed scope or use will result in corrective measures or fines.
One of the main focuses of the Chongqing Data Regulations is the classification of data types, defining public data as data which is generated, collected, and produced by public management and service agencies in the process of performing their duties in accordance of the law. Simultaneously, public data is divided into four levels, public data, restricted data, sensitive data, and classified data according to the operations dependent on data characteristics, with the level of security required also dependent on the data type.
Fujian Big Data Development Regulations
The Fujian Provincial People's Congress announced, on 16 December 2021, that it had passed the Fujian Provincial Big Data Development Regulations. The Fujian Big Data Regulations set out provisions governing data collections with features including a large capacity, multiple types, fast access speed, and high potential application. Further, the Fujian Big Data Regulation establish that data collection should follow the principles of legality, legitimacy, and necessity, disclosing the collection rules to the person whose data is being collected alongside the express purpose, method, scope of collection, and the consent of the person.
In addition, the Fujian Big Data Regulations also classifies the different types of public data, namely unconditional sharing, conditional sharing, and temporary non-sharing data, though it does not clarify the differences between the data types. Nonetheless, the Fujian Big Data Regulations details that all kinds of data obtained in accordance with the law, may be traded, exchanged, or used if the data processed cannot be used to identify the applicable data subject.
Moreover, the Fujian Big Data Regulations extensively covers data security requirements, providing that data activities involving personal information, must comply with applicable laws and regulations, noting that the personal information collected must be de-identified or anonymised, the entire processing operation be recorded, and the personal information collected not be disclosed or tampered with. Finally, the Fujian Data Regulations highlight that no unit or individual may collect, disseminate, leak, tamper with, or trade data involving national interests, public security, military scientific research and production, trade secrets and personal information, among other things.
Finally, the Fujian Big Data Regulations also provides for specific sanctions, for:
- failure to collect, aggregate, share, open, and develop public data in accordance with the Fujian Big Data Regulations;
- failure to realise the interconnection and sharing of government information systems in accordance with regulations;
- tampering, forging, or leaking data;
- failure to perform data security protection duties; and
- other acts in violation of the provisions of the regulation.
Sichuan – draft Social Credit Regulations
The Sichuan Provincial Development and Reform Commission requested on 25 February 2022, public comments on the draft Sichuan Province Social Credit Regulations. The draft Sichuan Social Credit Regulations address social credit information management and provide credit subjects with rights. The Sichuan Social Credit Regulations also provide that credit subjects have the right to know the collection, storage, sharing, disclosure, inquiry, and application of their social credit information. Further, the Sichuan Social Credit Regulations stipulate that credit subjects are entitled to know the sources of credit information, as well as the reasons for changes in credit reports.
On credit information, the Sichuan Social Credit Regulations provide that for legal persons the unified social credit code should be used as the unique identifier for association matching of credit subjects. Where the unified social credit code is unavailable, the Sichuan Social Credit Code outlines that other identity documents, including household registration books or passports can be used for identification.
Nonetheless, the Sichuan Social Credit Regulations provide a series of restrictions on the use of personal information, namely that where the collection of market credit information involves personal information of natural persons, the credit subject must consent, and be informed of the content and method of collection, the use of information, and the rights and obligations credit subjects enjoy. More specifically, the Sichuan Social credit Regulations detail religious beliefs, genes, fingerprints, blood type, disease, and medical history information, alongside other information prohibited by applicable laws and regulations cannot be used for market credit purposes. Finally, the Sichuan Social Credit Regulations specify that if a credit subject believes there to be an error or omission in their own credit information, they may file an objection application to the applicable credit information provider, who must respond in a timely manner.
The Sichuan Social Credit Regulations remain in draft form.
Shanxi Province Social Credit Regulations
The Standing Committee of the Shanxi Provincial People's Congress announced, on 28 February 2022, that the Shanxi Province Provincial Social Credit Regulations would enter on 1 March 2022. In general, the Standing Committee noted that the Shanxi Social Credit Regulations, providing for the construction of a regional social credit system, the management and use of credit information, and the protection of the rights and interests of credit subjects. The Standing Committee highlighted that the Shanxi Social Credit Regulations confirm social credit information to be objective data and materials that can be used to identify, analyse, and judge the credit status of credit entities, including public credit information and non-public credit information. In addition, within the principles of the Shanxi Social Credit Regulations, the construction of social credit systems should protect the legitimate rights and interests of credit subjects.
Further to this, the Standing Committee stipulated that the Shanxi Social Credit Regulations, with due regard to the provisions of the Personal Information Protection Law of the People Republic of China, and the DSL, provide for, among other things, the right to privacy during the collection, storage, use, transmission and deletion of social credit information.
Concerning the collection of social credit information itself, the Standing Committee noted the Shanxi Social Credit Regulations the collection of public credit information on legal persons must use the unified social credit code as a unique identifier for association matching, with the collection. Regarding natural persons, the Shanxi Social Credit Regulations provides that resident identification ('ID') number will be used for associated matching, and if not available another valid ID number must be used.
Inner Mongolia Regulations on Administration of public credit information
The Inner Mongolia Autonomous Region Public Credit Information Management Regulations was passed by the Standing Committee of the Thirteenth People's Congress of the Inner Mongolia Autonomous Region on 30 March 2022. The Standing Committee highlighted that the Public Credit Regulations, among other things, must follow the principles of legality, security, objectivity, truthfulness, accuracy, and timeless in safeguarding national and social public interests, the rights and interests of credit subjects, and protect personal privacy. Furthermore, the Public Credit Regulations prohibit the collection of information including, among others, nationality, race, religious belief, gene, fingerprint, blood type, personal biometrics, disease, medical history, income, and tax payment.
Regarding the provision of credit information, the Public Credit Regulations note that public credit providers must verify the legality of information provided, alongside its authenticity and accuracy. Equally, in the event public credit information is changed, the public credit provider must notify the applicable public body in writing and such information must be changed or cancelled within five days of receiving notification. On credit information, the Public Credit Regulations specify ID numbers must be used as the associated matching identifier, and if none are available, others valid ID numbers must be used.
Guangdong Social Credit Regulations
The Standing Committee of the 13th People's Congress of Guangdong Province passed on 25 March 2021, the Regulations on Social Credit of the Guangdong Province which will enter effect on 1 June 2021. In particular, the Guangdong Social Credit Regulations highlights that the collection of market credit information involving the personal information of natural persons must be subject to the consent of the credit subject, and that the credit subject must be informed of the collection content, method, information use, and their rights, with the exception of that which should be disclosed in accordance with laws and regulations. Where minors personal credit information is concerned, the consent of the minors' parents or guardian must be obtained.
In addition, the Guangdong Social Credit Regulations establish that the application of personal social credit information must have a clear and reasonable purpose and be limited to the minimum scope to achieve the purpose of collecting such personal information. Likewise, the Guangdong Social credit Regulations detail credit subject rights establishing that credit subjects have the right to inquire about their own social credit information for no fee.
Further, the Guangdong Social Credit Regulations specify that personal information collected for market credit purposes must not include income, deposits, negotiated securities, commercial insurance, real estate information, and information relating to the taxes of natural persons. However, such information may be collected if credit subjects are clearly informed of the possible adverse consequences of providing such information, and provide written consent to providing such information and the purpose of collecting such information.
Beijing Social Credit Regulations
The Beijing Municipal Bureau of Economy and Information Technology requested, on the 24 February 2021, public comments on the Beijing Social Credit Regulations. Centrally, the Beijing Social Credit Regulations, in addition to establishing a number of rights for credit subjects, including the right to know, object, and delete information, requires credit service institutions to obtain consent and clearly inform credit subjects of the content, method, and purposes of collected credit information. Furthermore, the Beijing Social Credit Regulations note that if credit subjects believe there are errors or omissions in the collection, disclosure, and use of social credit information, or violations of their rights and interests to personal privacy and/or business secrets, they may file an objection application to applicable authorities. Although, the relevant authorities under the Beijing Social Credit Regulations must conduct identity verification within three days of receiving credit subject requests, and on correction of requests, notify credit subject within two days. Regarding credit subject objections to use of personal information, the Beijing Social Credit Regulations establishes the information objected to must be deleted in a timely manner and the reasons for deletion recorded. However, where credit subject objection requests require inspection or review, the time required for deletion is not considered.
The Beijing Social Credit Regulations delineate that social credit information will be divided into public credit information and non-public credit information, the former of which will be published on a Public Credit Information Catalogue managed by the Beijing Municipal Bureau of Economy and Information Technology.
The Beijing Social Credit Regulations have now been compiled with relevant opinions from the public added.
Jiangxi Social Credit Regulations
The Information Office of the Provincial Government and the Provincial Development and Reform Commission of Jiangxi announced that the Jiangxi Social Credit Regulations came into force on 1 March 2022. The Jiangxi Social Credit Regulations provide for, among other things, social credit information management the protection of credit subjects rights and interests, and legal responsibilities. Further, the Information Office outlined that the Regulations provide for the definition and classification of social credit information, stipulating the collection, sharing, and application of public credit information and market credit information.
More specifically, the Jiangxi Social Credit Regulations detail the relevant information that describes the basic information of credit subjects as including age, gender, business scope, and business location of unincorporated organisations where applicable. Although, the Jiangxi Social Credit Regulates note that the name and ID number of natural persons, or name of legal entities, is used as the primary identifier for social credit purposes.
On the other hand, the Jiangxi Social Credit Regulations provide that the collection of certain information for social credit purposes is prohibited, including financial data such as information regarding natural persons income, real estate, and tax amounts. Likewise, the Jiangxi Social Credit Regulations notes that the collection of information on religious beliefs, genes, fingerprints, blood type, disease, and medical history for social credit purposes, are also prohibited.
Harry Chambers Privacy Analyst