China’s principal internet regulator, the Cyberspace Administration of China (“CAC”), announced this week that China will move forward new legislation to combat the improper collection, use, and sale of personal information. The new legislation, announced during an interview of a senior CAC official by state-owned Xinhua News, is reportedly being drafted by CAC, the Ministry of Industry and Information Technology (“MIIT”), and the Ministry of Public Security (“MPS”). A draft has not yet been released.
CAC, the country’s top cyberspace gatekeeper (and a dual-hatted Party/government organ), was established in 2011 by China’s State Council to streamline and strengthen internet regulation. Due to the lack of adequate enforcement resources, one of CAC’s key responsibilities is to coordinate with different ministries on internet-related matters and supervise and provide guidance to other ministries, including MIIT. Among other things, internet data breaches fall under CAC’s broad jurisdiction.
China does not have a comprehensive personal information protection law, and more than a dozen patchwork and industry-specific sets of rules have been promulgated in recent years. A more comprehensive draft Personal Information Protection Law, drafted by scholars in 2006 and submitted to the State Council in 2008, has not moved forward. In the last two years, several delegates to the National People’s Congress have called for a comprehensive law to unify the country’s disparate personal information protection rules. While the fate of such a comprehensive law is unclear, there are increasing signs that the Chinese government will enact additional legislation and regulations in the not-too-distant future regarding how businesses collect, use, protect, and transfer personal information.
Material for this post was supplied by Sheng Huang and Ashwin Kaja of Covington & Burling LLP.