LOFTER for ipad —— 让兴趣,更有趣

点击下载 关闭

LOFTER-网易轻博

miit

14浏览    3参与
Qingrong Zhu

PaRR Special Report•Article 5

China needs universal cyberspace legislative framework to align with US and EU

•The ultimate goal of US internet governance is freedom
•EU gives personal data same weight as personal dignity
•China will strengthen data localization in future data protection laws

China needs to create a universal legislative...

China needs universal cyberspace legislative framework to align with US and EU

•The ultimate goal of US internet governance is freedom
•EU gives personal data same weight as personal dignity
•China will strengthen data localization in future data protection laws

China needs to create a universal legislative framework and standards governing cyberspace to align with other jurisdictions including theUS and the European Union (EU), said Liu Jinrui, an associate researcher at the Institute of Law of China Law Society.

Liu acts as an informal adviser to lawmakers in relation to cybersecurity related rule making processes in China, and made the remarks at a legal conference held in Beijing recently.

Liu said that, as an originator of the internet, the US has taken the lead in internet regulation and engaged in promoting internet freedom and deregulation.

"Countries who follow in the steps of US with advanced technological development also prefer unregulated internet communications," said Liu.

However, today internet rule making is no longer dominated by one country, according to Liu.

The PRISM scandal was a watershed, Liu said, referring to disclosure of the covert surveillance program that allowed the US National Security Agency (NSA) to collect data from various internet giants.

In the wake of that scandal, the US ceded control over the Internet Corporation for Assigned Names and Numbers (ICANN), an organization responsible for the control of domain names, and transitioned the functions of the organization to the global multi-stakeholder community, Xu Ke, the executive director of the Digital Economy and Law Innovation Research Center at the University of International Business and Economics, said at the same panel. 

According to Liu, the ultimate goal of US internet governance is freedom. Restriction of the free flow of data is considered as restricting the free market and even freedom of speech and expression. In the EU, information and personal data have been given the same weight as personal dignity. "It became a human rights issue," said Liu. 

In China, data localisation, as well as security assessment of outbound data transfers specified in Article 37 of China's Cybersecurity Law(CSL), are measures adopted to ensure national security. However, "it is confusing to place the protection of personal rights and the safety measures for national security under one law," Liu added.

Facing the rise of big data, the EU has tightened its restrictions, whereas the US has loosened its grip, Liu said. "China shall make a judgment on its regulatory direction and opt for its preferred legislative model," he said. 

Xu said that data localisation was likely to become embroiled in a global "tit-for-tat" contest.

"China, US and the EU are engaged in a global contest to expand their authority in data regulation," Xu said.

Although China prefers the approach of adopting a multilateral mechanism and the participation of multi-stakeholders in global internet regulation, "China will seek to further strengthen data localization in its future data protection laws," Xu added.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 4

China's proposed cross-border data transfer rules to be 'substantially revised' after US trade negotiations

•China tightens grip on data flows as US lifts restrictions
•Trade talk aims at principle issues including data flows

The second draft of China's Information Security Technology–Guidelines for...

China's proposed cross-border data transfer rules to be 'substantially revised' after US trade negotiations

•China tightens grip on data flows as US lifts restrictions
•Trade talk aims at principle issues including data flows

The second draft of China's Information Security Technology–Guidelines for Data Cross-Border Transfer Security Assessment (the 'draft guidelines') will be "substantially revised or even completely abolished" as a foreseeable outcome of the China-US trade negotiations, according to a person familiar with the matter and a Beijing-based senior lawyer engaged in data compliance. 

The draft guidelines were designed to instruct network operators and relevant authorities to assess the purposes and security risks before an outbound transfer of personal and important data. Based on the second draft, network operators are required to ensure the legality, legitimacy and necessity of data transfer, as well as to minimize the risks of leakage, destruction, manipulation, or abuse of data after outbound transfer. 

The drafting process commenced at the beginning of 2017. The first draft was released on 27 May of the same year to solicit public opinions. Three months later, the second draft was released on 25 August for a second comment period. However, no substantial progress on the draft guidelines has been achieved since that time.

According to the person familiar with the matter, the current pause in the process of finalizing of the draft guidelines is due to the uncertainty in the ongoing trade negotiations between China and the US.

While China is tightening its grip on cross-border data transfers with security assessment demands, the US is lifting restrictions to promote free cross-border data flows, said the person familiar with the matter, referring to the United States-Mexico-Canada Agreement (USMCA) which discourages data localization and data flow restrictions with strong language.

The USMCA does not allow for prohibitions or restrictions on cross-border transfers of data including personal information (Article 19.11), or stipulating the location of computing facilities (i.e., computer servers) in a territory for business operation (Article 19.12), said the person familiar with the matter, adding that these requirements run contrary to China's approach to data regulation. 

The person familiar with the matter said the divergence between China and the US on cross-border data transfer is one of the "important issues of principle," referring to a statement made by China's Vice Premier Liu He on 11 May. At the time, Liu said: "While cooperation is the only right choice for China and the US, Beijing will not yield on important issues of principle".

The real purpose behind the trade talks is to negotiate principles issues, Wang Xinkui, chairman of Shanghai WTO Affairs Consultation Centre, said during a digital economy and trade seminar at Shanghai Academy of Science recently.

Speaking to members of international organizations and global experts, Wang said that current debate on tariffs are "a means but not (an) end." China's restrictions on free flow of business data and location of computing facilities, as well as requirements of safety assessments, are borne out of necessity of China's development and public policy, Wang said, adding that these restrictions are relevant to the topic of foreign access to China's cloud computing markets, which will be discussed in future negotiations. 

In addition, the person familiar with the matter said that personal data and important data will be treated differently; while regulations on personal information will be aligned with international practices, important data will fall into a distinct category in which Chinese regulators will insist on sovereignty. 

The Cyberspace Administration of China (CAC) declined to comment.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 1

China trade associations encouraged to take role in personal information protection legislation, says CAC official

•Scope of personal information important to achieve balance in legislation
•User consent requirement to be lifted in cases of missing children, news reports
•Handling of indirect identifiable...

China trade associations encouraged to take role in personal information protection legislation, says CAC official

•Scope of personal information important to achieve balance in legislation
•User consent requirement to be lifted in cases of missing children, news reports
•Handling of indirect identifiable information still a matter of debate

Trade associations should take a more active role in helping legislators identify exceptional situations in terms of personal information protection while ensuring companies comply with relevant laws and rules, according to Li Min, deputy director of the legal affairs division of the Bureau of Policy and Regulations under the Cyberspace Administration of China (CAC).

Li made the comments at a 'Personal Information Protection' sub-conference during the three-day 2019 China Internet Conference hosted by the Internet Society of China in Beijing recently. The conference brought together members of the Internet Society of China, the Ministry of Industry and Infomation Technology, the Communications Administration of Hebei province, as well as representatives from internet enterprises.

According to Li, defining the scope of 'personal information' is the prime task of China's legislation covering personal information protection, which is among the legislative agenda items to be taken up by the Standing Committee of the 13th National People's Congress in the current term. It has yet to be decided whether the new law will adopt the existing definition under the supplementary Article 76 (5) of the Cybersecurity Law (CSL), or seeks to refine and amend the term, Li added.

Under Article 76 (5) of the CSL, personal information refers to all types of information recorded in electronic or other forms that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to information such as the full name, birth date, national identification number, personal biometric information, address, and telephone number of a natural person.

A broad definition of the term containing more regulatory subjects will result in strict regulation, whereas a narrow scope of the term will lead to a more tolerant approach in policy making, said Li, highlighting that the relevant legislation needs to tackle both the protection of personal information while leaving certain space for companies to develop.

Identifiable information

Personal information, also known as 'personal data' or 'privacy', generally refers to the information that can directly or indirectly identify an individual, said Li.

While directly identifiable information such as names and national identification numbers can be immediately associated with a specific person, indirect identifiable information alone is insufficient to identify an individual, said Li.

However, whether the indirect identifiable information falls into the category of personal information is a matter of some debate. Li gave location information collected by apps as a real life example. He said an individual who regularly visits a governmental building during office hours is likely to be identified as a government employee.

Defining scope

According to Li, existing opinions regarding the scope of personal information generally fall into three categories. The opinion reflecting a broad view calls for equal protection for both directly and indirectly identifiable information, whereas the contrary view suggests excluding the indirectly identifiable information from the scope of personal information, Li said.

The moderate opinion suggests that the indirectly identifiable information, in combination with other pieces of information, can be deemed as personal information. 

"We need to draw an appropriate scope to keep a balance between development and regulation," Li said.

Exemptions, special cases

Li told the conference that legislation on personal information protection should provide exemptions to allow industry development. Obtaining user consent prior to collecting personal information becomes questionable under special circumstances, for example, the information collected through open source channels, search for missing children, as well as news reports, said Li.

"It is unfeasible to adopt a sweeping approach in personal information protection," said Li, adding that classification and grading of personal information can be helpful in applying different rules to special cases.

According to Li, sensitive personal information including genetic data and health records is worthy of the strictest protection, whereas juveniles should receive different protection levels from adults. How big power should government agencies be given in terms of collecting and using personal information is an issue that needs further discussion, Li said.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

LOFTER

让兴趣,更有趣

简单随性的记录
丰富多彩的内容
让生活更加充实

下载移动端
关注最新消息