Shanghai’s proposed new data regulations step up requirements for consent in relation to the usage of personal data, creating potential compliance risk for big data usage.
The Shanghai Standing Committee recently conducted a review of the draft version of the “Shanghai Municipal Data Regulations (Draft)” (上海市数据条例（草案）).
The Draft Regulations comes amidst greater efforts by the Chinese government to regulate data usage, and build upon the previously issued “Personal Information Protection Law” (个人信息保护法).
Key areas of emphasis for the Regulations include consent for data collection, facial regulation provisions, and the categorisation of low-risk data that is permitted to cross borders.
With regard to consent, article 17 stipulates that natural persons enjoy the right to knowledge of any collection, usage, processing and transactions involving data concerning their personal information.
The provisions of the article further stipulate that the processing of any personal data which is public should satisfy the publicised purpose of such data, and any further usage beyond this scope requires the consent of individuals.
Xia Hailong (夏海龙), a lawyer with Shenlun Law, said to 21st Century Business Herald that if approved these provisions could create compliance risk for enterprises whose main operations involve the use of big data for the smart acquisition and targeting of customers, or enterprise information inquiries.
“For inquiries involving the industrial and commercial information of enterprises, the personal information it includes is made openly public by natural persons, and the goal of this is the non-commercial goal of satisfying the requirements of the Company Law,” said Xia.
“Once this information is commercialised for usage, there is a good likelihood that it could be considered to exceed the goal of being made public, and still require the fulfilment of notification duties.”
The Regulations further outline standardised usage of facial recognition technology, on the grounds that biometric information that is sensitive personal data, and call for the formulation of a low-risk cross-border flow data catalogue.