If data controllers illegally process personal data in China or of Chinese residents elsewhere in the world, they may have to cough up CN¥50 million (~₹ 55 crore) or 5% of annual revenue in fines, according to China's draft Personal Information Protection Law. Also, if other countries take punitive actions against China in the field of personal data protection, China will retaliate in kind.

This Bill is currently being deliberated upon by the National People's Congress (the Chinese parliament) and will regulate how the personal data of more than 900 million internet users in China is processed and stored. The draft was released on October 21. We have used DigiChina's translation to summarise the Bill which has 8 chapters and 70 articles.

The Bill covers only data related to natural persons; it does not cover anonymised data. It makes informed consent mandatory for data processing, imposes obligations on data controllers, and proposes restrictions on sending data processed in China outside the country.

This Bill has been long awaited and is the latest in a litany of legislation related to cyberspace. The others are the controversial Cybersecurity Law (enacted in June 2017) and the draft Data Security Law. China had also amended its criminal law in 2015 and criminalised illegal sale of personal data to a third party.

What kind of processing does the Bill apply to?

It applies to all individuals and organisations who process personal data within the borders of China. The language of this article is ambiguous. It…
