It’s mildly ironic that the state which has deployed mass facial-recognition and surveillance measures for citizens is also looking to protect those same citizens’ personal data…:
[…] Proposed changes in China’s Personal Information Security Specification would disallow data collection for the performance of a contract.
This activity was allowed previously. But under this proposal, prior consent will be required, as it is for data collection for legitimate interests.
“In other words, two of “most significant grounds for processing under GDPR (other than consent) are not allowed in China,” writes Griffen Thorne, an attorney based in the Los Angeles office of law firm Harris Bricken, on China Law Blog.
Thorne elaborates: “U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. They will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies.”