by Hu Wen
On August 20, the 30th meeting of the Standing Committee of the 13th National People's Congress passed the Personal Information Protection Law of the People's Republic of China (the law), which will come into force on November 1, 2021. Following the Cyber Security Law in 2016 and the Data Security Law in June 2021, the Personal Information Protection Law further clarifies the principles for the collection and disposal of personal information, marking the establishment of a comprehensive legal safeguard system for information security in China.
In recent years, China has been active in data and privacy protection-related legislation and law enforcement, enforcing these in many high-risk industries and scenarios.
Clarifying and strengthening domestic needs for data security
The Personal Information Protection Law is clear in identifying the domestic need for data security, with maximum fines higher than those in the EU.
In the era of big data, cloud computing and other information integration technology, the time is right for China to promote personal information protection legislation. According to Deloitte Touche Tohmatsu, as of June 2021, more than eight out of ten countries and regions around the world have been or are in the process of formulating personal information protection laws and rules. China is one of these, designing a differentiated system based on existing thinking.
As analysts from Guosheng Securities said, this law is important, as it clarifies that anyone using personal information should obtain the consent of the relevant individual in advance, and if anything about the use of the information changes, the individual needs to be informed again. At the same time, on hot-button issues such as blanket authorization and mandatory consent, the law specifically requires that individual consent be obtained for handling sensitive personal information, providing personal information to others or making it public, transferring personal information across borders, etc., and clarifies that it is forbidden to excessively collect personal information or to refuse to provide products or services to individuals who do not consent. Besides, the law gives individuals the right to withdraw their consent, in which case collection of the individual's personal information should be stopped and existing personal information should be deleted.
As more and more companies use big data to analyze and evaluate consumers for commercial marketing, some have begun illegally utilizing information about consumers' economic status, consumption habits, sensitivity to prices, etc., to mislead and defraud them by applying discriminatory and differential prices. The most typical breach was "big data-enabled price discrimination against existing customers", which triggered a heated debate. As to such activities, the law clearly stipulates that decisions made automatically based on customers' personal information should be transparent, fair and just, and that it is not allowed to apply unreasonable differential treatment to individuals in terms of prices and other transaction conditions.
The law classifies information such as biometric information, religious beliefs, specific identity markers, medical and health care, financial accounts, and whereabouts and trajectories as sensitive personal information. It requires that sensitive personal information be handled only for a specific purpose, when sufficiently necessary, and under strict protection measures, that an impact assessment be conducted beforehand, and that the individual be informed of the necessity as well as the possible consequences.
For serious violations of the law, provincial and higher-level departments responsible for personal information protection shall order corrections, and law-breaking companies will be punished by confiscation of illegal income and fines of up to RMB 50 million or no more than 5% of the previous year's turnover; they may also be ordered to suspend and/or rectify the relevant businesses, or even have their permits or licenses for the relevant businesses revoked by the competent authorities after official notification.
Great potential for the corporate data security market
As the law comes into force, there is great potential for various industries involving personal information in China.
Financial data naturally has commercial value and needs to be regulated. Derivative personal information, obtained from the analysis, summarizing and deduction of sensitive personal information related to financial transactions, is of great value for risk control and business. As hospitals adopt Internet technology in medical and healthcare activities, data sharing and circulation have become necessary, but isolation and other static protection measures are not enough to prevent the risks of flowing data. Therefore, medical data, which includes patients' privacy and is becoming more diverse in type and form, has become an increasingly serious challenge for data security, and Internet-enabled hospitals need to analyze and prevent data security risks from a dynamic, changing perspective. Meanwhile, as the intelligent vehicle industry and the Internet of Vehicles develop, AI technology represented by autonomous driving is becoming more popular and data processing capacity is continuously improving, causing increasingly prominent automotive data security challenges and risks, especially in the effective utilization of automotive data and the protection of national security and the legitimate rights and interests of individuals.
Automotive data processors should take responsibility for protecting personal information and the legitimate rights and interests of individuals. Prior to the disposal of automotive data that contains personal information, the relevant individuals should be informed in a prominent manner and their consent obtained, or the disposal should otherwise fall within the circumstances specified in laws and administrative regulations. Processors should obtain the separate consent of the relevant individuals for the disposal of sensitive personal information, and meet specific requirements such as strictly limiting the purposes, giving prompts when collecting data and terminating collection, or following laws, administrative regulations and mandatory national standards. Automotive data collection may include biometric features such as fingerprints, voice prints, faces, heart rhythms and so on only for the purpose of improving driving safety.
The size of the data security service market is expected to reach RMB 10 billion
In recent years, China has intensively issued and implemented laws and regulations such as the Data Security Law, the Regulations on Security Protection of Critical Information Infrastructure and the Personal Information Protection Law. Looking only at privacy, which is one part of data security, Gartner predicts that in 2023 more than 80% of companies worldwide will face at least one privacy-focused data protection law or regulation, and that in 2024 expenditure on privacy data protection and compliance technology will exceed USD 15 billion.
Data security computing modules are commonly used in big data service scenarios and added to AI computing platforms to provide data-based security, storage and computing services for AI applications. Taking the revenue of AI platforms as the upper limit of privacy computing output value: according to IDC, in 2020 the size of the big data market in China was about USD 10.42 billion, of which the software market contributed USD 2.65 billion, and AI platforms about USD 400 million. IDC forecast that from 2018 to 2024 the AI industry would have a compound annual growth rate of 39%, meaning the revenue of AI platforms is expected to reach USD 1.5 billion in 2024, while these data security solutions may contribute up to RMB 10 billion.
Privacy computing technology makes flowing data "available but not visible", meaning it can be used without being exposed. This helps to resolve the contradiction between data protection and data utilization, and the technology has now been widely applied in fields such as finance, medical care and government affairs.
Industry experts emphasized the need to take both data application and security into account when exploring data value, to balance efficiency and risk, and to make use of data on the premise of ensuring security.
KPMG expected that the data security technology and service market could reach RMB 10 billion in 2023, and that as IT architecture moves to the cloud, this will contribute RMB 100 billion to the data security SaaS business in the long run.
Take consumer loan scenarios as an example. Assume that by 2030 the penetration rate of federated learning in credit risk modeling at financial institutions reaches 60% and a service fee rate of 1% is applied, and that China's short-term consumer credit market, which stood at RMB 9.92 trillion in 2019, maintains an annualized compound growth rate of 8% through 2030, so that the market size reaches RMB 21.42 trillion in 2030. Revenue of the data security business is then expected to reach RMB 12,850 billion. When scenarios such as the Internet as well as medical and governmental big data are taken into account, the potential is even greater.
According to Guosheng Securities, typical data security application scenarios usually involve three parties. First are Internet companies as the data users; in the future, the Cyberspace Administration of China and other regulatory authorities may lead platform construction, with third-party enterprises that have state-owned shareholders and technical reserves providing technology and operations. As the users of data, Internet-based companies have to consider service features and payment capacity, so they have an urgent need for compliance, including minimizing data collection and avoiding abuse. Second, the data providers, such as the banking industry and medical institutions in federated modeling, should prevent original data from leaving their premises and send only encrypted information to the intermediate party. Third, the privacy computing technology service providers should build computing systems for customers, including deploying service nodes at business operators, data collectors and trusted third parties.