On May 28^th, the National Network Information Office released its Draft Data Security Management Measures (the “Draft”) for public comments. The Draft states that internet business operators must not use reasons such as improvement of service quality, enhancement of user experience, directed push content or development of new products to force or mislead personal information subjects to agree to the collection of their personal data, through means such as default permissions or bundled functions, etc.

Regarding data collection, the Draft states that when internet business operators gather and utilize personal data through products such as websites and apps, rules for collection and utilization should be formulated and published. The Draft also states that when data security incidents occur, such as personal data leakages, damages or losses, or when risk of data security incidents becomes significantly higher, internet business operators should immediately take remedial action.

Source: National Network Information Office