China passes new data privacy protection law, to effect from Nov. 1

0
253
Chinese President Xi Jinping (C), Vice President Wang Qishan, Politburo Standing Committee member Zhao Leji, National People's Congress (NPC) Standing Committee Chairman Li Zhanshu, Premier Li Keqiang, Politburo Standing Committee member Wang Huning and Vice Premier Han Zheng arrive for the closing session of the Chinese People's Political Consultative Conference (CPPCC) at the Great Hall of the People in Beijing, China March 10, 2021. REUTERS/Carlos Garcia Rawlins

China’s National People’s Congress on Friday officially passed a law designed to protect online user data privacy and will implement the policy starting November 1, according to state-media outlet Xinhua.

The law’s passage completes another pillar in the country’s efforts to regulate cyberspace and is expected to add more compliance requirements for companies in the country.

China has instructed its tech giants to ensure better secure storage of user data, amid public complaints about mismanagement and misuse which have resulted in user privacy violations.

The law states that handling of personal information must have clear and reasonable purpose and shall be limited to the “minimum scope necessary to achieve the goals of handling” data.

It also lays out conditions for which companies can collect personal data, including obtaining an individual’s consent, as well as laying out guidelines for ensuring data protection when data is transferred outside the country.

The law also calls for handlers of personal information to designate an individual in charge of personal information protection, and calls for handlers to conduct periodic audits to ensure compliance with the law.

The second draft of the Personal Information Protection law was released publicly in late April.

The Personal Information Protection Law, along with the Data Security Law,mark two major regulations set to govern China’s internet in the future.

The Data Security law, to be implemented on September 1, sets a framework for companies to classify data based on its economic value and relevance to China’s national security.

The Personal Information Protection Law, meanwhile, recalls Europe’s GDPR in setting a framework to ensure user privacy.

Both laws will require companies in China to examine their data storage and processing practices to ensure they are compliant, according to experts.

The laws arrive amid a broader regulatory tightening on industry from Chinese regulators, which have rattled companies large and small.

In July, China’s Cyberspace Administration of China (CAC), its top cyberspace regulator, announced it would launch a probe into Chinese ride-haling giant Didi Global Inc for allegedly violating user privacy.

On Tuesday, China’s State Administration for Market Regulation (SAMR) passed a sweeping set of rules aimed at improving fair competition, banning practices such as fake online reviews.

In January, the government-backed China Consumers Association issued a statement criticizing tech companies for “bullying” consumers into making purchases and promotions.

Since then, regulators have routinely reprimanded companies and apps for violating user privacy.

On Wednesday, China’s Ministry of Industry and Information Technology accused 43 apps for illegally transferring user data and called on them to make rectifications before August 24.