China’s National People’s Congress officially passed a law to protect the privacy of online users on Friday and will implement the policy from November 1, according to state-run media agency Xinhua.
The passage of the law completes another pillar of the country’s efforts to regulate cyberspace and is expected to add more compliance requirements for businesses in the country.
China has directed its tech giants to ensure better secure storage of user data amid public complaints of mismanagement and abuse that have resulted in user privacy violations.
The law stipulates that the handling of personal data must have a clear and appropriate purpose and be limited to the “minimum scope necessary to achieve the objectives of the data handling”.
It also sets out the conditions under which companies can collect personal data, including obtaining an individual’s consent, as well as guidelines to ensure data protection when transferring data abroad.
The law also requires that processors of personal data designate a person who is responsible for protecting personal data and requires processors to conduct regular audits to ensure compliance with the law.
The second draft of the Personal Data Protection Act was published publicly at the end of April.
The Personal Data Protection Act, along with the Data Protection Act, marks two important regulations that will govern China’s Internet in the future.
The Data Protection Act, which comes into effect on September 1, provides a framework for companies to classify data based on its economic value and relevance to China’s national security.
The Personal Data Protection Act, meanwhile, is reminiscent of the European GDPR by establishing a framework to ensure user privacy.
According to experts, both laws require companies in China to review their data storage and processing practices to ensure they are compliant.
The laws come amid broader industry regulatory tightening by Chinese regulators that has rocked businesses both large and small.
In July, China’s Cyberspace Administration of China (CAC), its top cyberspace regulator, announced that it would launch an investigation into Chinese ride-haling giant Didi Global Inc for alleged invasion of user privacy.
On Tuesday, China’s State Administration for Market Regulation (SAMR) passed a comprehensive set of rules to improve fair competition and prohibit practices such as fake online reviews.
In January, the government-backed China Consumers Association issued a statement criticizing technology companies for “intimidating” consumers into shopping and promotions.
Since then, regulators have routinely reprimanded companies and apps for violating user privacy.
On Wednesday, China’s Ministry of Industry and Information Technology accused 43 apps of illegally submitting user data and asked them to make corrections before August 24th.
© Thomson Reuters 2021