China’s National People’s Congress on Friday officially passed a law designed to protect the privacy of online user data and will implement the policy from Nov. 1, according to state media outlet Xinhua.
The passing of the law completes a new pillar in the country’s efforts to regulate cyberspace and is expected to add more compliance requirements for businesses in the country.
China has instructed its tech giants to ensure better secure storage of user data amid public complaints of mismanagement and abuse that have led to violations of user privacy.
The law states that the processing of personal information must have a clear and reasonable purpose and be limited to the “minimum scope necessary to achieve the purposes of the processing of data”.
It also sets out the conditions under which companies may collect personal data, including obtaining an individual’s consent, as well as guidelines for ensuring data protection when data is transferred abroad.
The law also calls for personal information handlers to designate a person responsible for protecting personal information, and calls on handlers to conduct periodic audits to ensure compliance with the law.
The second draft of the Personal Data Protection Act was made public at the end of April.
The Personal Data Protection Act, along with the Data Security Act, highlight two important rules that will apply to the Internet in China in the future.
The data security law, to be implemented on September 1, establishes a framework for companies to classify data based on its economic value and relevance to China’s national security.
The law on the protection of personal data is a reminder of the European GDPR by creating a framework to guarantee the privacy of users.
Both laws will require companies in China to examine their data storage and processing practices to ensure they comply, experts said.
The laws come amid a broader tightening of industry regulations by Chinese regulators, which has left companies big and small in confusion.
In July, the Chinese Cyberspace Administration of China (CAC), the leading cyberspace regulator, announced it would launch an investigation into Chinese ride-taking giant Didi Global Inc for allegedly violating user privacy.
On Tuesday, China’s State Administration of Market Regulation (SAMR) passed a comprehensive set of rules aimed at improving fair competition, banning practices such as false online reviews.
In January, the government-backed China Consumers Association released a statement criticizing tech companies for “bullying” consumers into making purchases and promotions.
Since then, regulators have routinely reprimanded companies and apps for violating users’ privacy.
China’s Ministry of Industry and Information Technology accused 43 apps of illegally transferring user data on Wednesday and called on them to make corrections before Aug. 24.
© Thomson Reuters 2021