WSJ: China Passes One of the World’s Strictest Data-Privacy Laws
China’s once-freewheeling internet faces new rules protecting personal data, as the world’s largest online population awakens to privacy concerns
China has approved a sweeping privacy law that will curb wide-ranging data collection by technology companies, but that policy analysts say is unlikely to limit the state’s widespread use of surveillance.
China’s top legislative body, the Standing Committee of the National People’s Congress, passed the Personal Information Protection Law at a meeting in Beijing on Friday, according to the state-run Xinhua News Agency.
The law will take effect Nov. 1, Xinhua said. The full text of the final version hasn’t yet been released.
The national privacy law, China’s first, closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation, and contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent.
However, unlike in Europe, where governments face more public pressure over data collection, Beijing is expected to maintain broad access to data.
Though new privacy rules could allow China’s central government to control how lower-level agencies use and share data, nothing suggests “anything resembling legal limits on government surveillance,” said Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center.
“Chinese civil society still has very limited means of ‘watching the watchmen,’” he added.
China’s new privacy framework comes as frustration grows within the government and in Chinese society over online fraud, data theft and data collection by domestic technology giants. For years, loose rules on accessing data allowed domestic companies to quickly develop and adopt new products and technology, but also fueled a black market for consumer data.
The new privacy law is part of a tighter regulatory regime for Chinese tech companies. Over the past year, Beijing has clamped down on the tech sector on matters including data security and anticompetitive practices, such as by imposing multibillion-dollar fines on companies that force vendors to sell exclusively on their platform—which used to be par for the course in China’s winner-takes-all market.
Author: Eva Xiao, WSJ
China passes data privacy law amid clampdown on tech sector
China’s National People’s Congress on Friday officially passed a law designed to protect online user data privacy and will implement the policy starting November 1, according to state-media outlet Xinhua.
The law’s passage completes another pillar in the country’s efforts to regulate cyberspace and is expected to add more compliance requirements for companies in the country.
The law states that handling of personal information must have clear and reasonable purpose and shall be limited to the “minimum scope necessary to achieve the goals of handling” data.
It also lays out conditions for which companies can collect personal data, including obtaining an individual’s consent, as well as laying out guidelines for ensuring data protection when data is transferred outside the country.
The law also calls for handlers of personal information to designate an individual in charge of personal information protection, and calls for handlers to conduct periodic audits to ensure compliance with the law.
The second draft of the Personal Information Protection law was released publicly in late April.
The Personal Information Protection Law, along with the Data Security Law, mark two major regulations set to govern China’s internet in the future.
The Data Security law, to be implemented on September 1, sets a framework for companies to classify data based on its economic value and relevance to China’s national security.
The Personal Information Protection Law, meanwhile, recalls Europe’s GDPR in setting a framework to ensure user privacy.
Both laws will require companies in China to examine their data storage and processing practices to ensure they are compliant, according to experts.
The laws arrive amid a broader regulatory tightening on industry from Chinese regulators, which have rattled companies large and small.
In July, China’s Cyberspace Administration of China (CAC), its top cyberspace regulator, announced it would launch a probe into Chinese ride-haling giant Didi Global Inc for allegedly violating user privacy.
On Tuesday, China’s State Administration for Market Regulation (SAMR) passed a sweeping set of rules aimed at improving fair competition, banning practices such as fake online reviews.
China passes major data protection law as regulatory scrutiny on tech sector intensifies
- China has passed the Personal Information Protection Law (PIPL), which lays out for the first time a comprehensive set of rules around data collection.
- The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
- A final version of the law has not been published but a previous draft included rules around requiring consent for data protection and punishments for companies that did not comply.
China passed a major data protection law on Friday setting out tougher rules on how companies collect and handle their users’ information.
The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing and protection, that were previously governed by piecemeal legislation.
After several drafts, the PIPL was passed by China’s legislature on Friday, according to state media. However, the final version of the law has not yet been published.
A previous draft of the law said that data collectors must get user consent to collect data and users can withdraw that consent at any time. Companies that process data cannot refuse to provide services to users who don’t agree to having their data collected — unless that data is necessary for the provision of that product or service.
There are also strict requirements for transferring Chinese citizens’ data outside the country.
Companies that fall foul of the rules could be fined.
Beijing ramps up tech scrutiny
The PIPL comes as China’s regulatory scrutiny on the country’s technology companies intensifies. With the PIPL, alongside the country’s Cybersecurity Law and Data Security Law, China has beefed up its data regulation.
“The release of the PIPL completes the trifecta of China’s foundational data governance regime, and will usher in a new age of data compliance for tech companies,” said Kendra Schaefer, Beijing-based partner at Trivium China consultancy.
Globally there has been a push to create better rules around data protection. In 2018, the European Union’s landmark General Data Protection Regulation came into effect. That regulation aims to give citizens in the bloc more control over their data.
Beijing has been growing concerned about the amount of data companies are collecting — particularly in the internet sector, and the potential implications of that.
In July, regulators opened a cybersecurity review into ride-hailing giant Didi, just days after its huge U.S. initial public offering. Didi was forced to stop signing up new users and its app was also removed from Chinese app stores. China’s cyberspace regulator alleged that Didi had illegally collected users’ data.
China’s technology giants are bracing for further restrictions.
Tencent, the owner of the popular WeChat messaging app, warned on Wednesday that further regulations could be coming for the technology industry.
This year, regulators also introduced anti-monopoly rules for the so-called platform economy and regulations on unfair competition in the internet sector.
Author: Arjun Kharpal, CNBC