China has passed a sweeping data protection law that is set to impose strict control measures on the private sector’s handling of personal data, building on an already expansive crackdown on the country’s tech sector that has rattled global stock markets.
The personal information protection law, passed through the Chinese Communist Party’s ceremonial legislature on Aug. 20, will require organizations and individuals to have a clear and reasonable purpose to “collect, use, process, transfer, trade, provide, or publicize other people’s personal information,” according to the text released by the National People’s Congress. It also requires companies to obtain individuals’ consent before collecting their personal data.
Taking effect on Nov. 1, the law also lays out strict requirements for exporting data of Chinese users outside of the country. Handlers of personal information must store the collected data locally and obtain consent from Chinese authorities before it takes any information overseas, it said.
The law also prohibits the handing over of personal data to foreign judicial and law enforcement authorities. In addition, foreign individuals and companies engaging in data mining that could harm China’s national security or public interests could be denied access to personal data and their names will be announced in public, according to the law.
Its passage followed a months-long regulatory crackdown on an array of tech companies, including those in the fields of e-commerce, personal finance, social media, gaming, and education. China is also set to implement a data security law in September, requiring companies that process “critical data” to conduct regular risk assessments and submit reports.
News of the new data protection law tanked shares in e-commerce giant Alibaba by 2.6 percent in Hong Kong. Chinese online grocer Pinduoduo sank 1.2% in pre-market trading on the U.S.-based Nasdaq.
The law has drawn comparisons to the EU’s General Data Protection Regulation, a comprehensive framework designed to give European citizens more control over their data. The Chinese version, however, placed no limits on the ruling regime’s pervasive access to corporate data and surveillance on its citizens.
Hua Po, a China affairs analyst based in Beijing, said that the term “data protection” was only a pretext for the authorities to strengthen their control in the virtual sphere.
The regime is growing nervous about the amount of power being wielded by tech firms, Hua said, so it wants to take all the data from the private businesses into its own hands.
The law also says it applies to firms processing Chinese user data overseas, whether for the purpose of providing service or products, assessing users from China, and other circumstances outlined by law.
It also warned of reciprocal measures against “any countries or regions that take discriminatory ban, restriction, or other similar measures toward the People’s Republic of China regarding personal information protection.”
Companies that violate the law could incur up to 1 million ($153,810) in fines. For repeated offenders, the fine would rise by tenfold or up to 5 percent of the revenue from the previous season.
Chinese regulators have intensified scrutiny on cyberspace in recent months. On Tuesday, China’s State Administration for Market Regulation put out a draft regulation aimed at tackling unfair competitive behaviors, banning practices such as fake customer reviews and other misleading commercial promotions.
The Ministry of Industry and Information Technology, which manages China’s telecommunications and software sectors, also reprimanded 43 apps on Wednesday for illegally transferring user data.
Luo Ya contributed to this report.