Section Background
Articles 20th August 2021

New Data Privacy Law Passed in China

Binary code on a blue background with a legal scale symbol

On the 20th August 2021, China’s National People’s Congress officially passed a law designed to protect private online user data. This will be implemented starting 1st November 2021. A draft of the proposed law was made public in April 2021, giving businesses time to adjust and make the necessary changes. Here we will take a look at what this new law is, what is means for businesses, and what could happen in the future.

 

What is the new law?

The Personal Information Protection Law (PIPL) is a comprehensive set of rules surrounding personal data. The new law is a tougher ruling for business use but means more privacy for consumers. The law states that a clear purpose must be outlined by businesses as to how they will use and handle personal data.

The regulations also state new conditions for which companies can collect and store personal data, and has created new guidelines for ensuring data protection when data is transferred outside the country.

It is reported that Beijing has been growing concerned with how internet-based companies in particular are collecting and using data, without much consequence to the companies.

The PIPL along with the Data Security Law (DSL) mark two major regulations set to govern China’s internet in the future. The DSL, to be implemented on 1st September 2021, sets a framework for companies to classify data based on its economic value and relevance to China’s national security.

In July 2021, the Cyberspace Administration of China (CAC), its top cyberspace regulator, announced it would launch a probe into Chinese smart transportation giant Didi Global Inc for allegedly violating user privacy.

Recently, China’s State Administration for Market Regulation (SAMR) passed a sweeping set of rules aimed at improving fair competition, banning practices such as fake online reviews.

As both the PIPL and DSL come in to effect soon and have similar interests, both laws will require companies in China to examine their data storage and processing practices to ensure they are compliant, according to experts.

The PIPL will require handlers of personal information to designate an individual in charge of personal information protection, and calls for handlers to conduct periodic audits to ensure compliance with the law.

 

What does this mean for businesses?

This means businesses in China will have to comply with the law’s requirements, in the country’s efforts to regulate the cyberspace. Tech giants will need to ensure their user data storage is secure after public complaints about mismanagement and misuse of personal data.

In January 2021, the government-backed China Consumers Association (CCA) issued a statement criticizing tech companies for “bullying” consumers into making purchases and promotions. Since then, regulators have routinely reprimanded companies and apps for violating user privacy. China’s Ministry of Industry and Information Technology accused 43 apps for illegally transferring user data and called on them to make rectifications before 24th August 2021.

 

What does this mean for the future?

The new laws are much like the General Data Protection Regulation (GDPR) rules laid out by the Europe, which were implemented in May 2018. As they are very alike, China can go forward operating in a similar way.

Business will have to move fast to implement the necessary changes and comply with the new data privacy laws, or potentially face a fine up to 2 million yuan.