China has passed a broad data protection law that will impose strict controls on the private sector’s handling of personal data, adding to the country’s already extensive crackdown on the country’s tech sector, which has roiled global stock markets.
According to the text released by the National People’s Congress, the personal information protection law, which was passed by the Chinese Communist Party’s ceremonial legislature on Aug. 20, will require organizations and individuals to have a clear and reasonable purpose to “collect, use, process, transfer, trade, provide, or publicize other people’s personal information.” It also requires businesses to obtain individuals’ consent before collecting personal information.
The law, which goes into effect on November 1, also establishes stringent requirements for exporting data from Chinese users outside of the country. Personal information handlers must store collected data locally and obtain permission from Chinese authorities before sending any information overseas, according to the report.
The law also forbids the disclosure of personal information to foreign judicial and law enforcement authorities. Furthermore, foreign individuals and companies engaged in data mining that may endanger China’s national security or public interests may be denied access to personal data, and their identities will be made public, according to the law.
Its approval came after a months-long regulatory crackdown on a wide range of tech companies, including those in e-commerce, personal finance, social media, gaming, and education. In September, China will also implement a data security law that will require companies that process “critical data” to conduct regular risk assessments and submit reports.
Shares of e-commerce behemoth Alibaba fell 2.6 percent in Hong Kong following news of the new data protection law. Pinduoduo, a Chinese online grocery retailer, fell 1.2 percent in pre-market trading on the Nasdaq in New York.
The law has been compared to the European Union’s General Data Protection Regulation, a comprehensive framework designed to give European citizens more control over their data. The Chinese version, on the other hand, placed no restrictions on the ruling regime’s widespread access to corporate data and surveillance of its citizens.
According to Hua Po, a Beijing-based China affairs analyst, the term “data protection” is merely a pretext for the authorities to tighten their grip on the virtual sphere.
According to Hua, the regime is concerned about the amount of power wielded by tech firms, so it wants to seize control of all data from private companies.
The law also states that it applies to firms processing Chinese user data outside of China, whether for the purpose of providing services or products, assessing Chinese users, or other circumstances specified by law.
It also threatened retaliatory measures against “any countries or regions that impose discriminatory bans, restrictions, or other similar measures on the People’s Republic of China in the area of personal information protection.”
Companies that violate the law face fines of up to $1 million ($153,810). For repeat offenders, the fine would be tenfold, or up to 5% of the previous season’s revenue.
In recent months, Chinese regulators have increased their focus on cyberspace. On Tuesday, China’s State Administration for Market Regulation issued a draft regulation aimed at combating unfair competitive behavior, including the prohibition of practices such as fake customer reviews and other misleading commercial promotions.
On Wednesday, the Ministry of Industry and Information Technology, which oversees China’s telecommunications and software sectors, reprimanded 43 apps for illegally transferring user data.