Thursday, 18 April 2024
  • Published on 6 September 2021
  • 1313 Views
  • Print

China passes new personal data protection law

5 min read

China’s new sweeping national Personal Information Protection Law will come into effect on 1 November 2021. It will give authorities muscles to enforce compliance to perhaps the world’s toughest set of regulations on the use of personal data by companies as well as the state.

Chinese big tech companies such as Baidu, Alibaba and Tencent have long been viewed in equal measure of scorn and envy by industry peers, especially in the West, for their unfettered access to and use of customer data because of relatively lax domestic data privacy and protection legislations. By leveraging advanced analytical and automated decisioning tools, they have been able to rapidly amass gigantic user adoption, customer bases and transform themselves into dominant data driven behemoths that they are today. The situation will come full circle when the new law becomes effective.

It sets out six broad areas, chiefly the preservation of data owners’ right to informed consent on access to and use of their data as well as to ensure mobility of the data. It also safeguards “sensitive information” from being accessed and stipulates greater transparency in the use of advanced analytic and automated decision-making technology for the processing of data, prohibiting application of analysis to effect discriminatory outcomes.

The law will apply uniformly across all companies and institutions operating in the country, including foreign owned ones and government agencies. It will be enforced jointly with the Cyberspace Administration under the State Council and can mete out penalties that range from maximum fines of RMB 50 million ($7.72 million) or up to 5% of revenue of violating companies to suspension of business and ultimately to revocation of operating licences.

Together with the Cybersecurity Law introduced in 2017 as well as the Data Security Law and the Regulation for Safe Protection of Critical Information Infrastructure which just came into force on 1 September, China’s data protection and security framework will extend to the use and transfer of data across borders. Critical information infrastructure operators for public communications, information systems, energy, water, transport, finance, health care and other public services are required to keep data in the country and must undertake a security assessment in order to transfer data overseas. Companies are also not allowed to share or transfer “important data” overseas, including to foreign judicial authorities or law enforcement agencies without approval from Beijing and may face fines of between $800,000 and $1.5 million.

Re-disseminated by The Asian Banker from the State Council of China.

Diary of Activities
Shenzhen & Hong Kong Innovation Study Tour 2024
20 - 22 May 2024
The Asian Banker Summit 2024
23 May 2024
Future of Finance China 2024
21 June 2024
Finance Vietnam 2024
18 July 2024
Finance Thailand 2024
25 July 2024
TABLive
Suresh Ramamurthi on AI in banking: “AI and tokenisation will drive financial revolution”
15 April 2024
Axis Bank transitions to microservices and multi-cloud technology to be future-ready
3 April 2024
Chairman of Korea Federation of Banks emphasises industry ethics and innovation
28 February 2024