China’s sweeping new national Personal Information Protection Law will come into effect on 1 November 2021. It will give authorities the muscle to enforce compliance with what is perhaps the world’s toughest set of regulations on the use of personal data by companies as well as the state.
Chinese big tech companies such as Baidu, Alibaba and Tencent have long been viewed with scorn and envy in equal measure by industry peers, especially in the West, for their unfettered access to and use of customer data, made possible by relatively lax domestic data privacy and protection legislation. By leveraging advanced analytical and automated decisioning tools, they have been able to rapidly amass gigantic user adoption and customer bases and transform themselves into the dominant data-driven behemoths that they are today. The situation will come full circle when the new law becomes effective.
The law sets out six broad areas, chiefly preserving data owners’ right to informed consent on access to and use of their data and ensuring mobility of the data. It also safeguards “sensitive information” from being accessed and stipulates greater transparency in the use of advanced analytic and automated decision-making technology for the processing of data, prohibiting the application of analysis to effect discriminatory outcomes.
The law will apply uniformly across all companies and institutions operating in the country, including foreign-owned ones and government agencies. It will be enforced jointly with the Cyberspace Administration under the State Council, with penalties that range from maximum fines of RMB 50 million ($7.72 million) or up to 5% of revenue of violating companies to suspension of business and, ultimately, revocation of operating licences.
Together with the Cybersecurity Law introduced in 2017, as well as the Data Security Law and the Regulation for Safe Protection of Critical Information Infrastructure, which just came into force on 1 September, China’s data protection and security framework will extend to the use and transfer of data across borders. Critical information infrastructure operators for public communications, information systems, energy, water, transport, finance, health care and other public services are required to keep data in the country and must undertake a security assessment in order to transfer data overseas. Companies are also not allowed to share or transfer “important data” overseas, including to foreign judicial authorities or law enforcement agencies, without approval from Beijing, and may face fines of between $800,000 and $1.5 million.
Re-disseminated by The Asian Banker from the State Council of China.