- China has passed the Personal Information Protection Law (PIPL), which lays out for the first time a comprehensive set of rules around data collection.
- The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
- A final version of the law has not been published but a previous draft included rules around requiring consent for data protection and punishments for companies that did not comply.
GUANGZHOU, China — China passed a major data protection law on Friday setting out tougher rules on how companies collect and handle their users’ information.
The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing, and protection, areas that were previously governed by piecemeal legislation.
After several drafts, the PIPL was passed by China’s legislature on Friday, according to state media. However, the final version of the law has not yet been published.
A previous draft of the law said that data collectors must get user consent to collect data and users can withdraw that consent at any time. Companies that process data cannot refuse to provide services to users who don’t agree to have their data collected — unless that data is necessary for the provision of that product or service.
There are also strict requirements for transferring Chinese citizens’ data outside the country.
Companies that fall foul of the rules could be fined.
Beijing ramps up tech scrutiny
The PIPL comes as China’s regulatory scrutiny on the country’s technology companies intensifies. With the PIPL, alongside the country’s Cybersecurity Law and Data Security Law, China has beefed up its data regulation.
“The release of the PIPL completes the trifecta of China’s foundational data governance regime, and will usher in a new age of data compliance for tech companies,” said Kendra Schaefer, Beijing-based partner at Trivium China consultancy.
Globally there has been a push to create better rules around data protection. In 2018, the European Union’s landmark General Data Protection Regulation came into effect. That regulation aims to give citizens in the bloc more control over their data.
Beijing has been growing concerned about the amount of data companies are collecting, particularly in the internet sector, and about the potential implications of that.
In July, regulators opened a cybersecurity review into ride-hailing giant Didi, just days after its huge U.S. initial public offering. Didi was forced to stop signing up new users and its app was also removed from Chinese app stores. China’s cyberspace regulator alleged that Didi had illegally collected users’ data.