| 23 May 2024, Thursday |

China passes new personal data privacy law, to take effect Nov. 1

According to state news agency Xinhua, China’s National People’s Congress passed a law on Friday to protect internet user data privacy, which will go into effect on November 1.

The approval of the bill completes another pillar in the country’s efforts to control cyberspace, and it is expected to increase compliance requirements for businesses in the country.

In the wake of public outcry over data mismanagement and misuse that has resulted in user privacy violations, China has issued instructions to its tech titans to ensure better secure storage of customer data.

The law states that handling of personal information must have clear and reasonable purpose and shall be limited to the “minimum scope necessary to achieve the goals of handling” data.

It also lays out conditions for which companies can collect personal data, including obtaining an individual’s consent, as well as laying out guidelines for ensuring data protection when data is transferred outside the country.

The law further calls for handlers of personal information to designate an individual in charge of personal information protection, and for handlers to conduct periodic audits to ensure compliance with the law.

The second draft of the Personal Information Protection law was released publicly in late April.

The Personal Information Protection Law, along with the Data Security Law

The Data Security law, to be implemented on Sept. 1, sets a framework for companies to classify data based on its economic value and relevance to China’s national security.

The Personal Information Protection Law, meanwhile, recalls Europe’s GDPR in setting a framework to ensure user privacy.

Both laws will require companies in China to examine their data storage and processing practices to ensure they are compliant, according to experts.


mark two major regulations set to govern China’s internet in the future.

The laws arrive amid a broader regulatory tightening on industry from Chinese regulators, which have rattled companies large and small.

In July, China’s Cyberspace Administration of China (CAC), its top cyberspace regulator, announced it would launch an investigation into Chinese ride-hailing giant Didi Global Inc for allegedly violating user privacy.

On Tuesday, China’s State Administration for Market Regulation (SAMR) passed a sweeping set of rules aimed at improving fair competition, banning practices such as fake online reviews.

In January, the government-backed China Consumers Association issued a statement criticizing tech companies for “bullying” consumers into making purchases and promotions.

Since then, regulators have routinely reprimanded companies and apps for violating user privacy.

On Wednesday, the Ministry of Industry and Information Technology accused 43 apps of illegally transferring user data and called on them to make rectifications before Aug. 24.

On the same day of Xinhua’s announcement of the data privacy law’s passage, the National People’s Congress published an op-ed from state media outlet People’s Court Daily praising the legislation. It called for entities that use algorithms for “personalized decision making” such as recommendations to first obtain user consent.

“Personalization is the result of a user’s choice, and true personalized recommendations must ensure the user’s freedom to choose, without compulsion,” the op-ed read.

“Therefore, users must be given the right to not make use of personalized recommendation functions.”

  • Reuters