China passes data security law to protect personal information

Zhu Shenshen
Law requires companies to minimize data collection and obtain prior consent and will take effect in November.
Zhu Shenshen

China passed a national private information protection law on Friday, the country's first, to prevent businesses collecting sensitive personal data and to crack down on crimes like online fraud and data theft.

The law, which takes effect in November, will improve data security and management in the world's second-biggest economy with over 1 billion netizens. It may bring challenges and changes for top tech giants which highly depend on data-driven business, industry officials said.

The Standing Committee of the National People's Congress, China's top legislative body, passed the Personal Information Protection Law on Friday. It passed after three rounds of reviews involving at least six major changes based on opinions from the public and experts.

Under the law, individuals and organizations handling personal information will be required to minimize data collection and obtain prior consent, especially for sensitive personal data covering biometrics, medical health, financial accounts and travel history.

Companies that fail to comply can face fines of up to 50 million yuan (US$7.6 million) or 5 percent of their annual turnover. Serious violators run the risk of losing their business licenses and being forced to shut down.

The law aims to protect those who "feel strongly about personal data being adopted for user profiling, algorithm recommendations or the use of big data in setting (unfair) prices," a spokesman for the National People's Congress said previously, reported by Xinhua news agency.

The new law is ranked up with those of other major economies, like Europe's General Data Protection Regulation (GDPR). It's "one of the world's strictest data-privacy laws," the Wall Street Journal reported.

The law changes the current "decentralized legislation situation" on data protection in China.

It completes "triangle" laws that mandate personal information protection and corporate data compliance and safeguard national data sovereignty, along with the Cyber ​​Security Law and the Data Security Law, said Hui Zhibin, professor and director of the Center for Internet Studies at Shanghai Academy of Social Sciences.

Hui is a researcher on long-term data security and privacy protection and was an expert contributor to the draft law.

Compared with Europe's GDPR, China's law is more comprehensive and elaborate, such as allowing minimum scope for data-processing purposes; defining minor personal information included in sensitive information and strict punishment and penalties for violation, Hui told Shanghai Daily.

China has the world's largest Internet population and smartphone user base.

In the first quarter, China's biggest online security firm, 360, received 606 smartphone crime reports with each victim losing 14,611 yuan on average. They suffered fraudulent activity on finance, dating, online shopping and job-seeking services, through the use of leaked personal information, the company said.

Tech giants are also accused of collecting personal information for profit in an environment without strong limits or rules.

Internet giant Tencent announced it would hold an online seminar tonight to talk about the new law and how people could optimize services.

Douyin and its parent ByteDance have upgraded their systems and added options to allow users to close the "customized recommendation." To obey the new law and increase personal information protection, the company will continue optimizing its products, Douyin said on Friday.

In recent years, the Chinese public has increasingly called for tightening data collection. Internet users sometimes described their online activity as "running naked."

In 2018, Baidu CEO Robin Li said the public is willing to "trade privacy for convenience, safety or efficiency."

The comments sparked controversy and pushback from many netizens, who said "free service has its cost, a very high cost (for privacy leakage)."

Special Reports