China has passed a law that, according to authorities, "further perfects" existing arrangements for the protection of personal data, The Register reports.
The new "Personal Information Protection Law of the People's Republic of China" comes into effect on November 1, 2021. It comprises eight chapters and 74 articles that are said to outline strict yet vague measures on how and when data is collected and managed, individuals' rights, and who ultimately owns data.
In a statement (translated by The Register from Mandarin using automated tools) the Cyberspace Administration of China (CAC) said,
“On the basis of relevant laws, the law further refines and perfects the principles and personal information processing rules to be followed in the protection of personal information, clarifies the boundaries of rights and obligations in personal information processing activities, and improves the work systems and mechanisms for personal information protection.”
The document reportedly outlines standardised data-handling processes, defines rules on big data and large-scale operations, regulates those processing data, addresses data that flows across borders and outlines legal enforcement of its provisions. It also clarifies that state agencies are not immune from these measures.
The CAC asserts that consent to the collection of data is at the core of China's laws, and the new legislation requires the continual, up-to-date, fully informed advance consent of the individual. Parties gathering data cannot require excessive information, nor refuse products or services if the individual disapproves. The individual whose data is collected can withdraw consent, and death does not end the information collector's responsibilities or the individual's rights; it only passes the right to control the data down to the deceased subject's family.
Information processors must also take "necessary measures to ensure the security of the personal information processed" and are required to set up compliance management systems and internal audits.
To collect sensitive data, such as biometrics, religious beliefs, and medical, health and financial accounts, information needs to be necessary, for a specific purpose and protected. Prior to collection, there must be an impact assessment, and the individual should be informed of the collected data's necessity and impact on personal rights.
It is noteworthy that the law seeks to prevent companies from using big data to prey on consumers - setting transaction prices, for example - or mislead or defraud consumers based on individual characteristics or habits. Additionally, large-scale network platforms must establish compliance systems, publicly self-report their efforts and outsource data-protective measures.
If data flows across borders, the data collectors must establish a specialised agency in China or appoint a representative to be responsible. Organisations are required to offer clarity on how data is protected and its security assessed.
Storing data overseas does not exempt a person or company from compliance with any of the Personal Information Protection Laws.
In the end, supervision and law enforcement fall to the Cyberspace Administration and relevant departments of the State Council. The penalties for failure were not listed but historically the CAC has come down hard on those who are loose with customer data.
For example, in July 2021, China's Uber analogue DiDi was removed from local app stores because it was not compliant with data rules. The removal occurred less than a week after DiDi's IPO in the US.
In May 2021, the CAC ordered 105 apps - including LinkedIn, Bing, Douyin, TikTok and Baidu - to stop improperly collecting and using people's personal data.
Source: The Register
(Links via original reporting)