China passes major data protection law as regulatory scrutiny on tech sector intensifies

GUANGZHOU, China — China passed a major data protection law on Friday setting out tougher rules on how companies collect and handle their users’ information.

The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.

The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing and protection, that were previously governed by piecemeal legislation.

After several drafts, the PIPL was passed by China’s legislature on Friday, according to state media. However, the final version of the law has not yet been published.

A previous draft of the law said that data collectors must get user consent to collect data and users can withdraw that consent at any time. Companies that process data cannot refuse to provide services to users who don’t agree to having their data collected — unless that data is necessary for the provision of that product or service.

There are also strict requirements for transferring Chinese citizens’ data outside the country.

Companies that fall foul of the rules could be fined.

Beijing ramps up tech scrutiny

The PIPL comes as China’s regulatory scrutiny on the country’s technology companies intensifies. With the PIPL, alongside the country’s Cybersecurity Law and Data Security Law, China has beefed up its data regulation.

“The release of the PIPL completes the trifecta of China’s foundational data governance regime, and will usher in a new age of data compliance for tech companies,” said Kendra Schaefer, Beijing-based partner at Trivium China consultancy.

Globally there has been a push to create better rules around data protection. In 2018, the European Union’s landmark General Data Protection Regulation came into effect. That regulation aims to give citizens in the bloc more control over their data.

Beijing has been growing concerned about the amount of data companies are collecting — particularly in the internet sector, and the potential implications of that.

In July, regulators opened a cybersecurity review into ride-hailing giant Didi, just days after its huge U.S. initial public offering. Didi was forced to stop signing up new users and its app was also removed from Chinese app stores. China’s cyberspace regulator alleged that Didi had illegally collected users’ data.

China’s technology giants are bracing for further restrictions.

Tencent, the owner of the popular WeChat messaging app, warned on Wednesday that further regulations could be coming for the technology industry.

This year, regulators also introduced anti-monopoly rules for the so-called platform economy and regulations on unfair competition in the internet sector.