China’s National People’s Congress (NPC) on Friday passed its new Personal Information Protection Law (PIPL), which is designed to restrict Chinese tech giants from data collection, processing, and protect online user data privacy, according to a CNBC report.
The PIPL law, which takes effect on November 1, 2021, expands the ruling Communist Party’s clampdown on unscrupulous data collection by app developers by putting legal restriction on collection of user data. However, the policy is unlikely to affect the ruling party’s pervasive surveillance.
The law, which lays out a comprehensive set of rules around data collection for the first time specifically targets how private companies should handle user data.
While the final draft of the law has not been published yet, previous draft of the law said that companies need to get user consent to collect, use and share information, as well as offer them a way to opt out at any time.
If users refuse to agree to the data collection rules that is not necessary for the working of a product or service, in such an instance, the companies cannot deny services to such users.
The law aims to protect those who “feel strongly about personal data being used for user profiling and by recommendation algorithms or the use of big data in setting [unfair] prices,” a spokesman for the NPC told state news agency Xinhua earlier this week.
It will also foil companies from setting different prices for the same service based on the shopping history of the customer.
More so, the law makes it very difficult for companies to transfer the personal data of Chinese nationals to other countries having lower standards of data security than China. Any company that is found to be breaking the rules could face fines of up to 50 million yuan ($7.7 million) or 5% of their annual revenue.
“Data localization requirements are not new or unique to China, but in terms of practical impact for companies here, there is no question that ‘letter of the law’ compliance is more cumbersome now than before,” said Nathaniel Rushforth, cybersecurity and data counsel at DaWo Law Firm Shanghai.
“We should expect to see more frequent and substantial enforcement actions against all companies in China,” he said.