China Passes Strict New Data Privacy Law
The Chinese government today announced that it will institute a strict new data privacy law on November 1. Dubbed the Personal Information Protection Law (PIPL), it is said to be among the most stringent data privacy laws in the world.
Passed by the National People’s Congress earlier today, PIPL requires organizations to obtain the consent of Chinese citizens before collecting their personal information. Companies must also give citizens the option not to be targeted for marketing purposes or to have marketing based on personal characteristics.
The law also requires that there must also be a “clear and reasonable purpose” for handling personal information, and organizations must aim for the “minimum scope necessary to achieve the goals of handling” data, according to a Reuters story.
PIPL, which was first proposed in 2020, applies to all companies that work with Chinese citizens, including foreign and domestic entities. Chinese citizens in recent years have begun to complain about the mismanagement and abuse of their personal information at the hands of Chinese companies.
Chinese citizens succumb to scams and fraud at rates similar to people in other countries. A 2015 survey by the Internet Society of China found that 76% of Chinese users had received fraudulent information from sources purporting to be banks, Internet companies, or television stations offering prizes, according to a 2016 story in the Wall Street Journal. Over half have received scam calls, while one-third said they have lost money after receiving fraudulent calls, text messages, or emails, the story said.
PIPL is the third of three new laws that Chinese lawmakers have passed in recent years. The Chinese Data Security Law, which is set to go into effect on September 1, sets a framework for companies to classify data based on its importance, including “national core data,” “important data,” and “general data.” The country’s Cybersecurity Law, which went into effect in 2017, requires network operator to store select data within the country, and allows the government to conduct spot-checks of data and network operations.
PIPL resembles the European Union’s General Data Protection Regulation (GDPR) in some respects. However, it differs in one major way, which is that Chinese authorities are expected to maintain access to people’s personal information. Multi-national companies that want to sell their products and services to Chinese citizens, however, would do well to pay attention to the new law, says Charles Farina, head of innovation at Adswerve.
“If brands and marketers weren’t paying attention to all the new legislation popping up in the U.S. and around the world, they absolutely must do so now, especially since China influences one of the largest markets in the world,” Farina tells Datanami via email. “Brands that operate or advertise to Chinese citizens must solidify their first-party data strategies so that they are compliant” with the new law.