China’s top legislative body, the Standing Committee of the National People’s Congress, passed the Personal Information Protection Law at a meeting in Beijing on Friday, according to the state-run Xinhua News Agency.
The law will take effect Nov. 1, Xinhua said. The full text of the final version wasn’t released upon passage.
The national privacy law, China’s first, closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation, and contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent.
However, unlike in Europe, where governments face more public pressure over data collection, Beijing is expected to maintain broad access to data.
Though the new privacy rules could allow China’s central government to control how lower-level agencies use and share data, nothing suggests "anything resembling legal limits on government surveillance," said Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center.
"Chinese civil society still has very limited means of ‘watching the watchmen,’ " he added.
China’s new privacy framework comes as frustration grows within the government and in Chinese society over online fraud, data theft and data collection by domestic technology giants. For years, loose rules on accessing data allowed domestic companies to quickly develop and adopt new products and technology, but also fueled a black market for consumer data.
The new privacy law is part of a tighter regulatory regime for Chinese tech companies. Over the past year, Beijing has clamped down on the tech sector on matters including data security and anticompetitive practices, for example imposing a multibillion-dollar fine on Alibaba Group Holding Ltd. for forcing vendors to sell exclusively on its e-commerce platform—a practice that used to be par for the course in China’s winner-takes-all market.
After several years in which tech companies largely had free rein to access consumer data, the new privacy law is a "sign of the market maturing," said Neil Liang, co-founder of The CareVoice, a Shanghai-based tech startup, who has been following changes in the regulatory landscape for tech companies’ user data policies.
Costs will likely increase, as tech companies must dedicate more resources to compliance, similar to what his firm had to do to adapt to Europe’s GDPR framework a few years ago, said Mr. Liang.
But the new rules could also provide new opportunities for third parties who help companies with data management, he added.
China’s new privacy law, which unifies previously piecemeal legislation on personal information protection, also tackles a number of concerns that have come to light in recent years, such as the proliferation of facial recognition.
In urban residential compounds around China, where cameras equipped with facial-recognition technology are used to verify residents and visitors, complaints from tenants have spurred local governments to take action, such as banning the collection of biometric data without consent. Last month, China’s highest court instructed building managers to offer alternatives for residents who don’t want to submit to facial recognition.
According to the latest draft of China’s privacy law, facial recognition cameras installed in public places must be marked with prominent alerts and only be used to maintain public security.
The new law will also seek to address the issue of algorithmic discrimination, which has drawn increasing public concern, especially in cases where online platforms offer different prices to different users based on their online behavior.
The latest draft, which requires automated decision-making to be transparent and fair, also instructs companies to give individuals the option to opt out of personalized marketing.
Violating the new privacy law could come at a high cost for companies. Illegal activities that are considered serious could result in a fine of up to $7.7 million, or up to 5% of the preceding year’s business income, according to the law’s latest draft.
If companies are compliant with Europe’s GDPR, "they are going to be fine complying with the Chinese privacy law," said Alexa Lee, senior manager of policy at the Information Technology Industry Council, a Washington-based trade association of high-tech companies.
But national security-related provisions in the law, such as one enabling the blacklisting of overseas data handlers who endanger China’s national security or public interest, could be driven by considerations unrelated to privacy, such as U.S.-China relations, she said. "That is an area companies can’t predict and they cannot control."
Separately, Chinese regulators on Friday also published new rules requiring companies that process auto data to enhance data security and protect personal information collected from vehicles. The rules require important data, including sensitive military and government locations, to be stored in China, and also set principles for reducing unnecessary collection and sharing of data.
The new rules on auto data, published by five Chinese ministries led by China’s cyberspace authority, will take effect on Oct. 1.