THE NEXT STEP in codifying new data protection and privacy standards has passed China’s legislature. The National People’s Congress Standing Committee enacted the Personal Information Protection Law on August 20. It will take effect on November 1.
It follows the recently passed Data Security Law, which will take effect on September 1.
Once fully implemented, the two new laws together will significantly impact data protection compliance requirements for businesses and data flows between China and the outside world. As with all Chinese legislation, authorities might enforce the law opportunistically for political reasons to penalise foreign firms or their governments.
The text of the final draft of the Personal Information Protection Law has not yet been released. Based on earlier drafts, it will resemble the EU’s General Data Protection Regulation (GDPR) in the level of the demands and restrictions it places on firms and other organisations that collect personal data, but without creating a fundamental right to privacy.
The law should improve the protection of individuals from misuse of their personal data by businesses and lower-level government officials, who have been known to sell it illegally or abuse it for private purposes.
However, these protections will be overriden if relevant stat organs need to acquire the data for specificed purposes, most notably domestic security.