China’s new data protection law set to come into effect

China’s comprehensive set of personal data protection laws are on track to come into effect on November 1st this year, with enterprises needing to adapt to these new regulations.

A wide range of topics are covered by the “Personal Information Protection Law of the People’s Republic of China” including rules for processing sensitive personal data, defining penalties for data breaches and setting out the rights of data subjects.

The Cyberspace Administration of China (CAC) is the body that will enforce the law and, if their previous actions against firms that fall short of data security expectations are a sign of the future, penalties will be substantial for lawbreakers.

“The Personal Information Protection Law effectively safeguards, protects, and develops the legitimate rights and interests of the broad masses of people in cyberspace, so that the broad masses of people can enjoy a greater sense of gain, happiness, and security in the development of the digital economy,” the CAC said in a statement.

Dozens of apps were told by CAC to change the way they collect personal customer data, including major multinational businesses such as TikTok, Bing and LinkedIn. International firms that store data overseas will not be exempt from complying with these new laws. The eight chapters and 74 articles contained within the law are essential reading for organisations that do business in China.

Big data is also mentioned in the law, with companies not allowed to use these technologies to mislead consumers by using individual characteristics to set transaction prices. Compliance systems, too, must be set up to monitor major network platforms, with results needing to be publicly reported. If a breach is found to be “serious”, fines of up to RMB 50 million (US$7.5 million) or 5% of annual turnover can be made against organisations.