China has passed sweeping new rules about the collection and use of personal data as Beijing toughens its regulation of the country’s tech companies.
The Personal Information Protection Law — which was approved Friday by the Standing Committee of the National People’s Congress, and which will take effect November 1 — prohibits “illegally collecting, using, processing, transmitting, disclosing and trading people’s personal information,” according to state-run Xinhua News Agency.
Before this, China had no law in place specifically dealing with the collection and use of such data. Law enforcement had relied on legal provisions scattered across existing laws to handle cases related to data privacy.
The full text of the law is not yet public, but Xinhua reported that, among other things, it “clarifies” rules governing the “processing” and “provision” of personal information across borders.
News of the law comes as some Chinese tech firms, including ride-hailing company Didi, have been accused of mishandling user data in recent months. Shortly after Didi went public in the United States, Chinese regulators accused it of “illegally collecting and using personal information.” Beijing has cited risks that the misuse of data poses to national security as regulators crack down on companies that list overseas.
Xinhua also reported that the law will create stronger regulation of China’s public surveillance system, requiring the disclosure and labeling of hardware used in identifying people in public places. Collected data can only be used for maintaining public safety, the news agency said. China operates a vast network of cameras, backed by advanced facial recognition and AI-driven technology, to control crime but also to check identities in subways, schools and office buildings.
The law also stipulates that companies cannot use personal data to target individuals for marketing, according to state broadcaster CCTV. And firms must provide easy ways for users to opt out of targeted marketing.
CCTV also reported that sensitive personal information — such as biometrics, health care and financial accounts — should only be processed with the individual’s consent.
Should a company illegally handle personal information, their services could be suspended or terminated, according to the law. Those who refuse to make corrections will be handed a fine of up to 1 million yuan ($153,000).
The news rocked Chinese tech stocks on Friday, adding to what has already been another disastrous week. JD.com (JD), Xiaomi and Alibaba (BABA) fell 2% or more in Hong Kong. Health information affiliates of JD, Alibaba (BABA) and Ping An Insurance (PIAIF) were among the worst performers, all plunging 13% or more.
This week, Hong Kong’s Hang Seng Tech Index — which tracks the 30 largest tech firms that trade in the city — has fallen more than 10%. That’s the index’s worst weekly performance since February.
– Laura He contributed to this report.