China has passed a sweeping data protection law that is set to impose strict control measures on the private sector’s handling of personal data, building on an already expansive crackdown on the country’s tech sector that has rattled global stock markets.
The personal information protection law, passed through the Chinese Communist Party’s ceremonial legislature on Aug. 20, will require organizations and individuals to have a clear and reasonable purpose to “collect, use, process, transfer, trade, provide, or publicize other people’s personal information,” according to the text released by the National People’s Congress. It also requires companies to obtain individuals’ consent before collecting their personal data.
Taking effect on Nov. 1, the law also lays out strict requirements for exporting data of Chinese users outside of the country. Handlers of personal information must store the collected data locally and obtain consent from Chinese authorities before it takes any information overseas, it said.
The law also prohibits the handing over of personal data to foreign judicial and law enforcement authorities. In addition, foreign individuals and companies engaging in data mining that could harm China’s national security or public interests could be denied access to personal data and their names will be announced in public, according to the law.
Its passage followed a months-long regulatory crackdown on an array of tech companies, including those in the fields of e-commerce, personal finance, social media, gaming, and education. China is also set to implement a data security law in September, requiring companies that process “critical data” to conduct regular risk assessments and submit reports.
News of the new data protection law tanked shares in e-commerce giant Alibaba by 2.6 percent in Hong Kong. Chinese online grocer Pinduoduo sank 1.2% in pre-market trading on the U.S.-based Nasdaq.