A Chinese mobile phone user in Shanghai. China has passed the Personal Information Protection Law (PIPL), which lays out for the first time a comprehensive set of rules around data collection.
Qi Yang | Moment | Getty Images
GUANGZHOU, China — China passed a major data protection law on Friday setting out tougher rules on how companies collect and handle their users’ information.
The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.
The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing and protection, that were previously governed by piecemeal legislation.
After several drafts, the PIPL was passed by China’s legislature on Friday, according to state media. However, the final version of the law has not yet been published.
A previous draft of the law said that data collectors must get user consent to collect data and users can withdraw that consent at any time. Companies that process data cannot refuse to provide services to users who don’t agree to having their data collected — unless that data is necessary for the provision of that product or service.
There are also strict requirements for transferring Chinese citizens’ data outside the country.
Companies that fall foul of the rules could be fined.
The PIPL comes as China’s regulatory scrutiny on the country’s technology companies intensifies. With the PIPL, alongside the country’s Cybersecurity Law and Data Security Law, China has beefed up its data regulation.
“The release of the PIPL completes the trifecta of China’s foundational data governance regime, and will usher in a new age of data compliance for tech companies,” said Kendra Schaefer, Beijing-based partner at Trivium China consultancy.