China has passed one of the most restrictive data protection laws in the world, tightening control over how personal information is collected and used by companies in the country.
The Personal Information Protection Law lays out a comprehensive set of rules around data collection, processing, and protection, the Associated Press reported Friday. Previously, regulations on user data were spread out through patchwork legislation.
It specifically targets how private companies handle user data. The law doesn't appear to affect the Chinese government's surveillance efforts.
The law is set to take effect on Nov. 1. It gives specific standards for what type of information private companies in China can collect, as well as standards related to the storage of that data. However, the full text of the law hasn't been made available, the AP reported.
Additionally, the law mandates that companies get user consent before they collect data and also requires companies to offer customers the ability to withdraw consent at any time. It also bars companies from denying services to customers who refuse to hand over their information.
Shares of Chinese companies like Alibaba sank on news of the law's passage. The new data protection bill also closely follows antitrust actions taken against companies like Tencent and Alibaba.
The law reflects a new economic strategy from Beijing, which includes wanting technology giants to make money from the digitalization of public services rather than social media data, Rebecca Arcesati, an analyst at the Mercator Institute for China Studies, told the AP.
Although the legislation is similar to the European Global Data Protection Regulation (GDPR), it differs in that it doesn't mention anything about limiting the ability of the ruling party or the government to access user information in China.
Violating the law's regulations could also carry a steep price tag for companies, including fines up to $7.7 million or up to 5% of the company's business income in the previous year.
Although the law largely targets Chinese-based companies, it does include provisions that dictate how foreign companies can handle Chinese citizens' data. The Wall Street Journal reported Friday that most companies that are compliant with the GDPR will already be mostly ready for the Chinese law.
It's likely that the regulation will mostly affect companies that deal heavily in customer data. Apple, for its part, has taken steps to minimize the data it collects on users. The Cupertino tech giant also complies with Chinese regulations, including rules that require iCloud data to be stored on domestic servers.