China Enacts Sweeping New Data Privacy Law

The Robins Kaplan Privacy Pulse

August 24, 2021

On November 1, 2021, China’s new GDPR-like data privacy law goes into effect. With far-reaching scope and harsh penalties for noncompliance, the Personal Information Protection Law is expected to greatly curb data collection by businesses operating in China, reports the Wall Street Journal.

The law applies to any entity handling the personal data of Chinese citizens and aims to rein in online fraud, data theft, and the black market for consumer data in China. The law will require businesses and individuals to obtain prior consent before collecting data, with provisions for consumers to withdraw consent and request a return of their personal data. Of particular interest are the law’s transparency mandates on facial recognition technology and algorithmic discrimination.

Costs of compliance are likely to mirror those under the GDPR. The latest draft calls for fines of up to $7.7 million, or up to 5% of the preceding year’s income, for illegal activities. Non-compliant businesses could also be forced to stop some of their business.

Commentators, however, don’t think the law will realistically limit the Chinese government’s widespread use of surveillance.

The Robins Kaplan Privacy Pulse blog features privacy and cybersecurity litigation topics including the latest news in cybersecurity law and policy, privacy legislation, and other related cyber topics making headlines.

Akina R. Khan

Associate

Pronouns: she/her