China has passed a law protecting personal data, according to state media Xinhua (via Reuters).
The Personal Information Protection Law (PIPL) will take effect on November 1.
It was suggested last year by China's communist leaders as a way to curb unscrupulous data collection in commercial spheres.
According to Xinhua, the new law requires app developers to give users choices about how their data is used. This includes whether they want not to be targeted for marketing purposes, or whether they wish to receive marketing based on personal characteristics.
The law also requires data processors to obtain consent from individuals before processing sensitive data such as financial and medical information, biometrics, and health data.
Apps that unlawfully collect user data could have their services suspended or terminated.
Companies from Western countries that do business in China and process the personal data of citizens must comply with the law's extraterritorial requirements. This means foreign companies will have to deal with regulatory requirements, such as reporting to Chinese supervisory agencies and assigning local representatives.
The core elements of China's new data protection system mirror the requirements of European Union law. The General Data Protection Regulation (GDPR), which provides citizens with comprehensive rights over their personal data, sets a similarly high bar for consent to process special category data such as health data. However, the two laws differ in which kinds of personal information they classify as most sensitive.
The GDPR also has an extraterritorial scope.
However, China's data protection law will be applied in a different context, because the Chinese state runs a huge data-gathering operation to monitor and police the behavior of its citizens.
The PIPL may have placed limits on the ability of Chinese government departments to collect data about citizens: draft versions of the law covered state organs. However, this is merely window dressing to allow the Chinese Communist Party (CCP) state security apparatus to continue data collection while consolidating its centralized control.
It remains to be seen if the CCP will use the new data protection rules as a way to further regulate the domestic tech sector, or tame its power.
It has taken a variety of measures to crack down on the sector, including using regulatory changes to gain leverage over Tencent and other giants. Beijing, for instance, filed a civil lawsuit against Tencent earlier this month claiming that the youth mode on its messaging app WeChat does not conform to laws protecting minors.
The PIPL gives the Chinese regime more options to impose restrictions on tech companies in China.
It is wasting no time in attacking data-mining techniques that are now commonplace among Western tech giants but could face increasing friction if they are used by Chinese companies.
Reuters reports that the National People's Congress celebrated the passing of the law today with an op-ed published by People's Court Daily, a state media outlet. It praises the legislation and calls on entities that use algorithms for personalized decision making, such as recommendation engines, to get user consent first.
The op-ed states: "Personalization is the result of a user's choice. True personalized recommendations must allow the user's freedom of choice without any compulsion. Users must have the option to refuse personalized recommendations."
Algorithmic targeting is also a growing concern outside of China.
As the EU negotiates new digital regulations to expand its regulatory power, regulators and lawmakers have called for stricter restrictions on behavioral advertising.
Regulating Internet traffic is the new geopolitical battlefield as countries compete for control of future data flows in order to meet their economic, political, and social goals.