China passes data privacy law, tightens control over companies

On Friday, China approved a strict data privacy law, but concerns about the Communist Party government accessing data remain. Meanwhile, the U.S. has not yet enacted a federal data privacy law. 

A man walks past the offices of Chinese e-commerce firm Alibaba in Beijing, Aug. 10, 2021. Under a law approved Friday by its ceremonial legislature, China is tightening control over data about the public gathered by companies.

Mark Schiefelbein/AP

August 20, 2021

China is tightening control over information gathered by companies about the public under a law approved Friday by its ceremonial legislature, expanding the ruling Communist Party’s crackdown on internet industries.

The law would impose some of the world’s strictest controls on private-sector handling of information about individuals but appears not to affect the ruling party’s pervasive surveillance or access to those corporate data.

Its passage follows anti-monopoly and other enforcement actions against companies including e-commerce giant Alibaba and games and social media operator Tencent that caused their share prices to plunge.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

The law, which takes effect Nov. 1, follows complaints that companies misused or sold customers’ data without their knowledge or permission, leading to fraud or unfair practices such as charging higher prices to some users.

The law curbs what information companies can gather and sets standards for how it must be stored. The full text wasn’t immediately released, but earlier drafts would require customer permission to sell data to another company.

Alibaba shares lost 2.6% in Hong Kong after news of the law’s passage. Tencent sank after the announcement but ended up 1%. Pinduoduo, an online grocer, was down 1.2% in pre-market trading on the U.S.-based Nasdaq.

The law is similar to Europe’s General Data Protection Regulation, or GDPR, which limits collection and handling of customer data. But unlike laws in Western countries, earlier drafts of the Chinese legislation say nothing about limiting ruling party or government access to personal information.

The ruling party has been accused of using data gathered about Uyghurs and other members of predominantly Muslim ethnic groups in the northwestern region of Xinjiang to carry out a widespread campaign of repression.

Chinese authorities are “concerned at the volume of data big tech has in respect of the population and the power they can provide,” said Paul Haswell of law firm Pinsent Masons. He called the measure China’s version of the GDPR.

Most organizations, however, should be prepared after Chinese authorities imposed other restrictions on data oversight, Haswell said.

In April, Alibaba was fined a record $2.8 billion for anti-competitive practices.

This month, the government said online education companies are no longer allowed to receive foreign investment or operate as for-profit businesses.

The United States Congress has been discussing creating a federal data privacy law for the country for several years. In both the Senate and House of Representatives, members have developed privacy legislation.

In the Senate, Washington Democrat Sen. Maria Cantwell, chair of the Committee on Commerce, Science and Transportation, has proposed privacy legislation called the Consumer Online Privacy Rights Act (COPRA). The top Republican on the committee, Sen. Roger Wicker of Mississippi also has introduced a privacy bill, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act). Senator Wicker signed onto a bicameral letter by Republicans last month urging the president to take action on the issue. 

In the absence of a new federal standard, states have taken action. Last year, the California Consumer Consumer Privacy Act (CCPA) took effect. Virginia and Colorado have also enacted laws. 

This story was reported by The Associated Press.