As China toughens its stand on Big Tech and international companies, the new Personal Information Protection Law (PIPL) now requires global businesses that process information from China to obtain user consent and establish a data map.
The Chinese legislation, which came into force last month, outlines data processing requirements for companies based outside of China, which include “passing a security assessment conducted by state authorities”, reports ZDNet.
“Multinational corporations (MNCs) that move personal information of the country also will have to obtain certification on data protection from professional institutions,” said Eileen Yu, a contributor to the media outlet.
China is in the midst of a large-scale crackdown on big tech companies – both those from the US and its own native giants.
Designed as a Chinese data-protection law, PIPL introduces a range of regulations about how data can be collected and stored, with the threat of potentially massive fines of up to 5 per cent of a company’s annual turnover.
The Chinese government has described the legislation as necessary to address the “chaos” created by online platforms that had been excessively collecting personal data.
Like the EU’s General Data Protection Regulation (GDPR), “companies would need to obtain consent before collecting and using data from customers under PIPL”.
However, the Chinese law does not include legitimate interests or purposes as a condition for data processing, while GDPR does.
“The exclusion of legitimate purposes could mean that MNCs would have to seek the consent of all employees in China, if they had not already done so, before their HR departments were permitted to process the employee’s personal information,” the report noted.
According to the new Chinese data protection law, violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000).
For “serious” cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5 per cent of the company’s annual turnover for the previous fiscal year, according to the report.
A few global firms that still have operations in China are leaving the country after the new personal data law came into force.
Yahoo became the latest US tech company to end its presence in mainland China as tougher regulations were imposed.
The firm said in November that its decision was due to an “increasingly challenging business and legal environment” in the country.
Yahoo’s move followed Microsoft’s announcement in October that it was removing LinkedIn — its business-focused social network — from China, something it also blamed on “a significantly more challenging operating environment and greater compliance requirements”.