China has approved what may prove to be the most robust data privacy regulation in any country to date. The Personal Information Protection Law, which will take effect on November 1, is perceived as a sweeping privacy law seeking to curb companies’ efforts (especially technology companies) to collect personally identifiable data.
The new law will require companies to have a clear and reasonable purpose for the collection and processing of personal data and any such handling of personal data must be limited to the “minimum scope necessary to achieve the goals of handling” data. The law also provides a variety of requirements for obtaining consent as well as ensuring the security of data when transferred outside of the country.
Given the connection to China that much of the global economy has, it is expected that this law will undoubtedly influence the data storage and processing practices (and the auditing of those practices) that companies implement well beyond just their operations in China.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor developments of the new law as companies ramp up to its effective date.