China's top legislature has passed a law to protect personal information, effective November 1, in an effort to further regulate cyberspace with more compliance requirements for companies in the country.
The Personal Information Protection Law came against the backdrop of public complaints about mismanagement and misuse which have resulted in user privacy violations. The draft was submitted to the Standing Committee of the National People's Congress for its third reading on Tuesday and was voted to pass on Friday.
It clarifies the rules for personal information processing and cross-border provision, and the obligations of personal information processors, and states that no organization or individual may illegally collect, use, process or transmit personal information, or illegally trade, provide or disclose personal information.
Handlers of personal information must have a clear and reasonable purpose and shall be limited to the minimum scope necessary to achieve the goals of processing data, according to the law.
The law also calls for handlers of personal information to designate an individual in charge of personal information protection, and calls for handlers to conduct periodic audits to ensure compliance with the law.
The Personal Information Protection Law, along with the Data Security Law, are two major laws set to govern China's internet in the future.
The Data Security Law, to be implemented on September 1, sets a framework for companies to classify data based on its economic value and relevance to China's national security.