English Hindi


Prelims Capsule

Defence & Security

China passes World’s Strictest Data Privacy Laws – Triggers $1 Trillion Chinese Tech Stock Meltdown

China passes World’s Strictest Data Privacy Laws – Triggers $1 Trillion Chinese Tech Stock Meltdown


  • GS 3 || Security || Internal Security Threats || Cyber Security

Why in the news?

  • China has approved a sweeping privacy law that will curb data collection by technology companies, but that policy analysts say is unlikely to limit the state’s widespread use of surveillance.
  • The Personal Information Protection Law lays out for the first time a comprehensive set of rules around data collection, processing, and protection that were previously governed by piecemeal legislation.


  • New law was passed in the backdrop of China facing an uptick in internet scams. Companies like ride hailing, giant Didi and gaming behemoth Tencent in regulators’ have been accused of over misuse of personal data in recent months.

Aim of the new law

  • The new law was passed to protect those who “feel strongly that their data is being used for user profiling and by recommendation algorithms or in setting prices”. The new law will prevent companies from setting different prices for the same service based on clients’ shopping history.
  • New law has been modelled on the basis of the European Union’s General Data Protection Regulation. This EU law is considered as the world’s strictest online privacy protection laws.

Major Highlights of China’s New Data Privacy Laws and its impacts  

  • Tougher rules on data collection
    • The new data protection law establishes stricter guidelines for how businesses collect and use information about their customers.
    • It necessitates a reduction in data collection and the acquisition of user consent.
    • For the first time, the Personal Information Protection Law (PIPL) establishes a comprehensive set of rules governing data collection, processing, and protection, which were previously governed by piecemeal legislation.
    • The rules add to China’s tightening of regulation, particularly around data, and may have an impact on how China’s technology behemoths operate.
  • User ProtectionThe law also aims to protect those who are concerned about personal data being used for user profiling and recommendation algorithms, as well as the use of big data in setting unfair prices.
    • It will also prohibit companies from charging different prices for the same service based on customers’ shopping history.
  • Resemblance to Europe’s General Data Protection Regulation
    • The national privacy law closely resembles Europe’s General Data Protection Regulation, the world’s most robust framework for online privacy protections, and includes provisions requiring any organization or individual handling Chinese citizens’ data to limit data collection and obtain prior consent.
    • However, unlike in Europe, where governments are under increased public pressure to collect more data, Beijing is expected to maintain broad access to data.
  • Sharing of Data with other countries
    • The law stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China— rules which may present problems for foreign businesses.
  • Penalties for noncompliance-Companies that fail to comply may face fines of up to 50 million yuan (approximately Rs 57 crore) or 5% of their annual turnover.
  • The Stock Exchange’s Reaction to the Law- The most significant impact of China notifying the law was a significant drop in the stocks of the country’s major technology companies, prompting renewed investor concern.

Similar data protection laws in the world

  • European Union(EU)
    • The landmark General Data Protection Regulation of the European Union went into effect in 2018 — a regulation that aims to give citizens in the bloc more control over their data.
    • According to the Regulation, a user can access personal data stored by companies and learn where and why it is being used.
    • Impact on organizations both inside and outside the EU-It applies not only to organisations within the EU, but also to companies outside the region that offer goods or services to, or monitor the behaviour of, people in the bloc.
  • Right to be forgotten- One will also have the right to be forgotten, which means that the user can ask the company to delete one’s data, potentially stopping third parties from accessing it.
  • Singapore: Newer amendments to broaden its scope
    • Singapore amended its Personal Data Protection Act at the end of 2020, introducing, among other things, mandatory data breach notifications, an expansion of its deemed consent framework, consent exceptions for legitimate interests, and increased penalties for noncompliance.
  • Brazil: Latin America’s first data protection law, and how will it be enforced
    • Brazil’s Lei Geral de Proteção de Dados, which goes into effect in September 2020, is Latin America’s first significant data protection law.
    • As Brazilian businesses and service providers scramble to comply, the remaining months of the year will be a test of how Brazil’s data protection authority will enforce the new law.


  • China has always been accused of harnessing big tech to accelerate repression in northwestern Xinjiang province and elsewhere. New rules are also expected to further rattle China’s tech sector.

Current Indian data protection framework

  • Data Protection Rules under the Information Technology Act: Currently, data protection in India is governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”), which are notified under the Information Technology Act, 2000 (“IT Act”).
    • The Data Protection Rules impose certain obligations and compliance requirements on organizations that collect, process, store, and transfer sensitive personal data or information of individuals, such as obtaining consent, publishing a privacy policy, responding to individual requests, and imposing restrictions on disclosure and transfer.
  • The Data Protection Rules further provides for the implementation of certain RSPPs by organizations dealing with sensitive personal data or information of individuals.
  • Personal Data Protection Bill, 2019
    • It was Introduced in Lok Sabha in Dec 2019 (not passed).
    • It seeks to provide for the protection of the personal data of individuals.
    • Establish a Data Protection Authority for the same.
    • The central government may exempt any of its agencies from the Act’s provisions in the interests of state security, public order, Indian sovereignty and integrity, and friendly relations with foreign states, and for preventing incitement to commit any cognizable offense (i.e. arrest without a warrant) relating to the foregoing matters.
    • Personal data processing is also exempt from Bill’s provisions for certain other purposes, such as Preventing, investigating, or prosecuting any crime, or for personal, domestic, or journalistic purposes Such processing, however, must be for a specific, clear, and lawful purpose, with certain security safeguards in place.

Mains model question

  • For the digital well-being of people in India, strong data protection and privacy laws are critical. Examine.