Broadly worded law taking force from Wednesday seeks to tighten leash on China's tech giants and what they do with information from their hundreds of millions of users.
China's new data security law has come into force in what is seen as the latest effort by Beijing to tighten oversight of the country's mammoth tech sector.
The broadly worded law taking effect from Wednesday seeks to tighten the leash on China's tech giants and what they do with information from their hundreds of millions of users.
It also comes as fears grow over data security with government departments becoming increasingly dependent on cloud storage services.
Beijing has also flagged national security concerns as justification for the law. As Chinese tech firms look to branch out overseas, authorities fear domestic data will end up in foreign hands.
What it does
The law lays down the responsibilities of all companies and organisations handling data.
It stipulates fines of up to 10 million yuan ($1.55 million) for a range of offences including leaks and failing to verify the identity of buyers or sellers of information.
Its scope is broad, and includes data stored and handled within China's borders as well as data abroad that could harm China's national security or the rights of its citizens.
Crucially, organisations and individuals are forbidden to hand over information to overseas law enforcement authorities without Beijing's permission.
This signals "there will be much tighter control over cross-border data transfer", Angela Zhang, associate professor of law at the University of Hong Kong, told AFP news agency.
The law also affords Beijing the right to retaliate against any foreign government using "discriminatory" measures against China in the data and tech sectors.
Detailed rules for the implementation of the law have not been published.
The legislation also identifies a new "core" category of data "related to national security, the lifeline of the national economy, major aspects of the people's livelihood, and major public interests", which will be subject to stricter scrutiny.
There are mounting fears in Beijing over the potential security risks of Chinese data ending up in foreign hands.
The new law comes months after Beijing cited national security concerns for a probe into US-listed tech giant Didi Chuxing.
Companies including larger Chinese tech firms will be "expected to shoulder more responsibilities in fulfilling data security protection obligations, and to carry out regular risk assessments of their data processing activities", Zhang said.
The law takes effect as pressure mounts on Chinese tech companies to fall in line after years of breakneck growth.
China has previously attempted to stop major corporations from listing abroad, citing data security concerns.
On Friday, The Wall Street Journal reported that China's stock market regulator plans to block tech firms handling large amounts of sensitive user data from launching IPOs overseas.
The government launched cybersecurity probes earlier this year into a number of US-listed tech firms including Didi and truck-hailing platform Full Truck Alliance.
The data security law could "create further regulatory hurdles for data-rich Chinese tech companies seeking to list overseas", Zhang told AFP.
The data security law is part of a set of legislation that will shape China's digital economy for decades.
These laws are being rolled out as "the tech sector becomes a key arena amidst US-China rivalry, and may help extend China's influence in shaping tech policies across the globe," Kenn Yee, a policy analyst at consultancy Access Partnership, told AFP.
The country recently also passed a personal information protection law, set to become effective in November, aimed at curbing the collection of user data by companies.
And a controversial cybersecurity law in place since 2017 codifies restrictions on what internet users can publish online –– including anything that damages "national honour", "disturbs economic or social order" or is aimed at "overthrowing the socialist system".