China Proposes Stricter Data Rules, Echoing India's DPDP Act

China has unveiled a comprehensive set of draft regulations designed to significantly tighten control over how personal information is collected and handled online. This initiative, reported by Bloomberg News, aims to impose stricter rules on organizations that gather, store, and use personal data from internet users.

Key Provisions of China's Draft Data Rules

The Cyberspace Administration of China released the draft framework on Saturday, 2 November 2024. The proposal will be open for public consultation until 9 February 2026. The regulations introduce several critical mandates for app operators and platforms.

One of the central requirements is that applications must clearly inform users about data collection rules and obtain their explicit, informed consent. Data usage must be limited strictly to essential purposes. Furthermore, app operators will be held directly accountable for security, compliance, and overseeing any third-party software development kits they use.

The draft calls for enhanced protection for sensitive groups and data types. It proposes granular permission settings, bans on excessive data collection, and strict safeguards for minors and biometric information. A notable rule limits app access to device hardware; for instance, camera and microphone permissions can be active only while a user is directly using a related function, such as taking a photo or recording audio, and access must cease immediately afterward.

Drivers Behind the Regulatory Push

This regulatory push is a response to growing public privacy concerns and alleged misuse of online data within China. The government seeks to reform how organizations handle personal information. This move follows recent enforcement actions, including a case in September 2024 where Beijing imposed penalties on LVMH's Dior brand in Shanghai for data privacy violations.

An investigation revealed that Dior's Shanghai unit failed to encrypt collected personal data. The luxury brand was also cited for sharing this information with its headquarters in France without obtaining proper user consent.

Parallels with India's Data Protection Framework

China's proposal arrives just months after India implemented its own landmark data privacy regime. India's Digital Personal Data Protection (DPDP) Act, 2023, formally came into effect in November 2025, establishing a citizen-centric legal framework.

Under India's DPDP rules, companies have been given a transition period of 12 to 18 months from the implementation date to achieve full compliance. Key requirements include:

  • Appointing data protection officers and consent managers.
  • Implementing systems for obtaining express user permission.
  • Reporting data breaches within a strict 72-hour window.
  • Mandatorily securing parental consent for users under 18 years of age.
  • Restricting the use of certain data for targeted advertising, a change long advocated by the industry.

Both nations are now actively constructing robust digital governance systems. While China's draft focuses on detailed operational controls for apps and platforms, India's DPDP Act emphasizes individual rights and establishes clear obligations for data fiduciaries. These parallel developments highlight a global shift towards greater accountability in the digital ecosystem, aiming to balance technological innovation with the fundamental right to privacy.