A data protection law that sets terms similar to Europe’s General Data Protection Regulation (GDPR), until recently circulating only in draft form, is now set to go into effect in China on November 1. The Personal Information Protection Law (PIPL) does almost nothing to curb the state’s unfettered access to data stored within the country, but it does sharply limit the ways in which tech firms can collect, handle and share that data.
New Chinese data protection law creates data handling classifications, mandates regular audits
The new data protection law has been in draft form since early this year, but is now set to be implemented in just over two months. It comes as part of a package of regulation aimed primarily at the country’s domestic tech firms, born from a mix of antitrust concerns and efforts to limit their power.
Among other items, the new data protection law establishes a principle of data minimization, calling for collection to be limited to the “minimum scope necessary to achieve the goals of handling” in any given situation. Tech firms must also demonstrate a clear and reasonable purpose for collecting personal information. The end user has “opt out” rights when data is collected for marketing purposes, including the ability to be excluded from targeted advertising systems and from the data collection that feeds them. Algorithms used for “personalized decision making” will similarly require consent from the end user.
The new data protection law also establishes standards for obtaining consent from end users when personal data is collected, and sets new guidelines for companies that need to transfer data outside national borders. Existing legislation already requires certain operators, most notably those running critical information infrastructure, to store the personal data of Chinese citizens on servers inside the country, and any movement of that data outside national borders is subject to a government review process.
Tech firms that handle personal data will also need to appoint someone to be responsible for personal information protection, somewhat akin to the data protection officer (DPO) position required by the EU’s GDPR. These individuals will also be required to oversee periodic audits to ensure that companies are in compliance with the data protection law.
The new law also defines sensitive personal information that is subject to special handling requirements. The categories are roughly equivalent to those given extra protection under the GDPR; major examples include biometric identification data, medical records, health information, financial account details and location data.
Fines for violating the new data protection law can run up to 50 million yuan (about $7.7 million) or 5% of a company’s annual revenue; business licenses and permission to operate can also be temporarily or permanently revoked.
Increased responsibilities for tech firms
While China’s regulation package is primarily aimed at domestic tech firms, the data protection law will apply equally to foreign companies that operate in the country. This will add substantial compliance considerations for those organizations, likely requiring the localization of all data on Chinese citizens. Those looking to transfer data overseas will have to engage more closely with Chinese government agencies, and submit to their scrutiny, before any transfer can take place.
The new data protection law draws together some disparate terms from existing law and adds new ones to create the first central and comprehensive privacy regulation the country has seen. Tech firms previously had wide latitude to handle personal data however they saw fit, a latitude that was frequently abused. Early in 2021, the government-backed China Consumers Association accused a number of the major domestic tech firms (such as Tencent and ByteDance) of “bullying” consumers in a variety of ways, from manipulating negative reviews and search results to running intentionally confusing sales promotions that offered misleading prices.
Previous drafts of the data protection law have been published online, but the full and final terms are not entirely clear yet. It is a safe bet that it will not restrict government access to whatever information (personal or otherwise) companies are collecting in the country. However, it does surpass the level of data handling regulation for private companies in a number of other developed countries.
Ilia Kolochenko, Founder/CEO and Chief Architect at ImmuniWeb, sees it as a relatively big win for Chinese consumers: “Asia is a central place of rapidly evolving privacy and data protection legislation, spanning from leading data protection regimes like in Singapore to countries like India or Hong Kong that now consider major improvements of their privacy legislation to be consonant with the GDPR model. PIPL is long-awaited legislation in China that, in my opinion, will bring a lot of benefits both for Chinese companies and consumers … Violations of PIPL may trigger harsh monetary penalties going up to 5% of the past year annual turnover, being even bigger than the GDPR ones. We will, of course, need to observe PIPL enforcement actions and nascent jurisprudence to compare China’s data protection regime with other countries.”
The passage of this new data protection law also highlights the enforcement problem that has emerged in some other jurisdictions, most notably Ireland, where the data protection authority has been criticized for slow GDPR enforcement against the large tech firms headquartered there. While these laws may look good on paper, they are ultimately toothless if regulators opt to defer to tech firms when it is time to render a verdict. The Chinese government has spent 2021 thus far demonstrating that it is serious about backing up its new laws, hitting retail giant Alibaba with a massive $2.8 billion fine in April for anticompetitive practices and blocking leading rideshare app Didi from taking on new customers for an indeterminate period of time over national security concerns related to its foreign IPO.
Cillian Kieran, Founder & CEO of Ethyca, points out that this may put additional pressure on the United States to finally come up with a federal-level data privacy bill: “China’s success in passing PIPL casts an unflattering light on the gap where federal US privacy law could—and should—be. In addition to another major power implementing data protection law, the unique requirements of China’s law are further evidence that data management and governance must become proactive priorities for teams worldwide. Passive assumptions that ‘we’re doing the right thing’ simply won’t be sufficient when requirements continue to grow across global jurisdictions. At stake are not only large regulatory fines, but the opportunity to participate in one of the planet’s largest economies.”