Flag with the Alibaba Group logo flying along with the national flag of China showing data protection rules aimed at tech giants

New Data Protection Rules From Chinese Government Targeted Squarely at Limiting Power of Tech Giants

While the CCP government reserves practically unlimited right to access the personal information of Chinese citizens, technology companies have been subject to fairly stringent data protection rules for some time now. Those rules are now being strengthened in a way that seems to be aimed specifically at tech giants that are in the business of running social media and e-commerce platforms.

The new Personal Information Protection Law (PIPL) creates the country’s first comprehensive set of data protection rules. The move follows the issuance of new antitrust rules also seemingly aimed specifically at tech giants. Among other limitations, the new data protection rules force Chinese companies to obtain government permission before transferring data outside of the country and grant individuals a right to access personal information held by data processors. It also establishes maximum fines that are among the largest in the world.

China’s new data protection rules could prompt major changes at tech firms

The new data protection rules mostly apply to tech giants based in China, such as Alibaba and Tencent. The regulatory moves come as part of a general crackdown on the country’s tech sector that dates back to late 2020, believed to be tied to antitrust and privacy concerns among the population and perception of defiant attitudes on the part of the heads of some companies (most notably Alibaba’s Jack Ma, who has kept a very low profile during this period as his company has been subject to an antitrust investigation). China is also seeking to keep pace with a global trend toward strong data protection rules, modeled primarily on Europe’s General Data Protection Regulation (GDPR).

A draft of PIPL was first published last year, put forward as a way to draw together and strengthen several existing data protection rules. In February the government finalized anti-monopoly rules that address certain specific practices common to the tech giants, such as forcing third-party merchants to sell only through one platform and applying the massive amount of personal data they vacuum up to manipulate markets. A dozen of the country’s largest tech giants issued very similar statements vowing to comply with the new antitrust rules very shortly after they were announced.

PIPL has several key elements that will now be law in the country. When tech giants collect user data, they will first need to collect user consent and will have to allow users to withdraw that consent. A refusal of consent is also not a valid reason for a refusal of service, and individuals can request their data at any time. There are also new and stringent rules for the transfer of citizen personal data outside of the country, which includes first obtaining the permission of the government.

Violations of the new data protection rules could cost Chinese companies a lot of money. PIPL establishes a maximum fine of up to 50 million yuan ($7.6 million) or 5% of the company’s annual turnover, an amount that is larger than the maximum allowed under the GDPR. The government can also order violators to halt some of their operations.

Growth of Chinese tech giants may slow

Some analysts believe that the new data protection rules will slow down the formerly explosive growth of the country’s tech giants and internet platforms, something that may pose a short-term economic cost but plays into China’s long-term geopolitical plans. The country seeks to become a technology superpower on par with the United States, establishing models and legal frameworks that it hopes will be adopted around the world.

In March, the government narrowed the scope of “necessary” personal information that mobile apps are allowed to collect. The data processing law had previously been broad enough that app publishers could collect a “bundled consent” that provided access to virtually anything they wanted. What is considered “necessary” is now tied to the function of the app; for example, a food delivery app has permission to collect a contact phone number and a delivery address while a video platform or news app would not.

Though China’s tech giants have experienced incredible domestic growth in the last few years, all but Bytedance’s TikTok have struggled to inspire trust and see significant gains outside of Southeast Asia. Some experts posit that the Chinese tech market is already saturated and that these rates of growth cannot be sustained without global expansion, something that the new data protection rules may be intended to help facilitate. Even with strong new privacy laws in place, Chinese apps will likely always be tough to sell in the United States and the nations that are closely allied to it. But the Chinese tech giants have their eyes on other regions that market data indicates have ample room for tech growth, such as Latin America and Africa.