China’s new data protection law maintains full state access to private information, but places restrictions on tech companies comparable to EU GDPR
A data protection bill that defines terms similar to the European General Data Protection Regulation (GDPR) is now due to go into effect in China on November 1. The privacy law does next to nothing to restrict unhindered state access to data stored in the country, but severely limits the means by which tech companies can manage and share it.
China’s New Data Protection Law Creates Data Processing Classifications, Imposes Regular Audits
The new data protection law has been in draft form since the start of this year, but is now expected to be implemented in just over two months. It is part of a set of regulations aimed primarily at the country’s domestic tech companies, born out of a mixture of antitrust concerns and efforts to limit their power.
Among other things, the new data protection law establishes minimization principles, calling for the “minimum scope necessary to achieve the processing objectives” in a given situation. Tech companies must also demonstrate a clear and reasonable purpose in collecting personal information. And the end user has “opt-out” rights when data is collected for marketing purposes, including the ability to be excluded from targeted advertising systems or those that collect personal information. The algorithms used for “personalized decision making” will also require the consent of the end user.
The new data protection law also sets standards for collecting end-user consent when personal data is collected, and establishes new guidelines for companies that need to transfer data across national borders. Existing legislation requires personal data of Chinese citizens to be stored on servers inside the country, and any movement of such data across national borders is subject to a government review process.
Tech companies that process personal data will also need to appoint someone responsible for protecting personal information, much like the Data Protection Officer (DPO) position required by EU GDPR. These individuals will also be required to oversee periodic audits to ensure that companies are in compliance with data protection law.
The new law also defines sensitive personal information subject to special processing requirements, categories roughly equivalent to those that enjoy additional protection under the GDPR: biometric identification data, medical records, health information, financial accounts and location data are some of the main examples.
Fines for violating the new data protection law can be up to 50 million yuan (approximately $7.7 million) or 5% of a company’s annual turnover; business licenses and operating authorizations can also be temporarily or permanently revoked.
Increased responsibilities for technology companies
While China’s regulatory package primarily targets domestic tech companies, the data protection law will also apply to foreign companies operating in the country. This will add substantial compliance considerations for organizations, likely requiring the localization of all data on Chinese citizens. Those looking to move data overseas will be forced to further engage with (and face the scrutiny of) Chinese government agencies.
The new data protection law pulls together some disparate terms from existing law and adds new ones to create the first central and comprehensive regulation the country has ever seen. Technology companies used to have a lot of leeway to treat personal data as they saw fit, a situation that was not uncommonly abused. In early 2021, the government-backed China Consumers Association accused a number of large domestic tech companies (such as Tencent and ByteDance) of “bullying” consumers in a variety of ways, ranging from manipulating reviews and search results to running intentionally confusing sales promotions that offer deceptive prices.
Previous data protection bills have been posted online, but the full and final terms are still not entirely clear. Chances are, this won’t restrict government access to information (personal or otherwise) that businesses collect in the country. However, it exceeds the level of regulation of data processing for private companies in a number of other developed countries.
Ilia Kolochenko, Founder / CEO and Chief Architect of ImmuniWeb, sees it as a relatively important victory for Chinese consumers: India or Hong Kong who now consider major improvements to their privacy laws to be compliant to the GDPR model. PIPL is a long overdue legislation in China that I believe will bring many benefits to both Chinese businesses and consumers… than the GDPR. We will, of course, have to look at PIPL enforcement measures and emerging case law to compare China’s data protection regime with other countries.
The adoption of this new data protection law also highlights the issue of enforcement which arises in other areas, notably in Ireland. While these laws may look good on paper, they’re ultimately toothless if regulators choose to defer to tech companies when it’s time to hand down a verdict. So far, the Chinese government has spent 2021 demonstrating determination to support its new laws, hitting retail giant Alibaba with a massive $2.8 billion fine in April for anti-competitive practices and preventing the main ride-sharing app Didi from accepting new customers for an indefinite time over national security issues related to its overseas IPO.
Cillian Kieran, founder and CEO of Ethyca, points out that this could put additional pressure on the United States to finally come up with a data privacy bill at the federal level: the privacy law could and should be. In addition to another great power implementing data protection law, the unique requirements of Chinese law are further proof that data management and governance must become proactive priorities for teams around the world. The passive assumptions that “we’re doing the right thing” will simply not be enough when the demands continue to grow in global jurisdictions. At stake are not just heavy regulatory fines, but the opportunity to participate in one of the largest economies on the planet.