China tech policy: Shenzhen’s new data law another signal of intent to rein in Big Tech
- The Shenzhen Regulation will be the first local data law in China and it has been under discussion for a year
- The draft makes it clear that a person has the right to say no to data collection requests and has the right to know, copy, correct and delete data held online
Shenzhen is moving forward with a new draft law aimed at protecting personal data, in another signal of China’s ambition to rein in Big Tech and build a robust data management regime that balances privacy protection with appropriate business use.
Under discussion for a year as authorities grapple with key issues such as data ownership and rights, the Shenzhen Special Economic Zone Data Regulation will be the first local data law in China. The latest draft, published by the Shenzhen legislature this week for public feedback until June 15, imposes new restrictions on how Big Tech can gather and utilise user data with enhanced punishment for violations.
The draft proposes a hefty penalty of up to 50 million yuan (US$7.7 million) for companies that engage in algorithmic price discrimination, where a platform offers different prices to different users based on how much it thinks they are willing to pay. This has become a common practice among China’s travel booking platforms, which has angered both consumers and the authorities.
“The hefty fine is similar to those under the national Personal Information Protection Law (PIPL), but it is the first time that the local legislature has attempted to impose similar fines under local laws,” said James Gong, who is of counsel to law firm Herbert Smith Freehills.
The regulation also makes it clear that an individual has the right to say no to data collection requests and has the right to know, copy, correct and delete his or her personal information online, in a clear sign that the authorities have a preference for consumer protection over corporate profitability.
In particular, it explicitly bans apps from profiling users under the age of 18 and serving them with personalised recommendations, a rule that could challenge the business model of apps that use this type of algorithm, including ByteDance’s Douyin, the Chinese version of TikTok.
“This is one of the biggest innovations of the latest draft,” said Yuan Lizhi, partner at Jingtian & Gongcheng law firm. But Yuan added that implementation of the new regulations remains unclear.
For instance, many apps do not differentiate between users based on age, and identifying a user’s age could lead to major changes in the logic of products, which would increase costs. Collecting age information from users also poses extra risks for data security, said Yuan.
Shenzhen’s data rules come as China continues to grapple with data protection amid an increasingly digitalised economy. Beijing last year officially recognised data as a new factor of production along with land, labour, capital and technology.
The bold new rules also represent a willingness by Chinese authorities to use legal tools to clip the wings of Big Tech.
“It requires companies to place even more attention on the importance of data compliance,” said Shenkuo Wu, law professor and executive director at the International Center of Cyber Law at Beijing Normal University.
“Companies operating in Shenzhen will be subject to the Shenzhen Regulation, which has extensive implications given the large number of internet and high-tech companies [there],” said Gong.
Two major national laws, PIPL and the Data Security Law, are both expected to be rolled out this year, setting the framework for China’s nationwide data governance regime. Meanwhile, the municipal authorities in Shenzhen, Shanghai and Beijing are all making their own local data regulations.
“With national laws set to be rolled out soon, local data laws may be placed in an awkward position,” Yuan said. “There are risks in being too innovative, but on the other hand, playing it safe would be meaningless.”
An earlier version of Shenzhen’s draft regulation drew controversy last year when it was first released to the public. It was even more aggressive in defining the state as the owner of public data, triggering criticism from the industry that Shenzhen had overstepped its authority as a local regulation. The new draft does not contain this controversial language.
Shenzhen’s new rules also take a stab at setting out a framework for a data trading market. In a first, the regulation stipulates that a person has “personality rights” over their personal data, while data processors have “proprietary rights” to data products and services formed by legally processing that data.
“National level data laws are focused on establishing legal frameworks, but haven’t touched heavily upon the circulation, development and use of data,” Yuan said. “Local governments can help accumulate legal experiences in that regard.”