China’s privacy law borrows a page from Europe’s GDPR but it goes further as Beijing shores up data security
- China’s new personal data law is one of the strictest in the world, drawing inspiration from Europe’s GDPR but going further
- Beijing has moved to tighten controls on how Big Tech uses data and curtail how private data is moved overseas
While China’s newly enacted Personal Information Protection Law (PIPL) contains many of the elements of the EU’s General Data Protection Regulation (GDPR) in terms of protecting private data from prying eyes, it goes a step further by guarding it within borders, legal experts say.
Much like the GDPR, which came into effect in 2018 and imposed red lines on how companies handle personal data within Europe, China’s PIPL is also set to have a far-reaching impact on how businesses collect and use data in China after it becomes effective November 1 – and it will also restrict cross-border data transfers.
Michael Tan, a partner at Taylor Wessing law firm in Shanghai, says PIPL will be a powerful tool when it comes to curtailing abusive data practices by Big Tech. “Many successful business cases [in China] have actually been structured on serious breaches of privacy and the data rights of others, previously unnoticed when dressed up by fancy terms like data mining, artificial intelligence, or innovation,” said Tan.
A key stipulation of the Chinese law, like GDPR, will be to empower individuals to decide whether or not to hand over their personal information to data processors. Both laws stipulate that personal information data has to be collected and processed according to a transparent and rigid protocol.
“The PIPL integrates the general principles of the GDPR and China’s distinctive national conditions as a developing country,” said Catherine Zheng, a partner at Deacons law firm.
Seha Yatim, senior policy manager at political consultancy Access Partnership, said the European regulation was heavily shaped by privacy hawks “who rode on the [Edward] Snowden debacle to push their agenda,” referring to the former US National Security Agency contractor who shook the world by unveiling the extent of US government surveillance in 2013.
Meanwhile, China’s push for data privacy aligns with its “interest to dominate emerging technologies that rely heavily on data usage,” said Yatim.
However, China’s law is stricter than the European regulation when it comes to cross-border data transfers. PIPL stipulates that data processors of critical information infrastructure and large amounts of personal information must store this data within China. Subsequently, any proposal to move this data overseas must first undergo a security review by China’s data authorities.
“Using ride-hailing giant Didi Chuxing as an example, we can see that the Chinese government has focused heavily on national security aspects [after launching a cybersecurity review], and they will intervene in any potential transfers of personal data which are inconsistent with the law,” said Deacons’ Zheng.
China has gradually been building up a data management regime since it passed the Cybersecurity Law in 2017 and, in addition to PIPL, is set to roll out its Data Security Law next week. The national effort is aimed at creating a consistent legal framework to help Beijing fuel its digital economy while at the same time safeguarding its national security.
Governments around the world have been grappling with how to rein in Big Tech as data becomes an increasingly important economic resource. The EU has pursued its own vision of digital sovereignty by trying to create a single market for data within the bloc. In a recent headline-grabbing case, Luxembourg’s data watchdog last month imposed a record-breaking US$887 million fine on US e-commerce giant Amazon.com for alleged violations of GDPR.
Amazon said the regulatory decision was baseless and it intended to defend itself “vigorously in this matter”.
Xiaomeng Lu, director of geo-technology at risk consultancy Eurasia Group, said that China’s cyberspace sovereignty has a strong element of national security whereas “the EU’s digital sovereignty has a stronger bend towards the promotion of technologies that reflect European values and principles”.
Meanwhile, China’s PIPL has a longer extraterritorial reach – according to the law, any overseas entity that processes the private data of Chinese citizens is subject to it if the data is being harvested to sell a product or service to a Chinese person, to analyse and assess the behaviour of a Chinese person, as well as for “other purposes”.
PIPL also includes clauses that allow China to adopt countermeasures against countries that it deems have acted in a discriminatory way against China with respect to personal information protection, or to have harmed the rights and interests of Chinese data subjects and China’s national security and public interest.
“The extraterritorial application of the law is meant to address the type of app bans used by the US last year to target TikTok and WeChat,” said Eurasia Group’s Lu. “It can activate this clause in case Washington takes similarly drastic action against Chinese entities in future.”