The Chinese digital sphere is insulated by the ‘Great Firewall’, which jealously guards the country’s online domain. But within it, control has been less exacting than it should have have been, leading to reports of rampant violation of online privacy and questionable data practices. Now, the country has cracked the whip on unscrupulous use of data with a new privacy law. Here’s what you need to know.
What Does China’s Data Privacy Law Say?
The final version of the regulations — called the Personal Information Protection Law (PIPL) — was passed by China’s National People’s Congress in August but has not been released yet. Set to reportedly come into effect on November 1, the law is similar to most private data protection regimes around the world, including the landmark General Data Protection Regulation (GDPR) of the European Union (EU).
Like the EU law, and the one that is in the works in India, PIPL not only covers Chinese entities but also any firm located outside the country that uses or stores data of Chinese citizens.
According to news agency Reuters, the law spells out the conditions for the collection of private data and lays “out guidelines for ensuring data protection when data is transferred outside the country". It also introduces provisions for obtaining users’ consent for data collection.
Much like the Indian Personal Data Protection (PDP) Bill — that is being examined by a joint committee of Parliament — the Chinese law mandates companies to “designate an individual in charge of personal information protection". The PDP Bill talks about a data protection officer who, among other things, will “act as the point of contact for the data principal (who is the owner of the data) for the purpose of raising grievances".
PIPL also lays down that companies may not deny services to people who refuse to share certain data, unless collecting such data is crucial to its business.
Why Has It Been Brought In?
China had in June this year passed what is known as its Data Security Law (DSL) which, experts say, “addresses data of all types with perhaps more emphasis on the handling of non-personal information". Taken together with PIPL, it represents the most concerted efforts by China so far to create a system for protecting personal data, even though the country is alleged to run massive electronic surveillance networks to track its citizens.
The state-run Xinhua news agency said that PIPL also requires prominent signs to be set up at public places where image acquisition and personal identification equipment is installed, “stipulating that the collected images and identification information can only be used for safeguarding public security".
Experts said that the law also paves the way for friction with the US. The EU’s GDPR has already seen strict actions and hefty fines on US-based tech giants. While the likes of Google and Facebook are not allowed to operate in China, the rules brought in by Beijing potentially creates grounds for any US company that uses data of Chinese citizens.
In fact, a report as part of the DigiChina Project, based at the Stanford University Cyber Policy Centre, said that “because China is such an important market, its data rules have major implications for international businesses that deal with China in a number of ways" and that “almost every major corporation in the world will need a China PIPL compliance strategy".
What Does The Law Mean For The Chinese Tech Giants?
China has of late been cracking the whip on its tech giants and a variety of state and consumer organisations have kept coming up with rules and advisories to regulate their operations. In January this year, the China Consumers Association came out with a statement slamming tech firms for “bullying" consumers into making purchases and promotions.
China’s State Administration for Market Regulation (SAMR) has scripted rules to foster fair competition while its Ministry of Industry and Information Technology has issued a warning to 43 apps after finding they were illegally transferring user data.
CNBC reported that Chinese stepped up actions against tech companies after forcing cancellation of Alibaba-owber Ant Group’s initial public offering in November last year. It added that SAMR has recently fined Alibaba $2.8 billion in an anti-monopoly investigation.
The law proposes fine of up to 50 million yuan (US$7.74 million), or up to five per cent of annual turnover of the company violating the PIPL. The fine is similar to the one laid down under GDPR, which is €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Reports said that the new regulations — and the fears of more to follow — have already dented investor confidence and Chinese tech stocks have hit new lows on the back of the passage of the PIPL. Exchanges in Hong Kong and the Chinese mainland have lost over half a trillion dollars in the wake of the new laws.