China’s 989 million internet users are not accustomed to digital privacy—but that may be starting to change. On November 1, the country’s first comprehensive data privacy law came into effect and boosted the protections given to hundreds of millions of consumers. The law will reshape how companies in China do business, but will also send huge ripples around the world.
The new rules come in the form of the Personal Information Protection Law (PIPL), which places greater restrictions on what companies and individuals handling people’s personal information can do with that data. The law is the latest salvo in China’s efforts to rein in the previously unchecked growth of its tech giants, including WeChat operator Tencent and ByteDance, the company behind TikTok and Douyin.
While the law may help stop unauthorized data trading and theft in China, it is also closely linked to the government’s national security interests and builds upon recent cybersecurity and data security laws. Overseas companies that don’t fall into line with PIPL or harm the national security of China may be placed on a blacklist, which could effectively ban them from processing Chinese personal data—opening the door to international tit-for-tat retaliation against businesses. On the day the law was introduced, Yahoo shut down the few remaining services it was operating in China, citing an “increasingly challenging business and legal environment.” LinkedIn pointed to the same concerns when it withdrew from China in October.
“When you look at PIPL, it is really focusing on protecting individuals, society, and national security—because of the unique Chinese political system,” says Alexa Lee, a senior manager of policy at the Information Technology Industry Council and an associate editor of Stanford University’s DigiChina project, which has been translating the PIPL into English.
China’s personal privacy law mirrors certain aspects of Europe’s all-encompassing General Data Protection Regulation (GDPR). For individuals, PIPL copies much of the same language as GDPR, Lee says. Both PILP and GDPR let people access information that’s held about them, ask for it to be corrected and deleted, and withdraw their consent for their information to be handled by a company. In some cases the laws are so similar the language is almost the same.
For companies, there’s the requirement to protect people’s personal information. Companies operating in China now must employ a data protection officer, a move that has sent demand for such roles through the roof. Also cribbed from GDPR is the potential for huge fines: If a company breaches PIPL it can be hit with fines up to 50 million yuan ($7.8 million) or 5 percent of its annual revenue—roughly equivalent to GDPR’s $23 million and 4 percent thresholds.
In charge of the PIPL is the Cyberspace Administration of China (CAC), the country’s internet regulator which controls, among other things, the list of approved news sources. Reporting to a state-backed regulator is a stark contrast to the independent European data regulators that exist in each of the bloc’s countries. While GDPR enforcement has been slow, the CAC may take a stricter line against companies flouting its laws. The CAC sent teams to review ride-hailing giant DiDi’s data handling as it went public in New York this summer.
The unavoidable flaw in China’s personal data law is that it doesn’t stop the state itself from being able to access its citizens’ personal information. People living in China will still be some of the most surveilled and censored on the planet. “The Chinese government is the greater threat to individual privacy, and I don't know that they will be affected by this,” says Omer Tene, a partner specializing in data, privacy, and cybersecurity at law firm Goodwin.
The PIPL does differ from other data regulations in how it mirrors the broader political aims of the country enforcing it. “If European data protection laws are grounded in fundamental rights and US privacy laws are grounded in consumer protection, Chinese privacy law is closely aligned with, and I would even say grounded in, national security,” says Tene.
In fact, PIPL expands on a requirement in China’s cybersecurity law that companies store personal data within China. Telecoms, transport, finance firms, and other entities deemed to be critical information infrastructure already had to do so. But that requirement now applies to any company that collects a certain, still undefined amount of people’s data. Following the departure of Yahoo and LinkedIn, Apple is now one of a small number of high-profile international tech companies with a presence in China. To keep its place in the hugely lucrative market, Apple has previously made serious concessions to the Chinese government. At this stage, it’s unclear how much of an impact the PIPL will have on Apple’s business in China.
Companies wanting to share data outside of China must also now go through a national security review, says James Gong, a China-based partner at law firm Bird & Bird. Separate guidance translated by DigiChina reveals that a broad range of companies will likely face national security reviews, including those sending “important data” abroad. Companies holding data on more than a million people and wanting to send information abroad will also face reviews. Any reasonable-sized company operating in and out of China could be swept up in this review process.
As part of the security reviews, companies must submit the contract between themselves and the foreign partner receiving the data and complete a self-assessment. This includes laying out why data is being transferred out of China, the types of information being sent, and the risks of doing so. All of this combined could create some uncertainty for companies doing business in China, Gong says. “They will need to consider reshuffling their current business, management, and IT structure and the associated costs.”
While the PIPL is likely to force Chinese domestic companies to improve how they handle data it will also have an impact on broader data rules around the world; there are key distinctions between it, GDPR, and US approaches to privacy—the retaliatory blacklist in particular. “They’re purely political provisions,” says Lee. “These provisions are unseen in any other global privacy proposals.”
The biggest impact of China’s new privacy law—and its protectionist, political spin—may be its influence on other countries that are still developing their own data protection policies, or rewriting them for a digital age. “We have concerns that other countries in Asia may follow the Chinese approach of having those data localization measures in their privacy law,” Lee says. “We are already seeing, for example, India and Vietnam’s privacy drafts have some measures like this.”