China releases draft of major new privacy law: why it matters to everyone online

Posted on Jan 28, 2021 by Glyn Moody

China has frequently figured in this blog, usually in the context of its censorship, surveillance activities, and wide-ranging abuse of human rights. But there’s another side to the story. Like other people around the world, China’s billion or so Internet users want their privacy protected when they go online. Trying to satisfy that need while preserving state control is a tough problem that the Chinese authorities have been grappling with recently. Back in May 2018, the Personal Information Security Specification took effect. It offered “granular guidelines for consent and how personal data (called “personal information”) should be collected, used, and shared”, as the introduction to a translation of the new digital rules by New America puts it. Now the Chinese government has followed that up with a draft version of the Personal Information Protection Law (PIPL), a far more comprehensive and rigorous approach to protecting the digital privacy of Chinese citizens. A blog post on New America explains:

China’s draft PIPL represents a third way between the sectoral U.S. approach, which applies different rules for specific industries or classes of consumers, and the European Union’s comprehensive General Data Protection Regulation (GDPR) framework, which enshrines fundamental rights across contexts. With the draft law, China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers.

The New America post points out that the PIPL draws quite heavily on the GDPR, which provides further proof of the influence of the latter legislation, something noted many times before on this blog. In the draft, the definitions of personal information, sensitive information, individual rights, and legal bases for processing all have similarities to the EU framing. However, China’s requirements for national security mean that there are important differences when it comes to data flows.

Under the GDPR, these are allowed provided privacy is safeguarded. Under the PIPL, the limitations are far greater. China’s existing “Cybersecurity law” requires data held by so-called “critical information infrastructure” operators – essentially the most important digital companies – to be stored in China. The PIPL would require personal data referring to Chinese citizens to be stored within the country, even for some smaller companies. A rigorous assessment by China’s cybersecurity department is needed before any personal data can be sent abroad. In addition, the PIPL would grant the authorities the power to establish a blacklist of overseas companies that are banned from processing Chinese personal data if it is determined they violate China’s national security interests.

Moreover, the PIPL would allow the government to retaliate against entire countries that are deemed to have taken discriminatory regulatory measures against Chinese companies in the field of data protection. This is clearly intended to counter the growing calls in the West to shut out Chinese companies from processing citizens’ personal data. However, these restrictive measures and threats of retaliation pose a problem for the Chinese authorities:

Despite its status as one of the top data importers and exporters and its ambition expressed in Article 12 of the draft PIPL to gain mutual recognition of data protection rules with other countries, China is likely to face heightening challenges advancing its model of data governance on the global stage.

Even without bans or punishment by the Chinese authorities for the actions of other governments, the proposed PIPL is likely to become a real headache for Western companies that do business with China. As with the GDPR, it doesn’t matter where a company is based: the PIPL applies as soon as Chinese personal data is involved:

Given that the reach of the PIPL extends beyond China’s borders, many organizations based outside mainland Chinese territory but handling Chinese citizens’ data will still be affected. Ultimately, this means that almost every major corporation in the world will need a China PIPL compliance strategy. Companies would need to conduct data mapping, review privacy practices and consent requirements, assign a data protection officer (DPO) within China (Article 52), and create procedures around data breach reporting (Article 55).

It is this extraterritoriality that makes the proposed PIPL so important for companies around the world. The issues raised by the GDPR’s global reach are now commonplace. Companies dealing with the personal data of EU citizens must routinely consider whether they are compliant with the GDPR. Similarly, the GDPR court cases brought by Max Schrems have led to uncertainty over whether transatlantic data flows in their current form can continue. If the PIPL is passed in anything like its current form, we can expect a similar ripple effect to spread out across the Internet, affecting companies directly and general Internet users indirectly. As China begins to assert its right to impose its laws outside its borders, the world of online privacy will become even more complex.

On the plus side, China’s proposed law underlines the fact that privacy in the online world is not some minor, optional feature, but an indispensable core element. In this context, it will be interesting to see what approach the new Biden administration takes to online privacy – and how it reacts to China’s push for a global reach of its data protection laws.

Featured image by Severin.stalder.