Shenzhen, the Silicon Valley of Hardware, Sets a Global Standard with China’s Toughest Local Privacy Law
For many Westerners, China is a country associated with widespread surveillance, stringent censorship, and human rights abuses in regions such as Hong Kong and Xinjiang. Despite that, the Chinese government is well aware that the country’s billion Internet users care deeply about personal privacy, and has been steadily introducing surprisingly strong data protection laws to satisfy those demands. For example, alongside China’s Personal Information Protection Law, discussed on this blog back in May, there is another important piece of Chinese legislation touching on data protection, the Data Security Law. As its name suggests, this is largely about top-level national security, designed to protect Chinese data, including personal data, globally. China Law Insight explains the legislation’s extended reach:
the Data Security Law makes “harming national security, public interests or the lawful rights and interests of citizens or organisations” a trigger for regulating extraterritorial data processing activities. This actual impact or consequence-oriented approach further clarifies the country’s determination to safeguard data security. From the perspective of corporate compliance, overseas entities processing data relating to any Chinese citizens or whose data processing activities may actually have an impact on China are also required to fulfil the data security obligations under the Chinese laws. This provides the standing point to assert jurisdiction over multinational corporations’ services to China whose data processing activities are outside China.
Likely to be of more interest to readers of Privacy News Online is China’s first local data protection law. Perhaps unsurprisingly, it comes from the Special Economic Zone of Shenzhen, often called the “Silicon Valley of hardware”. Leading digital companies such as Tencent, Huawei, and the drone company DJI all have their headquarters there. At the other end of the business scale, Shenzhen is also famous for its vast electronics market in Huaqiangbei, generally regarded as the world’s largest. An excellent 2016 video from Wired captures well the extraordinary energy and entrepreneurial activity of Shenzhen in the digital sphere. Given the growing importance of personal data for digital products developed in Shenzhen, it was natural for the city to be authorized to draw up China’s first local privacy law, and this was passed in June 2021; it is due to come into force at the beginning of 2022. An article in the South China Morning Post summarizes the law’s main thrust:
The regulation also makes it clear that an individual has the right to say no to data collection requests and has the right to know, copy, correct and delete his or her personal information online, in a clear sign that the authorities have a preference for consumer protection over corporate profitability.
In particular, it explicitly bans apps from profiling users under the age of 18 and serving them with personalised recommendations, a rule that could challenge the business model of apps that use this type of algorithm, including ByteDance’s Douyin, the Chinese version of TikTok.
The People’s Daily Online adds that, more generally, users will have the right to refuse personalized recommendations based on their profiles. Companies will need to provide them with a straightforward way of doing this. These are highly significant moves in the context of the discussions underway in the West about the place, if any, of micro-targeted ads based on gathering large quantities of personal data. If Shenzhen’s approach is adopted across China, it would doubtless add momentum to the growing movement to regulate or even ban such personalized advertising.
The new law also allows fines of up to 50 million yuan (about $7.74 million) to be imposed on companies that engage in algorithmic price discrimination. According to the South China Morning Post, this has become commonplace on China’s travel booking platforms. Algorithmic abuse of this kind is not such a hot topic in the West, but it could become one as more companies exploit their huge stores of personal data to offer different prices to different users based on how much they might be willing to pay. Finally, there’s another aspect of Shenzhen’s new law, highlighted here by the Technode site:
The regulation also addresses data collected by the state, requiring the government to make its data available to the public for free by default. The regulation defines a category of “public data,” and states that this data will be “shared by default, with non-sharing as an exception,” describing a system in which data from different government platforms is compiled in a single public database. The regulation also prohibits the government from charging fees to access data.
The passing of Shenzhen’s new privacy law is obviously welcome in terms of bringing in strong protection for personal data in that region, but it could complicate the overall privacy landscape in China. Given Shenzhen’s leading position in the digital sector, it is likely to influence other local privacy laws when they are drawn up: cities such as Shanghai, and the provinces of Guizhou and Anhui, are among those expected to release their own legislation in due course. It will be interesting to see whether the final form of China’s national Personal Information Protection Law also draws on Shenzhen’s ideas. One risk is that the national law may contradict Shenzhen’s in important ways, which would leave Shenzhen and its companies in an awkward position.
Featured image by Charlie fong.