
China Approves GDPR-Style Privacy Law

Last week, China passed the Personal Information Protection Law (PIPL), a broad personal privacy protection law aimed at companies. However, the law does not restrict the collection and use of personal data by the Chinese government itself. The law is set to go into effect on 1 November 2021.

From The Wall Street Journal article on the law:

The national privacy law, China’s first, closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation, and contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent.

However, unlike in Europe, where governments face more public pressure over data collection, Beijing is expected to maintain broad access to data.

Though the new privacy rules could allow China’s central government to control how lower-level agencies use and share data, nothing suggests “anything resembling legal limits on government surveillance,” said Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center.

Similar to the European GDPR and other privacy laws, PIPL requires any company collecting data on people in China to get consent and to make it easy for people to withdraw that consent at any time. In addition, the company cannot refuse to provide services to users who withhold consent, unless the data is essential to providing the service. Also similar to the GDPR, here is a list, compiled by the Data Protection Report, of the obligations PIPL places on a company that processes personal data:

  • Formulate internal management systems and operation procedures.
  • Implement classified management of personal information.
  • Adopt corresponding technical security measures such as encryption and de-identification.
  • Reasonably determine the operational authorizations for personal information and provide regular security education and training for operational staff.
  • Formulate and implement response plans for security incidents relating to personal information.
  • Conduct regular compliance audits.
  • Adopt other security measures as stipulated by laws and regulations.

The law also restricts the use of newer technologies, including facial recognition. Cameras installed in public places must be clearly identified as such and may only be used to maintain public security.

An analysis from the law firm Bracewell discusses some of the differences between PIPL and GDPR. Chief among them are the restrictions on transferring data outside of China:

“PIPL also requires all cross-border data transfers of personal information to meet a ‘necessity test,’ and individuals must receive notice and give specific consent prior to the transfer. And, even if the transfer passes the necessity test and is consented to, the transfer must meet one of the following conditions:

  • Receive approval from government authorities following a security assessment.
  • Obtain certification from government authorities.
  • Conclude a contract with the foreign entity receiving the data that comports with a standard contract drafted by government authorities.
  • Comply with ‘other conditions’ in law or regulations (a catch-all provision).”

A Gizmodo article describes the harsh penalties the law sets out. “Depending on the infraction, companies can be fined up to 50 million Yuan (roughly $7.7 million USD), or have their entire ‘illegal income’ that was earned off unconsenting customers seized by Chinese authorities. If they’re caught selling or freely disclosing those people’s personal information, they could wind up with a 7-year prison sentence.”

PIPL is the latest in a string of new Chinese regulations targeting technology companies. Beginning 1 September, the Data Security Law goes into effect, which Reuters reported will require “companies that process ‘critical data’ to conduct risk assessments and submit reports to authorities. It also calls on organizations that process data affecting China's national security to submit to annual reviews.”

Other actions have included levying a $2.8 billion fine on online commerce giant Alibaba and probing ride-hailing company Didi’s data practices after it made an initial public offering in the United States.