The cornerstone of Chinese national and international policy is a fundamental principle: China First. So, while its new data privacy law, the Personal Information Protection Law (PIPL), will provide solid protection for its people’s personal information nationally, internationally the law can be used as a weapon.
PIPL is the third of China’s new cybersecurity laws. The first was the Cybersecurity Law, which has been in effect since June 2017. This is designed to regulate the network and platform providers, and how they handle personal data.
The second is the Data Security Law (DSL), which came into effect on September 1, 2021. This looks at the protection of data more from the government’s perspective. It includes, for example, stricter regulation of ‘national core data’. And it has an extraterritorial reach for data processing outside of China that might affect ‘the national security, public interests, or lawful rights and interests of citizens and organizations in China’.
The third is PIPL, which will come into effect on November 1, 2021 and is a personal information privacy law. “It's a major piece of legislation and regulation which should be seen as part of the series of regulatory moves by the government of China to rebalance the power that exists between big tech specifically, and the Chinese government,” Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals (IAPP), told SecurityWeek.
“As you know, China has been very active over the past few years in regulating Chinese tech companies, in cutting off IPOs (such as Ant Financial this time last year), and in slapping on enforcement actions (such as that against DiDi Global, the ride hailing company earlier this year).” The three laws provide perhaps the strictest cybersecurity regulation found anywhere in the world – but always and ultimately for the benefit of the China First policy.
PIPL for personal data protection
PIPL has been described as China’s GDPR. This is part of a global trend to provide greater security for personal data protection, usually based at least in part on GDPR. But in some ways PIPL is stricter than GDPR. The maximum penalty for violation, for example, is 5% of revenue where GDPR’s maximum penalty is 4%. Nevertheless, the similarities mean that any foreign companies that have invested in GDPR compliance should have little difficulty in conforming with PIPL.
Many of the requirements are not new to personal data protection. They include ‘consent’ from the data subject, controls over processing, necessity for collection caused by statutory obligations or in response to national emergencies, or for the public good.
It would be wrong to assume that just because this is China, the result will be draconian. In some ways PIPL is less severe than western examples. For example, there is no imposed ‘adequacy’ framework such as that required by the GDPR. Adequacy frameworks can lead to problems – such as the Schrems II ruling currently threatening data flows between the EU and the U.S. China seems to be demonstrating an understanding of the importance of international trade.
That doesn’t mean it is a free-for-all in data transfers. For example, companies must conduct a security assessment with the regulator, the Cyberspace Administration of China (CAC). “The CAC is a quasi-military operation,” comments Tene, “and is an altogether different beast to the European data protection regulators. Other options,” he continued, “include a certification scheme or model contracts that will in most cases be approved by the CAC. The requirements have not yet been published by the CAC, but judging by the speed with which the Chinese are advancing this package, it won't take long.”
However, companies will need to be agile – China can and does adapt its laws easily and is likely to do so if it finds any anomalies in the existing law. These could go either way, making it less or more strict. The precise manner in which PIPL will be enforced will only become apparent as the various relevant government agencies publish their intentions.
There is no data localization requirement in PIPL (such as that required by Russia and Turkey and likely to be required in India), although there are some requirements in the DPL. Three types of personal data must remain within the Chinese borders, Government data, data related to critical information providers, and large platforms.
“Critical information providers may be interpreted more widely than we are accustomed to in the West,” comments Tene. “For example, in the DiDi Global case, the government referred to DiDi as a critical information infrastructure provider – which is not how we perceive that term in the West. But I think it is limited – I don't think they would view Nike as a critical information provider.”
The third category of large platform providers will likely be based on size, with the CAC to define the threshold. “A low threshold would expand the localization requirement, but I think they will probably limit it to the large platforms, like Alibaba, Tencent, WeChat and so on,” he concluded.
PIPL as an international weapon of diplomacy
GDPR was developed at least in part as a people’s reaction to the global NSA/GCHQ surveillance operated by the U.S. and UK intelligence agencies and revealed by Edward Snowden. It is primarily aimed at protecting European citizens and residents and promoting European ideals. PIPL, however, is closely aligned with China’s international intent to dominate emerging technologies and especially those that rely on data usage.
On the one hand, PIPL provides strong personal information protection for its people. The user ‘consent’ requirements, for example, are stronger than those of the GDPR. PIPL does not include the get out of jail free card embodied in the European phrase in ‘the legitimate interests of the controller’. Instead, the PIPL defines the relatively few areas where consent is not required. And like its western counterparts, that consent can be revoked by the user.
But on the other hand, comments Tene, “The Chinese government isn't shy about flexing its muscles -- and it has big muscles -- and part of its superpower clout is written into the laws. The concept of retaliation is not something hidden between the lines, it's in black and white as part of the law: if a foreign country discriminates against a Chinese company, or singles them out in the sort of way that the former U.S. administration seemed to be doing with TikTok, then China will retaliate.” TikTok could become Tit4Tat. The law says that.
While this could be viewed as a simple threat, it could also be viewed as a diplomatic method of promoting open trade between nations.
Overall, PIPL is an impressive piece of legislation that largely stays within the principles of data protection without being as proscriptive as GDPR. It is unlikely to be particularly burdensome for those western companies that already conform to GDPR and California’s CCPA.
PIPL has even introduced a few novel concepts that haven’t yet been drafted into GDPR – such as a focus on automatic decision making, and AI, large data platforms and children’s personal data. Large data platforms are required to establish privacy committees that are similar to the Institutional Review Boards (IRBs) used in western academic institutions.
But China is not a democracy, and it is a superpower. Both aspects are clear in this legislation – and especially when the three cybersecurity laws are viewed together.