China has passed a major new privacy law, in an effort to curb the power of big tech firms operating in the country.
The precise wording of the new Personal Information Protection Law (PIPL) has not yet been finalized. However, it largely parallels the EU’s General Data Protection Regulation (GDPR) and requires companies to limit their collection of personal data and obtain user consent for its use.
“At present, all aspects of society are highly concerned about new technologies and applications such as user portraits and algorithm recommendations, and have strongly responded to issues such as information harassment and ‘big data killing’ [big data analysis] in related products and services,” says spokesperson Zang Tiewei.
Companies may not refuse service to users who don’t agree to data collection, unless it’s impossible to provide those services without it. Users can withdraw their consent at any time, and companies cannot invoke a “legitimate interest” defense. The personal data of children under 14, meanwhile, is subject to tighter laws.
There are also, as with GDPR, strict rules around the transfer of personal data outside the country, with fines for non-compliance.
“The provision of personal information overseas in accordance with the international treaties and agreements that my country has concluded or participated in, and the protection of personal information transferred overseas should not be lower than my country’s protection standards,” says Tiewei.
Foreign companies are required to appoint a local representative to oversee compliance, and will be regulated by the Cyberspace Administration of China (CAC). They must appoint boards to review privacy issues and publish social responsibility reports, as well as conducting risk assessments before transferring data abroad or using data for automated decision making.
As the news has broken, Chinese tech stocks have been plunging, with the Hang Seng Tech index falling by 4.5 per cent. And foreign firms may have to up their game — particularly US firms, thanks to the requirement that data can only be transferred to countries with similar levels of privacy protection.
“It’s part of a sweeping move by PRC to regulate the digital economy,” comments Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP).
“If you’re doing business in China, get legal advice. They’re not playing around.”
And, adds Alex Roberts, TMT counsel in Shanghai at global law firm Linklaters: “The impact on businesses and individuals’ lives cannot be underestimated, as data security has become one of the top concerns for China’s enforcement agencies over the last few years: new definitions of sensitive personal information, restrictions on automated decision-making and excessive data processing, as well as sanctions with real teeth.
“Compliance will be a boardroom issue for domestic and foreign businesses alike.”