The unavoidable flaw in China’s personal data law is that it doesn’t stop the state itself from being able to access its citizens’ personal information. People living in China will still be some of the most surveilled and censored on the planet. “The Chinese government is the greater threat to individual privacy, and I don’t know that they will be affected by this,” says Omer Tene, a partner specializing in data, privacy, and cybersecurity at law firm Goodwin.
The PIPL does differ from other data regulations in how it mirrors the broader political aims of the country enforcing it. “If European data protection laws are grounded in fundamental rights and US privacy laws are grounded in consumer protection, Chinese privacy law is closely aligned with, and I would even say grounded in, national security,” says Tene.
In fact, PIPL expands on a requirement in China’s cybersecurity law that companies store personal data within China. Telecoms, transport, finance firms, and other entities deemed to be critical information infrastructure already had to do so. But that requirement now applies to any company that collects a certain, still undefined amount of people’s data. Following the departure of Yahoo and LinkedIn, Apple is now one of a small number of high-profile international tech companies with a presence in China. To keep its place in the hugely lucrative market, Apple has previously made serious concessions to the Chinese government. At this stage, it’s unclear how much of an impact the PIPL will have on Apple’s business in China.
Companies wanting to share data outside of China must also now go through a national security review, says James Gong, a China-based partner at law firm Bird & Bird. Separate guidance translated by DigiChina reveals that a broad range of companies will likely face national security reviews, including those sending “important data” abroad. Companies holding data on more than a million people and wanting to send information abroad will also face reviews. Any reasonable-sized company operating in and out of China could be swept up in this review process.
As part of the security reviews, companies must submit the contract between themselves and the foreign partner receiving the data and complete a self-assessment. This includes laying out why data is being transferred out of China, the types of information being sent, and the risks of doing so. All of this combined could create some uncertainty for companies doing business in China, Gong says. “They will need to consider reshuffling their current business, management, and IT structure and the associated costs.”
While the PIPL is likely to force Chinese domestic companies to improve how they handle data it will also have an impact on broader data rules around the world; there are key distinctions between it, GDPR, and US approaches to privacy—the retaliatory blacklist in particular. “They’re purely political provisions,” says Lee. “These provisions are unseen in any other global privacy proposals.”
The biggest impact of China’s new privacy law—and its protectionist, political spin—may be its influence on other countries that are still developing their own data protection policies, or rewriting them for a digital age. “We have concerns that other countries in Asia may follow the Chinese approach of having those data localization measures in their privacy law,” Lee says. “We are already seeing, for example, India and Vietnam’s privacy drafts have some measures like this.”
More Great WIRED Stories