China’s new data protection law outlines Beijing’s mandate to shape global data protection discussions and gives the government more powers to review how companies transfer information overseas.
The Personal Data Protection Act (PIPL), unveiled on Friday, lays down rules on how companies can use the data of Chinese citizens and the conditions that companies must meet in order to share information with computer servers or business partners outside the country. This could have a significant impact on the international flow of data as more countries set up digital trade barriers to protect citizens’ privacy or national security, say data protection and legal professionals.
“[Chinese lawmakers] make no secret of their desire to act in this area,” said Omer Tene, chief knowledge officer at the International Association of Privacy Professionals.
The framework of the PIPL is generally similar to that of the General Data Protection Regulation of the European Union, say data protection experts. Both require companies to justify their data collection and give consumers the right to access or delete their information.
But the approach of Chinese law to how companies transfer data internationally is in some ways more restrictive than GDPR, said David Hale, shareholder of the law firm Brownstein Hyatt Farber Schreck LLP.
“I would look into the types of export permits I need when processing information outside of China,” said Hale, former chief privacy officer of brokerage TD Ameritrade.
Technology companies like Microsoft Corp. and Apple Inc. have increasingly stored customer data in China in recent years as the Chinese market expanded and the government began to unveil a web of data security rules. The new data protection law, when it comes into effect on November 1st, could encourage more businesses to follow suit, Hale said.
Companies wishing to transfer information internationally must use government-approved contracts, obtain certification of data practices from a government-recognized agency, or undergo security clearance by Chinese cyber regulators, said Barbara Li, division director of Rui Bai Law Firm in Beijing.
Companies that are considered “operators of critical information infrastructures,” as well as companies that process large amounts of user data, generally have to store data within China, said Ms. Li. The GDPR does not contain such explicit data localization requirements, which data protection experts say aim to target overseas surveillance and allow local authorities better access to data.
Beijing released separate rules this month giving the state the power to define companies in sectors like technology, telecommunications and finance as critical based on the importance of corporate networks to the sector as a whole or the potential harm of a hack. However, it is unclear what the exact criteria are in order to receive this designation and in turn face higher potential penalties, said Gabriela Zanfir-Fortuna, director of global privacy at the Future of Privacy Forum, a think tank.
The cybersecurity review of ride-hailing giant Didi Global Inc., in which the state forced app stores to remove Didi products, suggests Beijing may interpret the category broadly, said Dr. Zanfir-Fortuna. Beijing sent regulators, including security guards and police, to the company’s offices last month to conduct the investigation.
“We don’t tend to think of ridesharing as such an important information company,” she said. “This shows us that either the idea of this category is arbitrary or that the Chinese government actually thinks Didi has some extremely sensitive data.”
According to a translation by the DigiChina Project, a technology policy center at Stanford University, Chinese law opens the door for Beijing to enter into international agreements that allow some data flows. But unlike the GDPR, which gives the European Commission the power to assess the data protection of other countries, Chinese law does not describe a similar procedure for determining that other foreign security measures comply with local standards.
This approach gives the Chinese state more leeway in the long term to negotiate agreements with other governments, said Paul McKenzie, managing partner of the law firm Morrison Foerster in Shanghai and Beijing.
Regarding countries restricting the flow of data to China in the name of privacy, the law allows Beijing to reciprocate with its own digital trade restrictions.