The inevitable drawback of China’s personal data law is that it does not prevent the country itself from being able to access the personal information of its citizens. People living in China will continue to be among the most watched and censored people on the planet. “The Chinese government is the biggest threat to people’s privacy, and I don’t know they’re going to be affected by that,” says Omar Tine, a partner who specializes in data, privacy and cybersecurity at law firm Goodwin.
PIPL is no different from other data regulations in how it reflects the broader political goals of the country that applies it. “If European data protection laws are grounded in fundamental rights, and US privacy laws are grounded in consumer protection, then Chinese privacy law is closely aligned with national security, and I would even say rooted in it,” says Tine.
In fact, PIPL expands upon the requirements of China’s Cybersecurity Law that companies store personal data within China. Telecoms, transportation, finance and other entities that are critical information infrastructure have already had to do so. But this requirement now applies to any company that collects an unspecified amount of people’s data. After the departure of Yahoo and LinkedIn, Apple is now one of a small number of high-profile global technology companies with a presence in China. To maintain its position in the hugely profitable market, Apple has previously achieved Serious concessions to the Chinese government. At this point, it is not clear to what effect PIPL Apple’s business in China.
James Gong, a Chinese partner at law firm Bird & Bird, says companies that want to share data outside of China must now undergo a national security review. separate routing Translated by DigiChina It reveals that a wide range of companies will likely face national security reviews, including those that send “critical data” abroad. Companies with data on more than a million people and wanting to send information abroad will face reviews. Any company of reasonable size operating in and out of China can be swept up in this review process.
As part of security reviews, companies must submit the contract between themselves and the foreign partner receiving the data and complete a self-assessment. This includes explaining why data is being transferred outside of China, what types of information is being sent, and the risks of doing so. Taken together, Jung says, this could create some uncertainty for companies operating in China. “They will need to consider re-mixing their existing business, management, IT architecture and associated costs.”
While PIPL will likely force local Chinese companies to improve how they handle data, it will also have an impact on broader databases around the world; There are key differences between it, the GDPR, and US approaches to privacy – the retaliatory blacklist in particular. “They are purely political judgments,” he tells me. “These provisions are not visible in any other global privacy proposals.”
The biggest impact of China’s new privacy law – and its protectionist political role – may be its impact on other countries that are still developing their own data protection policies, or rewriting them for a digital age. “We have concerns that other countries in Asia may follow the Chinese approach to having these data localization measures in their privacy law,” Lee says. “We’re already seeing, for example, privacy drafts in India and Vietnam have some measures like that.”
More great wired stories