China’s state-run news agency Xinhua says that the country has enacted a personal data protection law (via Reuters).
The Personal Information Protection Law (PIPL) is scheduled to go into force on November 1st.
It was proposed last year, signalling China’s communist leaders’ intention to clamp down on shady data collecting in the commercial sector by imposing legal constraints on user data collection.
According to Xinhua, the new rule requires app developers to give users choices about how their data is used, such as the opportunity to opt out of being targeted for commercial purposes or having marketing based on personal traits.
It also requires data processors to get consent from individuals before processing sensitive data such as biometrics, medical and health information, financial information, and location data.
Apps that process user data in an unauthorised manner risk having their service suspended or cancelled.
Any western company conducting business in China that entails processing residents’ personal data must deal with the law’s extraterritorial jurisdiction, which means foreign corporations will have to assign local representatives and report to Chinese supervisory bodies.
On the surface, China’s new data protection regime appears to mirror requirements long embedded in European Union law — where the General Data Protection Regulation (GDPR) provides citizens with a comprehensive set of rights surrounding their personal data, including a similarly high bar for consent to process what EU law refers to as “special category data,” such as health data (although elsewhere there are differences in what personal information is considered the most sensitive by the respective data laws).
The GDPR also has an extraterritorial reach.
However, the context in which China’s data protection law will work is obviously extremely different — not least because the Chinese government deploys a massive data-gathering apparatus to monitor and manage its own citizens’ behaviour.
Any restrictions the PIPL might impose on Chinese government departments’ ability to collect data on citizens — state organs were excluded from draught versions of the law — could be nothing more than window dressing to allow the Chinese Communist Party (CCPstate )’s security apparatus to continue collecting data on citizens while consolidating its centralised control over government.
It’s also unclear how the CCP will utilise the new data privacy laws to further control — or, in certain cases, tame — the domestic IT sector’s strength.
It has been slamming the industry in a variety of ways, leveraging regulatory changes against behemoths like Tencent. Beijing, for example, filed a civil suit against Google earlier this month, alleging that its messaging service WeChat’s youth mode violates regulations safeguarding minors.
According to Reuters, the National People’s Congress commemorated the law’s passage today by publishing an op-ed from the People’s Court Daily, which praises the legislation and calls for entities that use algorithms for “personalised decision making” — such as recommendation engines — to first obtain user consent.