By Charles McDermid

China is fast-tracking the country’s first law to protect privacy and personal data, a long-awaited move heralded by pro-Beijing media but questioned by experts for not restricting state surveillance and for forcing economies to pick a side in the escalating tech war with the U.S.

The National People’s Congress, China’s powerful legislative body, last week released for public review the first draft of the Personal Information Protection Law.

If approved in the coming weeks, as expected, it would become China’s first unified national law on the protection of personal information.

No similar legislation exists in the United States.

Emmanuel Pernot-Leplay, an expert on comparative data-protection law at Tilburg University in the Netherlands, said the law, which has been in the works for nearly a decade, was eagerly anticipated because it would allow China to supersede its current system for governing data protection — mostly a patchwork of dozens of nonbinding guidelines.

“The confirmation of China’s direction leaves the U.S. lagging behind on many data-protection rights.”

Emmanuel Pernot-Leplay, Tilburg University.

“In this law, data-controllers clearly bear the responsibility to adopt the necessary measures to safeguard the security of the personal information they handle, which, together with the significant increase in the amount of potential fines, sends a strong message that organizations have to comply with data-protection requirements,” Pernot-Leplay told Digital Privacy News.

“The law features several protections that are typical of EU-style data protection laws,” he added. “The confirmation of China’s direction leaves the U.S. lagging behind on many data-protection rights.”

Modeled After GDPR

The Global Times, a state-run newspaper, admitted the new law was based on the General Data Protection Regulation (GDPR), implemented by the European Union in 2018.

The agency reported that those violating the new law could face a fine of up to $7.4 million or 5% of the previous year’s revenue.

It pointed out that GDPR regulators already had fined tech and internet giants, including Google and Facebook, more than $130 million.

“This (is) part of the bifurcation of the internet: one that is led by China and one that is led by the U.S.”

Natalie Pang, National University of Singapore.

The report continued that foreign organizations or individuals found to have violated Chinese citizens’ rights to private data or have harmed national security would be “put on a blacklist” by the Cyberspace Administration of China. 

“A drastic change to previous Chinese texts is the extraterritorial scope of this law, which previously existed only in the EU’s GDPR,” said Pernot-Leplay.

“Now, companies that are not present in China but that process data from people in China will have to comply with Chinese law.”

Concerns on Data Use

Experts agreed that the new law showed an unprecedented level of concern over how companies use data — perhaps after public outrage against hacks and leaks — but that it did little to mitigate the Chinese government’s mass-surveillance programs.

Natalie Pang, senior lecturer in the communications and new media department at the National University of Singapore, described China’s law as “a start” — with the law making some provisions to protect the personal data of consumers and clear penalties for those who abuse the personal data they collect. 

“Many American platforms have been already put on a blacklist — and, therefore, not available within China.”

Kyung-Sin Park, Korea University.

“But as with many other countries,” she told Digital Privacy News, “the law alone won’t be able to address the problem completely — as those that have been thriving on illegally collecting and trading personal data will continue to find loopholes.”

Pang said she was concerned the law would be used to target internet firms based overseas.

“I also see this as part of the bifurcation of the internet: one that is led by China and one that is led by the U.S.,” she said. 

“Covid-19 has provided a push for the global digital economy,” Pang continued. “At the heart of massive digitalization across all industries is how data will be collected, used and analyzed.

“There will be eventually, if not already, economies that are part of the digital infrastructure and internet that is led by China, and some that are part of the one led by the U.S.”

Data-Localization Fears

Kyung-Sin Park, director of the American Law Center at Korea University and head of Open Net Korea, said the law might reinforce a global trend toward data-localization, broadly defined as requiring data about a nations’ citizens to be stored within the country.

“In a sense, many American platforms have been already put on a blacklist — and, therefore, not available within China,” Park told Digital Privacy News.

“I am worried that the new law will only pile on additional justification for data-localization,” he observed. “China’s data-protection law has tremendous potential to rationalize data-localization rules.” 

For Pernot-Leplay, the real question is how the law is enforced and on whom.

“Will it be evenly implemented for government data-processing activities?” he posed. “Otherwise, any progress that could be had will remain on paper.”

Charles McDermid is a writer based in Asia.

Sources (links external):

• Text of China Data Law: China’s Draft ‘Personal Information Protection Law’ (Full Translation)
• Global Times report: China unveils first law on personal data protection