China’s draft PIPL represents a third way between the sectoral U.S. approach, which applies different rules for specific industries or classes of consumers, and the European Union’s comprehensive General Data Protection Regulation (GDPR) framework, which enshrines fundamental rights across contexts. With the draft law, China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers.
The New America post points out that the PIPL draws quite heavily on the GDPR, which provides further proof of the influence of the latter legislation, something noted many times before on this blog. In the draft, the definitions of personal information, sensitive information, individual rights, and legal bases for processing all have similarities to the EU framing. However, China’s national security requirements mean that there are important differences when it comes to data flows. Under the GDPR, these are allowed provided privacy is safeguarded. Under the PIPL, the limitations are far greater. China’s existing Cybersecurity Law requires data held by so-called “critical information infrastructure” operators – essentially the most important digital companies – to be stored in China. The PIPL would require personal data referring to Chinese citizens to be stored within the country, even for some smaller companies. A rigorous assessment by China’s cybersecurity department is needed before any personal data can be sent abroad. In addition, the PIPL would grant the authorities the power to establish a blacklist of overseas companies that are banned from processing Chinese personal data if it is determined that they violate China’s national security interests.
Moreover, the PIPL would allow the government to retaliate against entire countries that are deemed to have taken discriminatory regulatory measures against Chinese companies in the field of data protection. This is clearly with a view to countering the growing calls in the West to shut Chinese companies out of processing citizens’ personal data. However, these restrictive measures and threats of retaliation pose a problem for the Chinese authorities:
Despite its status as one of the top data importers and exporters and its ambition expressed in Article 12 of the draft PIPL to gain mutual recognition of data protection rules with other countries, China is likely to face heightening challenges advancing its model of data governance on the global stage.
Even without bans or punishment by the Chinese authorities for the actions of other governments, the proposed PIPL is likely to become a real headache for Western companies that do business with China. As with the GDPR, it does not matter where a company is based: the PIPL applies as soon as Chinese personal data is involved:
Given that the reach of the PIPL extends beyond China’s borders, many organizations based outside mainland Chinese territory but handling Chinese citizens’ data will still be affected. Ultimately, this means that almost every major corporation in the world will need a China PIPL compliance strategy. Companies would need to conduct data mapping, review privacy practices and consent requirements, assign a data protection officer (DPO) within China (Article 52), and create procedures around data breach reporting (Article 55).
It is this extraterritoriality that makes the proposed PIPL so important for companies around the world. The issues raised by the GDPR’s global reach are now commonplace. Companies dealing with the personal data of EU citizens must routinely consider whether they are compliant with the GDPR. Similarly, the GDPR court cases brought by Max Schrems have led to uncertainty over whether transatlantic data flows in their current form can continue. If the PIPL is passed in anything like its current form, we can expect a similar ripple effect to spread across the Internet, affecting companies directly and general Internet users indirectly. As China begins to assert its right to impose its laws outside its borders, the world of online privacy will become even more complex.
On the plus side, China’s proposed law underlines the fact that privacy in the online world is not some minor, optional feature, but an indispensable core element. In this context, it will be interesting to see what approach the new Biden administration takes to online privacy – and how it reacts to China’s push for a global reach of its data protection laws.
Featured image by Severin.stalder.