Written by Noah Katz, Ohio State University Moritz College of Law
What is China’s new privacy law?
The Personal Information Protection Law (PIPL), which took effect in November 2021, is China’s first comprehensive data privacy law.[1] The PIPL’s impact is immense given that China is home to almost one billion internet users.[2] The new legislation provides a clear framework for regulating the use of personal data, but, if violated, businesses could face massive fines and may even be blacklisted by the Chinese government.[3]
Is the PIPL just like the GDPR?
At first blush, the PIPL is simply a reflection of other comprehensive privacy legislation around the globe, specifically the European Union’s General Data Protection Regulation (GDPR).[4] For instance, the PIPL and GDPR both have a broad scope, meaning they apply to all companies handling the data of Chinese or EU citizens respectively, whether they are a domestic or international business. Some other significant similarities include limiting data collection to the minimum amount required, requiring a Data Protection Officer, granting the right to individuals to access and correct their personal information, and assessing steep fines for violations (up to 50 million yuan [$7.5 million] or 5% of the business’s annual revenue).[5]
However, a closer look reveals notable disparities. Perhaps the most glaring discrepancy is the purpose of the EU’s GDPR compared to the purpose of China’s PIPL. Individual ownership and control of personal information underpin the GDPR, while national security and preserving social order are foundational to the PIPL.[6] The GDPR is independently regulated and can even hold EU member states in violation of the law, while the PIPL is enforced directly by the Chinese government, meaning that China can access and use citizens’ personal data as it sees fit without any repercussions.[7] The PIPL’s government exemption has raised serious concern among privacy professionals about the effectiveness of a Chinese privacy law that notably exempts one of the world’s biggest privacy violators, namely China itself! Omer Tene, a partner at Goodwin, specializing in privacy and cybersecurity law, said of the PIPL, “the Chinese government is the greater threat to individual privacy, and I don’t know that they will be affected by this.”[8]
Wielding privacy as a weapon
The largest concern with the PIPL is that the new legislation is not a double-edged sword; the PIPL is simply another weapon that China can wield against its businesses and its citizens, while the government itself has full immunity for its own privacy violations. The law gives China the power to blacklist non-compliant foreign companies and firms that “harm” national security. The blacklist would ban those companies from processing Chinese personal data, making it essentially impossible to continue conducting business in the country.[9] Alexa Lee, a senior manager of policy at the Information Technology Industry Council and an associate editor of Stanford University’s DigiChina project, warns that aspects of the PIPL, particularly the blacklist, are “entirely political provisions unseen in any other global privacy proposal.”[10]
Even before the PIPL came into effect, telecoms, transport, and finance firms already had to store their data within China per Chinese cybersecurity legislation.[11] The PIPL now requires that ALL companies store their personal data within China.[12] If a company wants to send Chinese data outside of the country, the company will be subject to a complicated, multi-step “national security review,” which includes a self-assessment about why the data needs to be sent abroad, what data will be sent, and the risks of doing so.[13]
Conclusion
The PIPL affects billions of people, but it has the potential to impact even more. The PIPL’s unique national security bent may influence other countries to adopt similar privacy legislation. For instance, countries like India and Vietnam already have privacy drafts that include data localization measures that reflect similar provisions found in the PIPL.[14]
Under the guise of privacy, the Chinese government seems to have found an effective tool to control companies that do business in China, yet China itself is not bound to its own law; China will have unrestricted access to citizens’ personal data but can force companies to keep their data within Chinese borders, levy fines against violators, and even blacklist companies that do not comply with the law and “harm” national security. China is putting businesses between a rock and a hard place; companies must choose between reaping the economic benefit of the robust Chinese economy at the steep cost of complying with China’s political whims (like Apple has chosen) or avoiding their laws altogether by withdrawing all business from China (like LinkedIn and Yahoo have done).[15] The PIPL is a stark reminder that privacy law is not inherently beneficial and may even be wielded as a political weapon against enemies of the state to preserve social order.
[1] Matt Burgess, Ignore China’s New Data Privacy Law at Your Peril, WIRED (November 5, 2021), https://www.wired.com/story/china-personal-data-law-pipl/ [https://perma.cc/TP4H-S65B].
[2] Id.
[3] Guillaume Vergnaud, What is China’s New Personal Information Protection Law (PIPL)?, New Horizons (Dec 8, 2021), https://nhglobalpartners.com/pipl-personal-information-protection-law/ [https://perma.cc/S8Z2-GSNB].
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Burgess, supra note 1.
[9] Id.
[10] Id.
[11] Id.
[12] Id.
[13] Id.
[14] Id.
[15] Id.
