China Pushes Through Data Protection Law That Applies Cross-border

China has pushed through a new personal data protection law that details regulations around collection, use, and storage. It includes data processing by companies based outside of China and encompasses requirements for organisations, including multinational cooperations, operating China to appoint someone responsible for its compliance.

The Chinese government on Friday passed the Personal Information Protection Law (PIPL), outlining a set of rules on how personal data should be collected, used, and stored. It had gone through a couple of revisions since it was first pitched last year.

To come into effect from November 1, the bill was approved amidst the "chaos" data had created, with online platforms over-collecting personal data, according to a report by Xinhua News Agency. The state-run news outlet noted that some businesses had deployed facial recognition systems without authorisation, "secretly" capturing consumers' faces and other biometrics data. 

China is home to 989 million online users as of end-2020.

"China has always attached great importance to personal information security. The law on personal information protection clarifies rules on the processing and cross-border providing of personal information," Xinhua quoted Zang Tiewei, a spokesperson for the Legislative Affairs Commission of the NPC Standing Committee, which approved the bill Friday. 

Zang noted that there had been increased scrutiny on technologies that carried out user profiling and ran recommendation algorithms, which had led to issues such as data-powered price discrimination. The new law aimed to address such problems, he added.

According to Xinhua, the PIPL stipulated that brands must not deploy marketing tactics that targeted "personal characteristics" and must provide consumers with options to decline targeted marketing. 

Major online platforms that owned personal data of a large customer base also must establish an independent body, comprising mainly of external parties, to oversee how the information was handled. 

In addition, these companies would have to lay out data protection policies that were based on "openness, fairness, and justice" as well as regularly publish reports on their data protection initiatives. 

With regards to facial recognition systems, the law required signs" to be prominently displayed at public locations where such equipment and images mages would be implemented and captured. Furthermore, the collection and use of such data must be limited to "safeguarding public security". 

Companies dealing with Chinese consumers have to ensure compliance

Modelled broadly after Europe's General Data Protection Regulation (GDPR), the PIPL set a range of obligations, administrative guidelines, and enforcement actions regarding the processing of personal data, according to a blog post published Friday by Future of Privacy Forum (FPF). The report was jointly authored by FPF's Asia-Pacific director Clarisse Girot, global privacy director Gabriela Zanfir-Fortuna, and policy analyst for global privacy, Hunter Dorwart. 

They noted that the PIPL applied to personal data transferred outside of China by imposing obligations on handlers before such data was moved abroad, such as complying with a security assessment by relevant authorities. It also included mandatory risk assessments for specific processes, such as automated decision-making that could have "a major influence" on consumers. 

Organisations must establish a dedicated entity or appoint a representative in China responsible for issues related to their data processing. The name and contact details of such representatives would have to be provided to the relevant authorities overseeing the implementation of the law.

The PIPL also extended to data processing by companies based outside of China when one of three conditions was met, such as instances where the data processing was carried out for the provision of products or services to consumers in China as well as when the data was used to analyse or assess the activities of consumers in China. 

The third condition, in particular, referred to "other circumstances provided in laws or administrative regulations", which the FPF said left a "margin of discretion" to Chinese authorities to "further extend the long-arm jurisdiction of the law in cross-border scenarios".

The FPF further noted a "distinct national security flavour" in the PIPL, which was most apparent in reference to provisions on data localisation and cross-border transfers. 

"The law incorporates provisions that affirm China's intention to defend its digital sovereignty," the authors wrote. "Overseas entities that infringe on the rights of Chinese citizens, or jeopardise the national security or public interests of China, will be placed on a blacklist and any transfers of personal information of Chinese citizens to these entities will be restricted or even barred."

"China will also reciprocate against countries or regions that take 'discriminatory, prohibitive, or restrictive measures against China in respect of the protection of personal information'."

According to the FPF report, the new Chinese law had a complex enforcement framework that included financial penalties of up to 5% of an organisation's turnover as well as punitive actions, such as orders to stop processing data and confiscation of unlawfully attained profits. 

If a business refused to correct the violation, it could be fined up to 1 million yuan ($150,000). Employees directly responsible and overseeing the data violation also might be slapped with a fine of 10,000 yuan ($1,500) to 100,000 yuan ($15,000). In more serious violations, financial penalties could go up to 50 million yuan ($7.5 million) or 5% of annual revenue in the company's previous fiscal year.

Omer Tene, vice president and chief knowledge officer at International Association of Privacy Professionals (IAPP), said the new law would require the submission of cross-data data transfers to Cyberspace Administration of China (CAC) for security assessment. In addition, organisations that handled large data volumes, which Tene noted would be defined by CAC, had to be stored locally in China. 

In a series of Tweets posted a day before the PIPL was passed, he added that the law was "heavily based on consent", with no provision for data processing based on "legitimate interest"--though, this did not include the need to fulfil contracts or compliance with a legal obligation. 

"If you're doing business in China, get legal advice. They're not playing around," he cautioned.

Didi Global has been removed from appstores in China following an order from the government to do so. The move comes just days after the popular Chinese ride-sharing app made its debut on the New York Stock Exchange. 

The CAC last month ordered Chinese ride-sharing platform Didi to remove its app from local appstores for breaching regulations governing the collection and use of personal data. Did was further instructed to rectify "existing problems" and "effectively protect" users' personal data. 

Earlier in May, the CAC had singled out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps. Citing complaints from the public, the government agency said operators of the apps were found to have infringed the rules after authorities assessed several popular apps, including map navigation apps. 

RELATED COVERAGE

• Didi barred from China appstores amidst government cybersecurity review
• China calls out 33 apps for collecting more user data than deemed necessary
• China's top court demands greater scrutiny to prevent monopolies
• Baidu's Android apps caught collecting sensitive user details
• APAC consumers have concerns about online privacy, but let it go for freebies