August 24, 2021
China passed the Personal Information Protection Law (PIPL) for data privacy, to take effect November 1 of this year. The law is similar to the European Union’s General Data Protection Regulation (GDPR) and includes a requirement for organizations and individuals to minimize collection of Chinese citizens’ personal data and to obtain prior consent. Unlike the GDPR, however, the Chinese law is not expected to limit state surveillance or access to such data, though it could apply to lower-level government agencies.
The Wall Street Journal reports that, “China’s new privacy framework comes as frustration grows within the government and in Chinese society over online fraud, data theft and data collection by domestic technology giants,” which benefited from “loose rules on accessing data … but also fueled a black market for consumer data.”
The government has already tightened rules on data security and anticompetition in the tech sector, including “imposing a multibillion-dollar fine on Alibaba Group Holding for forcing vendors to sell exclusively on its e-commerce platform.”
According to Neil Liang, co-founder of Shanghai-based tech startup The CareVoice, the new law is a “sign of the market maturing.” He added that “costs will likely increase, as tech companies must dedicate more resources to compliance … but the new rules could also provide new opportunities for third parties who help companies with data management.”
The new law also considered concerns about facial recognition cameras found in urban residential compounds. Building managers must “offer alternatives for residents who don’t want to submit to facial recognition … [and] facial recognition cameras installed in public places must be marked with prominent alerts and only be used to maintain public security.”
The new law addresses “the issue of algorithmic discrimination,” and also “requires automated decision-making to be transparent and fair … [giving] individuals the option to opt-out of personalized marketing.” A serious violation of the new law “could result in a fine of up to $7.7 million, or up to 5 percent of the preceding year’s business income.”
Information Technology Industry Council (ITI) senior manager of policy Alexa Lee stated that companies already compliant with the GDPR “are going to be fine complying with the Chinese privacy law.” But, she added, “national security-related provisions in the law, such as one enabling the blacklisting of overseas data handlers who endanger China’s national security or public interest, could be driven by considerations unrelated to privacy, such as U.S.-China relations.”
“That is an area companies can’t predict and they cannot control,” she said.
Regulators there “also published new rules requiring companies that process auto data to enhance data security and protect personal information collected from vehicles,” requiring data related to “sensitive military and government locations, to be stored in China” with the addition of “principles for reducing unnecessary collection and sharing of data.”
The vehicle-related rules will take effect October 1.