China’s new data privacy laws

Source: By Rounak Bagchi: The Indian Express

China, on 20 August 2021, passed a data protection law setting out tougher rules on how companies collect and handle their users’ information. The rules add to Beijing’s tightening of regulation, particularly around data, which could impact the way China’s technology giants operate.

The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules around data collection, processing and protection that were previously governed by piecemeal legislation. However, analysts believe that the policy is unlikely to limit the state’s widespread use of surveillance. The law will take effect on 1 November 2021, news agency Xinhua reported. The full text of the final version hasn’t yet been released.

The national privacy law closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation, and contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent.

However, unlike in Europe, where governments face more public pressure over data collection, Beijing is expected to maintain broad access to data.

Under the new rules passed by China’s top legislative body, state and private entities handling personal information will be required to reduce data collection and obtain user consent.

The Chinese state security apparatus will maintain access to swathes of personal data, however. Beijing has long been accused of harnessing big tech to accelerate repression in the northwestern Xinjiang province and elsewhere.

The law also aims to protect those who “feel strongly about personal data being used for user profiling and by recommendation algorithms or the use of big data in setting [unfair] prices,” a spokesman for the National People’s Congress told state news agency Xinhua.

It will also prevent companies from setting different prices for the same service based on clients’ shopping history.

Moreover, the law stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China, rules which may present problems for foreign businesses. Companies that fail to comply can face fines of up to 50 million yuan (around Rs 57 crore) or five per cent of their annual turnover.

The law says sensitive personal data includes information which, if leaked, can lead to “discrimination… or seriously threaten the safety of individuals”, including race, ethnicity, religion, biometric data or a person’s whereabouts.

In January, the government-backed China Consumers Association had accused internet companies of violating customers’ rights by misusing personal data and “bullying” people into purchases and promotions. “Consumers are being squeezed by data algorithms and becoming the targets of technical bullying,” the association had said.

“Companies must stop using systems to scan through consumers’ personal data and offer them different prices for goods based on that information,” it had added.

Following this, China’s market regulator had also slapped fines on Tencent and asked it and its affiliated companies to relinquish exclusive rights to music labels. China’s State Administration for Market Regulation, in a statement, had said, “To restore market competition, Tencent and its affiliated companies must end their exclusive music copyrights within 30 days and stop charging high prepayment and other copyright fees.”

However, Chinese companies’ use of data had come to the fore only when Beijing’s cyber security agency launched a probe into ride-hailing group Didi Chuxing days after it raised more than $4 billion in a New York initial public offering in June.

The Cyberspace Administration of China had asked Didi to stop accepting new user registrations saying that the app “has serious violations of laws and regulations pertaining to the collection of personal information”. Tens of thousands of consumers had complained about having to pay more for hailing a taxi using an iPhone than a cheaper mobile phone model or for tickets if they are profiled as a business traveller, China’s consumer protection watchdog had said.

The greatest fallout of China notifying the law was that the stocks of the big tech companies of the country suffered a major slump, prompting renewed concerns among investors.

Stocks, including those of Tencent and Alibaba, dropped as much as 4.5 per cent. The Nasdaq Golden Dragon index of large US-listed Chinese stocks closed more than 5 per cent lower in New York, dragged down by an almost 7 per cent fall for the ecommerce group founded by Jack Ma. The gauge has fallen almost 10 per cent, putting it on track for its biggest weekly drop since April.

The sell-off for Chinese tech stocks, brought about by Beijing’s new regulations, has taken the index down almost 53 per cent from its peak in February. Tens of billions of dollars have been obliterated from the wealth of tycoons including the Alibaba founder and Tencent’s Pony Ma.

Tencent, the owner of the popular WeChat messaging app, has warned that further regulations could be coming for the technology industry.

Globally, there has been a push to create better rules around data protection. In 2018, the European Union’s landmark General Data Protection Regulation came into effect, a regulation that aims to give citizens in the bloc more control over their data. Not only does it affect organizations located within the EU, but it also applies to companies outside the region if they offer goods or services to, or monitor the behaviour of, people in the bloc.

As per the Regulation, a user can access the personal data being stored by companies and find out where and for what purpose it is being used. Users also have the right to be forgotten, which means that a user can ask the company to delete their data, potentially stopping third parties from accessing it.

Brazil’s Lei Geral de Proteção de Dados, which came into force in September 2020, is Latin America’s first major data protection law. As Brazilian companies and service providers scramble to reach compliance, the remaining months of the year will be the testing ground for how Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), will enforce the new law.

At the end of 2020, Singapore amended its Personal Data Protection Act, introducing, among other changes, mandatory data breach notifications, an expansion of its deemed consent framework, exceptions to consent for legitimate interests, and increased penalties for non-compliance.