Ignore China’s New Data Privacy Law at Your Risk
The inevitable flaw in China’s personal data law is that it cannot prevent the state itself from accessing the personal information of its citizens. People living in China are still some of the most watched and censored on the planet. “The Chinese government is the biggest threat to individual privacy, and I didn’t know they would be affected by it,” said Omer Tene, a fellow data, privacy, and cybersecurity specialist at law firm Goodwin.
PIPL differs from other data regulations in how it reflects the broader political purpose of the country in which it is implemented. “If European data protection laws are based on fundamental rights and U.S. privacy laws are based on the protection of consumers, China’s privacy law is closely aligned, and yet I would say based on, national security,” Tene said.
In fact, PIPL has extended a requirement in China’s cybersecurity law that companies store personal data within China. Telecommunications, transportation, and finance companies, along with other entities considered critical information infrastructure, need to do just that. But that requirement now applies to any company that collects a certain, as yet unspecified, amount of people’s data. After the departure of Yahoo and LinkedIn, Apple is now one of a small number of high-profile international technology companies with a presence in China. To maintain its place in the big revenue market, Apple previously made serious concessions to the Chinese government. At this stage, it is unclear how large the impact of PIPL will be on Apple’s business in China.
Companies that want to share data outside of China must also go through a national security review, said James Gong, a China-based associate at law firm Bird & Bird. A separate guide translated by DigiChina reveals that a wide range of companies are likely to face national security checks, including those sending “important data” overseas. Companies that hold data on more than a million people and want to send information overseas will also face scrutiny. Any reasonably sized company operating in and out of China could be swept up in this review process.
As part of security checks, companies must submit the contract between themselves and the foreign partner who received the data and complete a self-assessment. This includes setting out why the data was transferred from China, the types of information sent, and the risks of doing so. All of this combined could create some uncertainty for companies doing business in China, Gong said. “They need to consider reshuffling their current business, management, and IT structure and associated costs.”
While PIPL is likely to force domestic Chinese companies to improve how they manage data, it will also have an impact on broader data rules around the world. There are key differences between it, GDPR, and U.S. privacy practices, especially the retaliatory blacklist. “They’re just political provisions,” Lee said. “These provisions do not appear in any other global privacy proposals.”
The biggest impact of China’s new privacy law (and its protectionist, political spin) could be its influence on other countries that are still developing their own data protection policies, or rewriting their own for a digital age. “We have concerns that other Asian countries may follow China’s approach with data localization measures in their privacy law,” Lee said. “We’ve already seen, for example, that privacy drafts in India and Vietnam have some measures like this.”