On November 1, 2021, the Chinese government introduced a new law that attempts for the first time to comprehensively regulate the storage, transfer and processing of personal data. The Personal Information Protection Act (PIPL) enshrines the principle of consent for the use and transmission of personal data, privacy and security impact assessments, and the handling of data protection breaches. Article 2 provides: “The personal information of natural persons enjoys legal protection; no organization or individual may infringe on the rights and interests of individuals with regard to personal information.”
Why has the Chinese government decided to take this step now? To date, China does not have comprehensive personal data protection. The new law fills this gap and thus represents, like the European General Data Protection Regulation (GDPR) of 2018, an important step towards standardizing, updating and formalizing data protection principles.
A number of substantial changes were incorporated into the final version of the law. These range from the ban on algorithmic price discrimination to a new requirement for data portability and new approaches for the cross-border transfer and processing of data of minors under the age of 14. The vigorous debate is far from over, however, as the legislation is more of a framework – with concrete details yet to be completed.
From US regulations to GDPR
At first, it seemed that China would take the relatively minimalist US regulations as a model for developing its own legislative framework. In the United States, digital regulation is largely a patchwork. “Historically in the United States we have had a bunch of disparate federal governments [and state] laws,” according to data protection expert Amie Stepanovich. Soon, however, there was a shift towards the European GDPR. The final text, now available in English translation, confirms this trajectory, as large parts of the text present similar concepts and even practically identical formulations.
“This law is actually very inspired by the GDPR,” said Han Xinhua, professor of law and member of the cybersecurity committee of the University of Communication of China. “The rules are very similar in many respects, such as the definition of personal information, the rules for handling sensitive information, …, the obligation to take security measures, retention (storage) time limit, evaluation impact on personal information protection, DPO / privacy accountability system, etc.”
Because the new law applies to all data collected in China, it also affects foreign companies and institutions operating in China. Most companies have already informally oriented themselves towards GDPR, according to expert Yiming Hu. But now “they all have to take a closer look.”
The rejection of the American model and the massive adoption of the GDPR in the most populous country in the world represent a kind of export coup for the European Union in the digital economy.
Discussions in China have been going on for years about the necessity and design of user rights in the digital realm. These debates took place in a context where corruption, arbitrariness and the absence of rule of law structures were seen as an obstacle to China’s development. It finds expression in the current “main contradiction” in Chinese society. The Chinese Communist Party (CCP) considers this to be between “unbalanced and unsatisfactory development and people’s ever-increasing need for a better life.” The “common prosperity movement” launched by the Party thus aims to promote better governance and a more balanced economy.
This campaign is a response to the gap that has widened in recent years between rich and poor, the emergence of a new urban middle class and, not least, the rise of powerful national digital companies and widespread corruption within the State and the Party. Xi Jinping’s era, after all, is characterized by a “severe and far-reaching anti-corruption campaign,” according to sinologists Daniel Fuchs and Frido Wenten.
In recent years, the emergence of large digital companies as “personal data processors” has compromised the social balance. This has significantly complicated the relationship between the Chinese government and big business. Their ramp-up was closely monitored and, if necessary, curbed. For example, at the end of 2020, the government temporarily suspended the initial public offering of Ant Financial Services Group, a subsidiary of Chinese group Alibaba.
A range of new digital laws
Han Xinhua explains that a “three-pillar model” has been created: “The dual structure of public-private rights in an industrial society is replaced by a triangular structure of public-private-power-private-rights power instead.” According to her, this development has changed the balance of power in the digital world. She stresses that in the new triangle of power, it is important to strengthen individual rights vis-à-vis the other two poles. The new law therefore also aims to promote these rights. Xinhua points out that the law was passed mainly because of “internal pressure from China,” not because of efforts to accommodate foreign countries or to conform to Western standards.
The new law must be seen in the context of a host of other laws passed in recent years in an attempt to reframe the digital legal space. For example, the Cybersecurity Law entered into force in mainland China on June 1, 2017. On September 1, 2021, the Data Protection Law entered into force, covering the use, collection and protection of data in the People’s Republic of China.
Zhenbin Zuo, an expert in Chinese law at the University of Cambridge, considers both cybersecurity law and data protection law in the context of national security law. President Xi Jinping also highlighted this link: “Without cybersecurity, there is no national security.”
Article 58 of the PIPL contains a so-called “access guard” provision, which makes platform operators responsible for all practices of third-party providers on their platform. According to Zuo, this requires operators to self-regulate their third-party vendors and maintain a good ecosystem of online applications. This is similar to the FTC’s demands on Facebook after the Cambridge Analytica incident.
The objectives of the CCP
In contrast, according to Zuo, the recently adopted PIPL is more concerned with the protection of individual rights and interests. “But as explained in the legislative notes for PIPL 2021, it is also largely about promoting business interests and developing a national digital economy.”
The new Chinese law inspired by the EU’s GDPR really strengthens individual rights against large digital companies. For the Party and the state leadership, however, it also serves two other purposes: First, it is an element of the campaign against corruption and abuse, and is therefore likely to build public confidence in institutions; and second, it takes place in the context of a policy of regulation, restriction and even control of digital companies.
Strengthening individual data protection rights and reducing the power and data collection frenzy of private and state entities are aimed at ensuring the frictionless functioning of China’s digital economy in the future. As part of the fight against hypercapitalist drifts, the state is on the side of ordinary people, the army of millions of users of digital platforms. In this way, it kills two birds with one stone: it restrains the power of big business and positions itself as the advocate of the new, digitally savvy Chinese middle class.