China’s new privacy law, which takes effect in November, will have far-reaching implications for how companies that do business in the country handle cross-border data, possibly helping Beijing establish global standards for data management, according to legal experts.
Under China’s Personal Information Protection Law (PIPL), previously standard business operations such as sending mainland Chinese client data to regional head offices in Hong Kong or Singapore could be subject to strict protocols and regulatory reviews. Through multiple laws and regulations passed in recent years, Beijing is setting up a data regime that, in some cases, could be mutually incompatible with laws in the US and Europe, throwing multinationals into a hazardously fragmented legal landscape.
“The new law will push data recipients located outside of the country to comply with Chinese laws more seriously, establishing long-arm jurisdiction,” said You Yunting, a senior partner at Shanghai Debund Law Firm. “The strictness of China’s legislation in the area of privacy and data safety is leading the world in terms of both national sovereignty and individual protection,” You said.
According to Chapter III of the law, if a personal information processor needs to move data beyond the country’s borders, it must either pass a security assessment by the Cyberspace Administration of China (CAC), be certified for personal information protection by the government’s cybersecurity department, be concluding a contract with a foreign party in accordance with government standards, or meet “other conditions” set by government agencies.
The law also requires user consent when personal information is transferred abroad, and the person must be informed by the receiving party about how the data will be used if changed from its original purpose.
Handing data over to foreign law enforcement requires explicit approval from the Chinese government under the new law. This requirement could put foreign companies like Apple or Tesla in an awkward position if disputes arise between Chinese and American authorities.
The law also authorises the Chinese government to blacklist foreign organisations, companies and individuals to prevent them from accessing the data of Chinese citizens. In the event that a foreign government restricts access to personal information, the law provides for retaliatory measures.
Omer Tene, vice-president of the non-profit organisation International Association of Privacy Professionals, said the provisions “convey China’s muscle as a global superpower”.
With a new law and a formidable regulator, international businesses will have to find ways to comply to keep doing business in the country.
Charles Yu, a lawyer at international law firm Pillar Legal, said the strict rules will further discourage Chinese companies from sharing data with overseas partners because it could lead to steep penalties. The PIPL’s maximum penalty for serious violations is 5 per cent of annual revenue, more than the 4% fine companies face under the European Union’s General Data Protection Regulation (GDPR).
Yu noted that the PIPL requires Chinese companies to ensure that foreign data recipients comply with Chinese laws and regulations, a stricter standard than what was included in earlier drafts.
China specifies in the law that the only international treaties it will follow are the ones it has signed, but the country has not signed any treaties involving personal data protection. This is a sign that China wants to be the one to set international standards regarding data transfers, Yu said.
Stephen Wong Kai-yi, Hong Kong’s former privacy commissioner, said the PIPL could pave the way for China to obtain an “adequacy decision” under the GDPR, which is a prerequisite for allowing data transfers between the EU and other jurisdictions. An adequacy decision is determined by the European Commission, which assesses whether countries outside the EU have sufficient data protection standards.
The broad scope of the PIPL could help China push its standards on foreign companies, as happened following the implementation of the GDPR, according to Seha Yatim, an analyst at the political consultancy Access Partnership.
“As the US leverages the APEC Cross-Border Privacy Rules to overcome data transfer issues, it would be interesting [to see whether] China will come up with its own approach that can rival it, or even the EU adequacy approach,” Yatim said. – South China Morning Post
