Chinese President Xi Jinping in Beijing on Jan. 22, 2021.
Shen Hong | Xinhua News Agency | Getty Images
A strong data framework could help countries define how the next-generation internet looks as well, one expert said, pointing out that it could become a geopolitical issue as China looks to challenge the U.S. in the technology sphere.
But the move has also raised debate about whether those same rules will apply to one of the country’s biggest data processors — the government.
Last year, Beijing published the draft version of the Personal Information Protection Law (PIPL), laying out for the first time a comprehensive set of rules around data collection and protection. Previously, various pieces of piecemeal legislation governed data.
It’s seen as part of a bigger effort to rein in the power of Chinese technology giants which were able to grow unencumbered over the past few years through the vast collection of data to train algorithms and build products, experts said.
… Users are becoming more knowledgeable, and they are becoming angry with companies abusing their personal information.
New York University School of Law
In February, China issued revised antitrust rules for so-called “platform economy” companies, which is a broad-brush term for internet firms operating a variety of services from e-commerce to food delivery.
“The government wants to rein in some … of those technology giants,” Rachel Li, a Beijing-based partner at the Zhong Lun Law Firm, told CNBC by phone. “This legislation … goes along with other efforts such as antitrust.”
Data protection rules
Globally, there has been a push toward more robust rules to protect consumer data and privacy as technology services continue to expand.
In 2018, the European Union’s landmark General Data Protection Regulation came into effect. Called the GDPR for short, it gives citizens in the bloc more control over their data and grants authorities the ability to fine companies that fall foul of the rules. The U.S. has yet to enact a nationwide data protection law like Europe.
Now China is attempting to do something similar.
“After years of Chinese internet companies building business models around Chinese people’s lack of awareness about privacy, users are becoming more knowledgeable, and they are becoming angry with companies abusing their personal information,” Winston Ma, adjunct professor at the New York University School of Law, told CNBC via email.
China’s Personal Information Protection Law applies to the country’s citizens and to companies and individuals handling their data.
Here are key parts of the law:
- Data collectors must get user consent to collect information and users have a right to withdraw that consent;
- Companies processing the data cannot refuse to provide services to users who do not consent to have their data collected — unless that data is necessary for the provision of that product or service;
- Strict requirements and rules for transferring Chinese citizens’ data outside the country, including getting government permission;
- Individuals can request for their personal data that’s being held by a data processor;
- Any company or person falling foul of the rules could be fined no more than 50 million yuan ($7.6 million), or 5% of the annual turnover. They could also be forced to stop some of their business.
What it means for tech giants
In general, the age of ‘exponential growth in the wilderness’ for Chinese technology companies’ expansion is over, whether domestic or overseas.
New York University School of Law
But there are signs that scrutiny could be widening. Reuters reported last month that Pony Ma, the founder of gaming giant Tencent, met with antitrust watchdog officials to discuss compliance at his company. Tencent owns social networking app WeChat, which has become ubiquitous in China.
Ma from NYU noted that the data protection law will have a “balanced approach towards the relationship between individual users and internet platforms.” But combined with other regulations, it could slow down the growth of technology giants, he said.
“In general, the age of ‘exponential growth in the wilderness’ for Chinese technology companies’ expansion is over, whether domestic or overseas,” he said.
Li added that some companies could be forced to change their business models.
Experts previously told CNBC that China’s push to regulate its internet sector is part of its ambition to become a technology superpower as tensions between Beijing and Washington continue. Data protection regulation is part of this push.
“To a large extent, the cyberspace and digital economy remains undefined, the data law framework has become a geopolitical factor,” said Ma from NYU. “Whichever country can take the lead in achieving breakthroughs in legislation or its model of development, it can provide a model for the next-generation internet.”
Ma said that if there is a digital economy version of World Trade Organization rules, countries with strong data laws can have “leadership power.” The WTO is a group of 164 member states that aims to create rules around global trade.
“That is why more and more are talking about what the China model is.”
The Chinese data protection law contains a section on state agencies processing information.
In theory, the state should adhere to similar principles around data collection as a private company — but there is debate over whether that is the case.
“We often think about the PIPL in terms of its applications to Alibaba or Tencent but we forget that China’s state agencies are the country’s largest data processors,” said Kendra Schaefer, a partner at Trivium China, a research firm based in Beijing.
“There’s lively debate in the Chinese legal and academic communities around how the PIPL should be applied to administrative activities,” she said. “One specific issue is the the PIPL gives individuals the right to give informed consent when their data is collected but this may conflict with, for example, police investigations by law enforcement.”
“What’s interesting is that a national conversation is starting around what the Chinese government can or cannot do with citizen data, and how the law should define the state’s obligations,” Schaefer added.