China keeping citizens’ data to itself with privacy law

China keeping citizens’ data to itself with privacy law


Beijing’s new data privacy law is an attempt by Chinese authorities to take the lead in establishing global data management standards that could have broad implications for companies doing business in the country, legal experts contend.

China’s Personal Information Protection Law (PIPL), which goes into effect in November 2021, could end some standard operating procedures, such as sending client data from mainland China to regional offices in Hong Kong or Singapore, the South China Morning Post newspaper reported. Now, those data transfers could be subject to strict protocols and regulatory review, disrupting business.

“The new law will push data recipients located outside of the country to comply with Chinese laws more seriously, establishing long-arm jurisdiction,” You Yunting, a senior partner at Shanghai Debund Law Firm, told the newspaper.

Modeled after the European Union’s General Data Protection Regulation, the PIPL is particularly focused on apps using personal information to target consumers or offer them personalized prices on products and services. The legislation was fueled by several high-profile domestic cases.

  • A college-bound student in China died in 2016 from cardiac arrest after her family’s savings were stolen in a phone scam caused by leaked personal information, the online news magazine The Diplomat reported.
  • Guo Bing, an associate law professor from Zhejiang Sci-Tech University in Hangzhou, China, filed a lawsuit challenging the use of facial recognition technology at a safari park, Agence France-Presse reported.
  • A law professor at Tsinghua University in Beijing sued her homeowners association in September 2020 for installing facial recognition at her gated community, according to multiple media outlets.

The new privacy law requires user consent when personal information is transferred abroad, and companies with personal data of Chinese citizens can’t hand it over to foreign law enforcement agencies without permission from the Chinese government.

Charles Yu, a lawyer at international law firm Pillar Legal, told the Post that the rules will discourage Chinese companies from sharing data with overseas partners because it could lead to steep financial penalties. This is a sign, Yu said, that China wants to set international standards regarding data transfers.

The newfound push for privacy seems at odds with a regime that is a world leader in state-sponsored video surveillance. Beijing collects personal data on millions of its citizens, particularly in Xinjiang, which has become a police state under constant surveillance with cameras and humans monitoring everyday life of the general public in addition to up to 1 million Uyghurs Muslims in detention camps.

The government also developed a social credit scoring system based on citizens’ digitally trackable behavior — everything from unpaid taxes to posting negative comments about the government on social media.

The Chinese Communist Party has not been transparent about how the scoring algorithm works but acknowledges rewarding those with high scores with the freedom to travel abroad, luxury accommodations and better jobs. Citizens with low scores face punishments that include being barred from management jobs, air or rail travel, and nice hotels.

While purportedly designed to protect privacy, the new law exempts data collectors when there is a statutory reason for collection. It doesn’t specify which statutes qualify. “Notably, exemptions could be granted on the basis of statutes that facilitate China’s controversial social credit system,” the Post reported.