China passes data protection law

China has passed a personal data protection law, state media Xinhua reports (via Reuters).

The law, called the Personal Information Protection Law (PIPL), is set to take effect on November 1.

It was proposed last year — signalling an intent by China’s communist leaders to crack down on unscrupulous data collection in the commercial sphere by putting legal restrictions on user data collection.

The new law requires app makers to offer users options over how their information is or isn’t used, such as the ability to opt out of being targeted for marketing purposes or of marketing based on personal characteristics, according to Xinhua.

It also places requirements on data processors to obtain consent from individuals in order to be able to process sensitive types of data such as biometrics, medical and health data, financial information and location data.

Apps that illegally process user data, meanwhile, risk having their service suspended or terminated.

Any Western companies doing business in China which involves processing citizens’ personal data must grapple with the law’s extraterritorial jurisdiction — meaning foreign companies will face regulatory requirements such as the need to assign local representatives and report to supervisory agencies in China.

On the surface, core elements of China’s new data protection regime mirror requirements long baked into European Union law — where the General Data Protection Regulation (GDPR) provides citizens with a comprehensive set of rights wrapping their personal data, including putting a similarly high bar on consent to process what EU law refers to as ‘special category data’, such as health data (although elsewhere there are differences in what personal information is considered the most sensitive by the respective data laws).

The GDPR is also extraterritorial in scope.

But the context in which China’s data protection law will operate is also of course very different — not least given how the Chinese state uses a vast data-gathering operation to keep tabs on and police the behavior of its own citizens.

Any limits the PIPL might place on Chinese government departments’ ability to collect data on citizens — state organs were covered in draft versions of the law — may be little more than window-dressing to provide a foil for continued data collection by the Chinese Communist Party (CCP)’s state security apparatus while further consolidating its centralized control over government.

It also remains to be seen how the CCP could use the new data protection rules to further regulate — some might say tame — the power of the domestic tech sector.

It has been cracking down on the sector in a number of ways, using regulatory changes as leverage over giants like Tencent. Earlier this month, for example, Beijing filed a civil suit against the tech giant — citing claims that its messaging-app WeChat’s youth mode does not comply with laws protecting minors.

The PIPL provides the Chinese regime with plenty more attack surface to put strictures on local tech companies.

Nor is it wasting any time in attacking data-mining practices that are commonplace among Western tech giants but now look likely to face growing friction if deployed by companies within China.

Reuters notes that the National People’s Congress marked the passage of the law today by publishing an op-ed from state media outlet People’s Court Daily which lauds the legislation and calls for entities that use algorithms for “personalized decision making” — such as recommendation engines — to obtain user consent first.

Quoting the op-ed, it writes: “Personalization is the result of a user’s choice, and true personalized recommendations must ensure the user’s freedom to choose, without compulsion. Therefore, users must be given the right to not make use of personalized recommendation functions.”

There is growing concern over algorithmic targeting outside China, too, of course.

In Europe, lawmakers and regulators have been calling for tighter restrictions on behavioral advertising — as the bloc is in the process of negotiating a swathe of new digital regulations that will expand its power to regulate the sector, such as the proposed Digital Markets Act and Digital Services Act.

Regulating the Internet is clearly the new geopolitical battleground as regions compete to shape the future of data flows to suit their respective economic, political and social goals.