We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

the good information project

China is setting up its own version of GDPR - but how will it work in one of the most secretive countries in the world?

Observers say the new rules could give China stronger privacy protections than the US.

IN THIS PART of the world, we don’t always pay much attention to how advanced China’s digital economy has become in recent years.

“In many cases, when someone visits China from the west, they’re surprised as to how large the digital divide is, with China ahead of us in terms of digital payments, e-commerce and connectivity,” says US-based privacy expert Omer Tene. 

Homegrown Chinese internet companies like Alibaba and Tencent have been at the forefront of the huge tech sector explosion of the last decade: between 2014 and 2017, 34 Chinese tech ‘unicorns’ received market valuations topping $1 billion each. 

Estimates differ but it’s widely accepted that, in terms of dollar value, the Chinese digital economy is the world’s second-largest, behind the United States.

In certain subsectors, however, China is a world leader. It accounted for nearly 40% of global e-commerce transactions in 2019, according to the International Monetary Fund. 

Meanwhile, the transaction value of Chinese mobile payments by individuals hit $790 billion in 2016, 11 times that of the US.

Naturally, this has been highly lucrative for China, not least on the jobs front.

But along with that success has come a host of concerns for China’s 938 million internet users, not totally dissimilar to ones we’ve faced in Europe or the United States.

At the top of the list is the fact that tech companies have become powerful market forces, processing huge amounts of personal consumer data.

In order for it all to work for the Chinese economy, Tene says, it “requires individual consumers to buy in and to have trust in technology and platforms”.

A new Chinese privacy and data protection law seeks to address some of those concerns in a similar way to the European General Data Protection Regime (GDPR). 

The new law, which could be passed by the end of the year, is far from perfect. 

But experts say the Personal Information Protection Law (PIPL), the second draft of which was published in April, is a step in the right direction which will tip the scales in favour of consumers rather than tech companies – if and when it does get over the line, it could mean that, in some respects, Chinese citizens have stronger privacy protections than their American counterparts.

Tech crackdown

It’s difficult to detach the proposed privacy regime from the fact that the Chinese government has, in recent months, moved to curb the influence of Big Tech.

“I think the Chinese government is enjoying the benefits of its golden goose — the major tech companies — and being a dominant world player in terms of tech and AI, [but] it also wants to keep in check the power of these major businesses,” Tene, who is chief knowledge officer at the International Association of Privacy Professionals in Portsmouth, New Hampshire, says. 

“Because that’s how the government of China operates.”

Emblematic of that campaign is the case of e-commerce giant Alibaba, a dominant force that has established itself as the Chinese answer to Amazon.

It was investigated by authorities and then fined a whopping $2.8 billion (€2.3 billion) in April for alleged monopolistic practices and market abuses.

The probe was announced in December, a matter of weeks after Bejing halted Alibaba’s gargantuan financial services arm, Ant Group, from listing on stock markets in Shanghai and Hong Kong. 

Depending on who you ask, the Alibaba debacle was either a genuine attempt to tackle economic abuses — not unlike the ones that Google, Amazon and Facebook stand accused of in the West — or the result of a clash between its founder, Jack Ma, and the Chinese government.

In a controversial October speech, the outspoken Ma had lashed out at China’s financial system.

He was summoned for talks with government regulatory officials shortly before Ant’s IPO was suspended.

Ma kept a very low profile for a couple of months after that until he resurfaced in the New Year.

But other major companies have since fallen foul of Chinese regulators as part of a broader crackdown on the growing influence of domestic tech companies.

Consent and legitimate interest

There’s no one reason in particular for the creation of China’s new data protection regime — The Personal Information Protection Law (PIPL).

Much like GDPR, the law probably wouldn’t have existed a decade ago but across the world, in China as well as Europe, regulators have had to grapple with the ever-increasing power of tech companies and the thorny questions thrown up their access to consumer data.

While it is comparable to data protection laws in the US, Europe and Brazil, Tene says, the PIPL does have some important differences.

“When you look at the legal basis for processing data, GDPR has consent; legal obligation; performance of a contract; and legitimate interest, [which is] a hugely important legal basis,” Tene explains.

Legitimate interest under GDPR basically means that even if it doesn’t have your consent, “if the company thinks that it has a legitimate interest to collect data, then it goes through a kind of a risk analysis and a balancing exercise between its interests and the rights of individuals, and it can decide to proceed”.

The draft Chinese law doesn’t include a legitimate interest basis, he says.

Instead, it gives huge weight to obtaining the consent of the individual.

This is important because it means if a company wants to collect a Chinese user’s data, feed it into an algorithm and send them personalised adverts based on that, it needs the user to explicitly opt-in.

It means is that in the government-business-consumer equation, as Tene says, China is putting its finger on the scales “against businesses to a greater extent than some of the other jurisdictions” like Europe.

In the US, in fact, companies don’t need a legal basis to process data at all.

“It’s the other way around,” he says. “It’s allowed unless it’s prohibited.”

Review boards

There are some other novel features of the proposed law.

For one, it will require some of the bigger domestic tech outfits — like WeChat and Alibaba — to put in place external boards to review their use of personal information.

These review boards — to be staffed mainly by people outside the company — will have to provide regular reports about the firm’s handling of consumer data.

Although Facebook was required by the US Federal Trade Commission to put something similar in place in 2019, Tene says the idea is still “kind of state-of-the-art, cutting edge in terms of thinking around privacy and artificial intelligence”. 

There are, however, one or two things in the law that will cause consternation, particularly for western multinationals based in China, Tene says.

Data localisation requirements will mean that companies have to conduct a security assessment in conjunction with the regulator.

The regulator, in this case, is Cyberspace Administration China, a national security agency, Tene says.

“Telling a multinational company that does business in China that they need to approach this agency to perform a security assessment before it can transfer data abroad is probably going to cause some companies to skip a heartbeat.”

The draft law also includes provisions that allow the Chinese government to blacklist foreign companies for “harming the rights and interests” of Chinese citizens.

Tene believes this is a nod towards other economic powers like the European Union. 

Under GDPR, Europe has an ‘adequacy framework’ in place, which allows companies to transfer data freely to jurisdictions outside the EU deemed by the European Commission to have adequate levels of data protection.

The idea of the Chinese version, Tene says, seems to be “if you consider us inadequate, we could retaliate against you”.

One chapter of the draft document aims to regulate even the Chinese government’s use of personal data.

Consensus in the west, at least, seems to be that this section of the law is largely toothless.

However, Jeremy Daum, a senior fellow of the Yale Law School Paul Tsai China Centre, told tech news site Protocol recently that the fact that it’s in there at all shows “they’re really considering who should be allowed to use this and when”.

Tene doesn’t think the Chinese government will be subject to the same laws as private companies.

But that’s quite a “reasonable approach” he says.

“There isn’t sort of a higher edict that says that you need to dispose of privacy [issues] in both the private and public sector in one fell swoop. In fact, in the US, there is a separate kind of legal regime for government data and private sector data.”

“But, of course with China, given the more concentrated government, more questions are raised about how it deals with privacy with data collection surveillance itself as a government,” he says.

“I don’t think those questions are answered here.”

This work is co-funded by Journal Media and a grant programme from the European Parliament. Any opinions or conclusions expressed in this work is the author’s own. The European Parliament has no involvement in nor responsibility for the editorial content published by the project. For more information, see here.


Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel