Data Privacy Chinese-Style
China’s new Personal Information Protection Law represents an important first step toward protecting the privacy of Chinese citizens, and it will undoubtedly increase the compliance burden for major tech firms. But the PIPL may turn out to be far weaker than it appears.
HONG KONG – China has just passed a major data-privacy law. Inspired by the European Union’s General Data Protection Regulation, China’s Personal Information Protection Law (PIPL) comprises a far-reaching set of rules governing how tech companies handle user data. And, on the surface, it seems pretty tough: in fact, The Wall Street Journal hailed the PIPL as “one of the world’s strictest data-privacy laws.” But it will probably do less to protect Chinese users than many believe, and it might even entrench further the dominance of China’s incumbent tech giants.
To be sure, the PIPL represents an important first step toward protecting the privacy of Chinese citizens. It gives regulators a new set of weapons to use in their fight against China’s mighty tech firms; limits companies’ ability to engage in algorithmic price discrimination; tightens rules on cross-border data transfers; and imposes additional compliance burdens for large tech firms that are deemed “gatekeepers.”
But a close look at the PIPL reveals its major weaknesses. For starters, although it requires businesses and government agencies to obtain individual consent before processing personal information, it exempts them from doing so when there is a “statutory basis” – while failing to specify which statutes qualify. Because many Chinese government authorities, including central ministries and local governments, possess some degree of legislative power, a vast array of lower-level rules and regulations could potentially be used to circumvent the PIPL.