China’s GDPR clone passed, but will it really protect people’s data?

By Elles Houweling

China has passed a sweeping new law that aims to restrict how personal data is collected, used and managed. The Personal Information Protection Law (PIPL) will come into effect on November 1 and is the country’s toughest regulation on data security yet.

The rules add to Beijing’s tightening of regulations concerning data and are set to make it significantly harder and more expensive for tech firms in China to access and use consumer information.

The final version of the document has not yet been released, but according to state media Xinhua, consumers will have the right to reject excessive data collection by business entities and certain government agencies.

A key component of the draft regulation is informed consent, which requires companies to obtain users’ consent before collecting their information, inform them of how their information will be used and give them the option of opting out.

Users can also request to view the personal data a company holds on them and ask for it to be corrected or deleted. Fines of up to 50m yuan ($7.7m) or up to five per cent of annual turnover can be enforced on companies that violate the law.

Given the far-reaching scope of the PIPL, experts have pointed out that it shares similarities with the EU’s General Data Protection Regulation. Both laws will require companies in China to examine their data storage and processing practices to ensure they are compliant.

The document says that “the processing of personal information should have a clear and reasonable purpose.” It further points out that personal rights cannot be violated and that data cannot be applied in automated decision-making processes that lead to “unreasonable differential treatment”.

There are also strict requirements for transferring Chinese citizens’ data outside the country. Overseas businesses that fall within the jurisdiction of the law will have to comply with China’s new regulations.

The law further calls for handlers of personal information to designate an individual in charge of personal information protection and for handlers to conduct periodic audits to ensure compliance with the law.

China doubles down on data security

The PIPL comes as China’s regulatory scrutiny of the country’s technology companies intensifies. With the PIPL, alongside the country’s Cybersecurity Law and Data Security Law, China has beefed up its data regulation.

The laws are set to put an end to the supposed ‘Wild West’ era enjoyed by China’s tech giants while also regulating cross-border data flows amid rising tensions with the US.

Last month, the Cyberspace Administration of China released a draft proposal that would require companies that hold personal data of over one million users to go through additional cybersecurity reviews before listing abroad.

China’s dominant ride-hailing app, Didi Chuxing, notably became a prominent victim of Beijing’s clampdown on data collection. The company saw its app removed from Chinese app stores last month, a few days after it debuted on the New York Stock Exchange.

Subsequently, several Chinese state agencies launched a probe into the company, citing illegal collection of users’ personal data and cybersecurity concerns.

Recently, the Ministry of Industry and Information Technology (MIIT) proposed a new law concerning data generated by smart cars and autonomous vehicles. The new rules call on connected vehicle makers who offer automated driving assistance and other autopilot functions to “clearly inform” about their vehicles’ functions and performance limitations. Manufacturers will also be required to disclose driver responsibilities and other important data.

On Tuesday, China’s State Administration for Market Regulation passed a sweeping set of rules aimed at improving fair competition, banning practices such as fake online reviews.

In a separate instance, the MIIT said on Wednesday that 43 smartphone applications, including popular apps such as WeChat, its corporate version WeCom, Tencent Video and Tencent Maps, were found to have inappropriately transferred user contact data and location information, or used pop-up ads when users opened the app.