The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency.
The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world's top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without one.
As of Friday morning, the full text of the final version of the law had yet to be released, but a third reading of the law was circulated earlier this week. [[Update Friday, Aug. 20, 12:23 PM ET: NPC Observer released the final text of the law.]] Some aspects of PIPL have drawn comparisons to the EU General Data Protection Regulation, with provisions mandating that companies exercise data minimization and obtain user consent. Violations of the law would come at a cost for companies doing business in the country, with fines of up to $7.7 million or up to 5% of the previous year's business revenue, according to The Wall Street Journal.
Though some of the commercial aspects of the law resemble the GDPR, PIPL will not prevent the PRC's central government from accessing data. Karman Lucero, a fellow at Yale Law School Paul Tsai China Center, told the WSJ there is little to indicate "anything resembling legal limits on government surveillance. ... Chinese civil society still has very limited means of 'watching the watchmen.'"
According to an earlier version of the draft bill, the law would require that any cross-border data transfers first be submitted to the Cyberspace Administration of China, the cyber and data protection regulator in China. IAPP VP and Chief Knowledge Officer Omer Tene offered a brief Twitter thread on the proposed law's main takeaways, concluding: "If you're doing business in China, get legal advice. They're not playing around."
Enactment of PIPL was expected this week, and according to the latest Xinhua report, the law "stipulates that individual consent should be obtained when processing sensitive personal information such as biometrics, medical and health, financial accounts" and for those conducting "business marketing to individuals through automated decision-making, personal information processors should provide options that don't target personal characteristics at the same time, or offer ways of rejection." It also "requires suspension or termination of services for apps that illegally processed personal data."
Another provision in PIPL regulates the use of facial recognition. The proliferation of the surveillance technology has prompted a number of legal cases in China, including among building residents and visitors who had to verify their identity via facial recognition. Last month, the PRC's highest court ruled that building managers should offer alternatives to tenants who do not want to submit their biometric information for facial recognition.
Similarly, a Chinese citizen recently sued a zoo in the city of Hangzhou for requiring facial recognition and won the case. Law Prof. Guo Bing said there was no legal basis for the collection of his biometric data and that the zoo had not implemented security measures for the information. An appeals court ruled in favor of the professor and ordered the zoo to refund the plaintiff and delete his biometric data.
PIPL enacted amid flurry of regulatory activity in China
Passage of PIPL comes amid a flurry of regulatory activity related to the digital economy in the PRC. According to Beijing Rui Bai Law's Barbara Li, Chinese authorities approved the Measures for Security Administration of Vehicle Data, which will oversee the processing of automotive information. The measures will be implemented Oct. 1.
Stanford's DigiChina Project also reported earlier this week that the State Council released the "Critical Information Infrastructure Security Protection Regulations" as part of the PRC's Cybersecurity Law, and that they will become effective Sept. 1.
Uncertainty around what is a "critical information infrastructure" has existed since the Cybersecurity Law went into effect five years ago, but the issue came into focus recently when the CAC determined that ride-hailing company DiDi Chuxing was a CII operator. The Future of Privacy Forum conducted an analysis of the DiDi case — the first time the CAC conducted such an enforcement review — to assess trends for data protection enforcement activity in China.
In addition, China's Ministry of Industry and Information Technology said Wednesday that 43 applications, including WeChat and Tencent Holdings, "illegally transferred user data, and ordered their parent companies to make rectifications." According to MIIT, the apps "illegally transferred users' contact list and location data, while also harassing (users) with pop-up windows." The companies were given until Aug. 25 to rectify the alleged violations.
Earlier this week, China's State Administration for Market Regulation approved a set of rules designed to improve competition and stymie fake reviews online.
According to Reuters, the National People's Congress published an op-ed in the state media-run People's Daily Court praising PIPL, the new privacy law, noting that companies using algorithms for "personalized decision making" need to obtain user consent. "Personalization is the result of a user's choice," the op-ed stated, "and true personalized recommendations must ensure the user's freedom to choose, without compulsion."