China’s new data privacy laws could see the beginning of the end of the country’s “wild era” of internet development where platforms have been free to collect and use citizens’ personal information.
Legal experts welcomed the draft of the Personal Information Protection Law (PIPL), despite its shortcomings, saying the move is timely and will help push back against big tech’s control over personal data.
Wang Zhicheng, associate professor of finance at the Guanghua School of Management at Peking University, said the past two decades have been a “wild era” for China’s internet, with the big tech platforms operating with few rules to regulate their collection and usage of personal data.
Get the latest insights and analysis from our Global Impact newsletter on the big stories originating in China.
The draft version of the PIPL, which closed for public comments last week, significantly increases penalties for companies responsible for data breaches, proposing fines of up to 50 million yuan (US$7.6 million) or 5 per cent of annual revenue. However, it is short on details of what companies must do to be compliant, putting the onus on them to be extra cautious when handling user data.
“It is imperative that companies formulate or update their data compliance and risk management strategies for the China market,” said Barbara Li, the head of corporate technology, media and telecommunications (TMT) and data practice at professional services firm PwC.
As the world’s most populous country, many of China’s 1.4 billion population are already online but the country has a reputation for lax controls over the collection, storage and use of individual digital data. Existing laws covering cybersecurity and data security do not specifically address personal data protection but authorities, driven by consumer demands for better protection, have regularly launched crackdowns on smartphone apps that collect user data illegally.
China’s big digital platforms, from e-commerce giant Alibaba Group Holding to Tencent Holdings, which has 1.2 billion users on its WeChat social media app, have already amassed a deep pool of user data they can use to develop artificial intelligence (AI) models.
Alibaba, which owns the South China Morning Post, and Tencent, did not immediately reply to a request for comment on PIPL law.
The use of data has become one of the world’s biggest businesses. Last year, market research firm IDC forecast that China’s big data market could be worth US$22.49 billion by 2023. Given the huge size of the market, some believe the penalties under the new law are light and that it has some shortcomings.
“Compared with what the tech giants benefit from in mining users’ personal data, I don’t see the punishment as that significant,” said Wang, adding that while higher penalties will reduce non-compliance they are not a solution to prevent data breaches.
Scholars say the law will provide a legal reference for data breaches but the current draft of the legislation requires further details and enforcement will be a challenge given the industry practice of seeking user agreement to data collection when they sign up for a service.
Under the new law, the consent of individuals must be obtained before their personal information can be used and they have the right to rescind their consent.
“Most of the time individuals have no access to internet service without a data collection agreement [up front],” Wang said. “It is easy for companies to … add such a deceptive action to comply with the law but it does not achieve the aim of the law [which is] to protect the personal data.”
The concept that each person should have ownership of their own data was first introduced in Europe’s General Data Protection Regulation (GDPR), which says that companies that collect personal data are only stewards of that data, not the owners of it. In reality, the bargaining power of individuals against tech giants is weak but Chinese law experts agree that having something is better than nothing.
“China’s draft PIPL will definitely help stem personal information leak and breaches,” said Wang Xinrui, a lawyer at Beijing-based law firm Anli Partners, adding that the GDPR has greatly improved data protection for Europeans.
“In the early days of the enactment of the new law people will see many cases related to personal data breaches [and] to some extent these cases will hurt people’s trust in big companies in the short term,” he said. “But over the longer term the trust will come back [as there is more compliance with the PIPL].
“Most companies will take a very serious attitude towards the PIPL because there is the potential risk of large fines [for violations]. Although the new law is stricter, its impact on China’s internet economy development will be minimal,” Anli‘s Wang said, adding that demand for legal advice related to PIPL has increased significantly.
Last week, a court in eastern China ordered a wildlife park to delete the facial recognition data of a law professor and pay him compensation in the first case of its kind in the country.
It is anticipated that Chinese authorities will fast track finalisation of the PIPL and that the country’s regulators will be proactive in enforcing against non-compliance, said Li from PwC.
The draft PIPL will complement the country’s draft Data Security Law and its existing Cybersecurity Law which is seen by Beijing as essential for national security.
Additional reporting by Tracy Qu
More from South China Morning Post: