China’s data legislation matures
Beijing has made it clear that data must be regulated. We take a closer look at two key pieces of recent legislation: the Personal Information Protection Law and Data Security Law.
For China people interested in digital affairs, the first weeks of 2022 have not disappointed. The growing regulatory wave that swept over online platforms from autumn 2020 onward has now culminated in a swathe of new policy plans, including the overall Five-Year Plan for the digital sector, and related plans for the digital economy and the fintech sector. Where the last year and a half made clear that Beijing wanted more control over digital players, these plans now make clear what it intends to do with this control. The key domestic themes in this plan are integrating the digital economy with the real economy, enhancing governmental capabilities for service delivery and more effective administration, and fostering “high-quality development.”
Critical in all of these pursuits is the use of data, which has now officially been anointed as a production factor on par with land, capital, and labor in terms of importance. At the same time, Beijing has made clear that, like those other factors, data must be regulated. Last year, the National People’s Congress passed two separate pieces of legislation that constitute the twin pillars on which China’s data governance architecture rests: the Personal Information Protection Law (PIPL) and the Data Security Law.
The Personal Information Protection Law does pretty much what it says on the box: it intends to protect individuals from harm arising from the abuse of their personal data. Legal scholars had argued in favor of a data protection law since at least the mid-2000s. However, the vast majority of data at that time was held by government bodies or state-owned enterprises, which had little interest in legal constraints to their behavior. The real impetus leading to the current legislation came from incidents such as the Snowden revelations, as well as a cavalcade of highly publicized incidents of large-scale data theft and data-enabled fraud. One prominent case was that of Xu Yuyu, an 18-year old who died of a heart attack in 2016 after she was swindled out of her college savings in a telephone scam.
More broadly, an illegal data trading cottage industry developed, where company or government employees purloined data to make an extra buck. And as more Chinese citizens became connected, more data was generated, and more of that data ended up in the hands of private companies, momentum toward a dedicated law on personal data protection grew. The 2016 Cybersecurity Law already contained embryonic provisions in this direction, and the drafting of the PIPL started in 2018. At this stage, much of the inspiration for the law came from Europe’s General Data Protection Regulation (GDPR), as participants in the law’s drafting have readily acknowledged.
The Personal Information Protection Law intends to protect individuals from harm arising from the abuse of their personal data.
However, where the PIPL’s first draft mostly targeted overt forms of abuse, its later iterations started paying more attention to those platforms themselves. The 2018 ecommerce law had already required platform companies to provide an opt-out option for personal data-based content recommendations. The final version of the PIPL included, among others, an obligation for platform companies to create an independent body, mainly staffed with external members, to oversee personal information management activities, regularly release CSR reports on data protection, and limit the extent to which algorithms can be used to push content. Further draft regulations explicitly limited companies’ ability to use personal information and algorithms for work allocation for gig workers, or for anti-competitive purposes.
This market-regulatory intention of the PIPL equally somewhat resembles initiatives the EU is undertaking, most notably in the 2019 New Deal for Consumers, and the Digital Markets and Services Acts currently in the legislative process. Where China diverges, unsurprisingly, is in the extent to which the PIPL provides an effective constraint on government. Privacy is a fundamental right in Europe, and the very concept of a fundamental right does not meaningfully exist within the Chinese legal order. The law thus creates wide carve-outs for government departments to obtain personal data, as long as this is within the remit of their statutory duties.
Another considerable difference, which ride-hailing company Didi found out the hard way, is the greater concern about foreign ownership of companies holding large amounts of data on Chinese individuals. After its IPO on the New York Stock Exchange, Didi was suddenly put under a cybersecurity review. Subsequently, new rules emerged that mandated such a review before the foreign listing of any company holding personal information on 1 million Chinese individuals or more — a very low threshold in China’s billion-strong market. While Beijing has never quite made clear its specific concern about foreign listing, one could surmise they are concerned that the U.S. government might use the Foreign Corrupt Practices Act or other oversight processes to gain access to personal data on Chinese citizens. And, in view of reports on large-scale data capture on overseas individuals from China, perhaps there is some mirroring going on.
This connection between data and national security has center stage in the Data Security Law (DSL). This law not only covers personal information, but all possible data, held by anyone. Its goal is ensuring that national security and the public interest do not suffer harm from data-enabled interference by criminals or adversaries. To this end, all entities holding data in China will be required to self-categorize into one of five tiers, with higher tiers coming with stricter requirements on software and hardware maintenance, technical protection measures, reporting and auditing obligations, etc. Line ministries now have the task of publishing catalogues to indicate which data belongs in which tier.
In the Data Security Law, Beijing has created a comprehensive legislation that is unique in the world, addressing the fundamental question of data governance and national security.
It is difficult to overestimate the impact of the DSL on data operations in China: in the same way that safety regulations transformed the automotive industry, data security law will likely do something similar in the digital realm. Moreover, the DSL is unique worldwide: no other state has passed comprehensive legislation addressing the fundamental question of data governance and national security. This makes it probable that other countries will learn from China’s example — also if it’s an example of how not to do things.
To summarize, China’s new data protection regime aims to combine several different objectives. First of all, it sought to remedy fairly frequent forms of abuse affecting individuals. From that starting point, it has expanded to include EU-style market regulation that seeks to rebalance the relationship between platforms on the one hand and users, as well as on-platform traders, on the other. They also play a significant role in helping Beijing achieve its technological development objectives. In general, the lofty ambitions outlined in the recent plans require that data can be collected, stored, processed, and used in a secure environment, with risk of theft, interference, or alteration minimized. More specifically, the many reports, reviews, and audits the new laws oblige will create considerable demand for the services of the budding domestic cybersecurity sector. But the PIPL and DSL also target the CCP’s adversaries, at home and — most importantly — abroad.
Different regulatory bodies already issued several draft regulations that provide some detail on how the vague and general terms of the PIPL and the DSL will be implemented, but it will likely take years for the catalogues and schedules that are necessary for full compliance with the laws to come out. In the meantime, businesses would do well to keep these different objectives at the back of their mind in restructuring their operations. A foreign company having a dozen employees in a representative office in Beijing exporting its HR data to headquarters will simply be a far less priority concern to regulators than companies running large-scale consumer operations in China, or working in critical sectors.