The Great Wall of privacy: China’s new data protection laws9 min readReading Time: 6 minutes
Picture this: You want a new pair of sneakers, so you open your browser and do a quick search on the latest trends. You don’t immediately find a pair you like, so you put your search on hold and log onto social media to see what your friends are up to. Something is strange about the ads — they are all about shoes!
Has this happened to you?
While it may seem like your computer or smartphone is reading your mind, it’s actually not. This strategy or business model of ‘selling ads’ is used by the biggest tech companies in the world. Based on the data available online, your birthday for example, and on your browsing history, tech companies are able to target specific ads based on what you like and want at that moment! This is a billion dollar industry.
Can you guess which tech giant has the MOST data on us? Hint: The name of the company starts with ‘G’.
Hold up — why are we talking about this in a law and politics column? The reason is China, and its new rules on data privacy. These new laws were put in place to protect the people from companies that store their personal data. In today’s ‘Law and Order’, let’s explore these new rules and regulations.
Recently, China passed security and privacy laws that are aimed at preventing businesses from collecting sensitive personal data — the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). While DSL came into effect on September 1, PIPL will come into effect on November 1.
What is personal data? It is all data relating to a person, on the basis of which the person can be identified. Personal data includes: Name and surname, residential address, email address, birth date, etc.
This decision came after several reports of internet scams, leaks and concerns about tech giants abusing clients’ personal information.
Let’s understand what these laws are all about..
This includes the protection of ‘important data’ and ‘core data’, the latter of which is defined as information involving national and economic security, people’s welfare or public interest.
Under the new rule, state-run and private companies handling personal information will be required to reduce data collection and also get permission from customers on using their data. The law will also prevent companies from setting different prices for the same service based on clients’ shopping history.
An example of how companies were charging higher based on user shopping history is what happened with the Chinese transport company, Didi. Tens of thousands of consumers had complained about having to pay more for hailing a taxi using an iPhone than a cheaper mobile phone model!
According to the law, the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China. This could mean trouble for the number of countries that do business in China or with China. We will get into why and how later in the article.
What are a person’s rights under PIPL?
The PIPL provides individuals with various rights with respect to their personal information, including:
- right to know and to decide relating to their personal information;
- right to restrict or prohibit the processing of their personal information;
- right to consult and copy their personal information from the processors;
- right to portability of their personal information;
- right to correct and delete their personal information; and
- right to request the processors to explain the processing rules.
How did it all start?
This has been in the works for a while now. China has long sought to shield its domestic internet from outside influences with a policy it calls ‘cyber sovereignty’.
Back in January, the China Consumers Association (which is backed by the government) had accused internet companies of violating customers’ rights by misusing personal data and “bullying” people into purchases and promotions.
“Companies must stop using systems to scan through consumers’ personal data and offer them different prices for goods based on that information,” the association had said.
Before this, China had no law in place specifically dealing with the collection and use of such data.
What is noteworthy here is that while the laws apply to both the private and public sector, it does not apply to the Chinese government.
Owliver’s Obscure Observations
The law is modelled after one of the world’s strictest online privacy protection laws — the European Union’s General Data Protection Regulation.
What this means for businesses
Chinese tech companies have already been facing a lot of pressure regarding data, and these new laws are only going to make thing harder for them. Chinese companies collecting data can be subject to checks from law enforcement agencies, and hence need to have data centres.
For data that is transferred out of the country, a designated person must be tasked with overseeing the protection of the data, and companies must conduct regular audits to be sure they’re complying with the law.
Companies that fail to comply can face fines to the tune of up to 50 million yuan (around Rs 57 crore) or five per cent of their annual turnover.
The stock market issue
One big issue that came up for big tech companies as soon as the law was notified was a downward spiral of their stocks. Stocks, including that of Chinese giants Tencent and Alibaba, dropped as much as 4.5 per cent!
What about non-Chinese companies?
The DSL will have quite a bit of impact on non-Chinese companies too. If you collected data in China but used it in, say Europe, you could run into legal complications.
It could stop big businesses from doing data-gathering operations across borders. The DSL also applies to data processing activities outside of China (but about China) if the nation deems it could affect its security or the rights of its citizens.
Are there similar laws anywhere else in the world?
Around the world, there has been a push to create better rules around data protection. In 2018, the European Union’s landmark General Data Protection Regulation (GDRP) came into effect —a regulation that aims to give citizens more control over their data.
As per the Regulation, a user can access the personal data being stored by companies and find out where and for what purpose it is being used! An individual also has the right to be ‘forgotten’, which means that the user can ask the company to delete one’s data.
Brazil’s Lei Geral de Proteção de Dados, which came into force in September 2020, is Latin America’s first major data protection law.
At the end of 2020, Singapore amended its Personal Data Protection Act to make notifications of data breaches mandatory. This means that the company has to make known that it is using someone’s data and whether they have given consent to the company to use that data.
Are there data privacy laws in India?
Since the European Union introduced GDPR in 2018, many countries around the world have followed suit. India, too, is taking steps to enact a data protection framework which borrows many elements of the GDPR. The new law, the Personal Data Protection Bill (PDP), is currently in front of parliament. This means that it is still being discussed by the government.
The new Bill is supposed to completely change India’s current laws around data protection —the Information Technology Act, 2000.
So what does the PDP Bill include?
The PDP Bill includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected.
It also includes data localisation requirements and the appointment of data protection officers within organisations. This basically means that there will need to be people assigned to check the use of data within organisations.
India has not yet enacted this Bill on data protection, and there is no clarity on when it will be.
Do you think national data privacy laws are important for your country? What are some of the advantages of this? Let us know in the comments below!
Sources: The Hindu, Indian Express, Financial Times, Times of India