Protocol | China

Unpacking China’s game-changing data law

Its emphasis on digital sovereignty could fragment the global privacy landscape.

China's new Personal Information Protection Law is its next step in promoting national security.

Photo: Patrick Pleul/Picture Alliance/Getty Images

China's National Congress passed the highly anticipated Personal Information Protection Law on Friday, a significant piece of legislation that will give Chinese citizens substantial privacy protections while also bolstering Beijing's ambitions to set international norms in data protection.

China's PIPL is not only key to Beijing's vision for a next-generation digital economy; it is also likely to influence other countries currently adopting their own data protection laws.

The new law clearly draws inspiration from the European Union's General Data Protection Regulation and, like its precursor, is an effort to respond to genuine grassroots demand for a greater right to consumer privacy. But what distinguishes China's PIPL from the GDPR and other laws on the books is China's emphasis on national security, which is a broadly defined trump card that triggers data localization requirements and cross-border data flow restrictions.

"It provides an additional justification, if you will, to countries that were keen to pursue a similar agenda [about] tech sovereignty [and] localization," Clarisse Girot, director for Asia Pacific at the nonprofit organization Future of Privacy Forum, told Protocol. "And it really signals [China]'s intention to have an influence that's commensurate with the size of its economy and its technological capabilities."

A special breed of data protection

Cross-border data transfer provisions are by now a staple in data protection laws globally, Girot said, but China's approach to data transfer is more heavy-handed; transfers can be restricted or banned if they harm China's national security, and China defines national security more broadly than most other countries.

The PIPL contains provisions requiring that all data processed by national agencies and so-called critical information infrastructure operators be stored in China. Entities that handle personal information reaching a certain threshold are also required to store user data within China. And the law requires companies to pass a security assessment organized by cybersecurity agencies, like the Cyberspace Administration of China, or to meet other compliance requirements, if they wish to transfer data abroad. If they pass compliance requirements, they need to make sure those overseas data recipients also follow the PIPL.

The PIPL reinforces Beijing's ambition to defend its digital sovereignty. If foreign entities "engage in personal information handling activities that violate the personal information rights and interests of citizens of the People's Republic of China, or harm the national security or public interest of the People's Republic of China," China's enforcement agencies may blacklist them, "limiting or prohibiting the provision of personal information to them." And China may reciprocate against countries or regions that adopt "discriminatory prohibitions, limitations or other similar measures against the People's Republic of China in the area of personal information protection."

Many Asian governments are in the process of writing or rewriting data protection laws. Vietnam, India, Pakistan and Sri Lanka have all inserted localization provisions in their respective data protection laws. "[The PIPL framework] can provide encouragement to countries that would be tempted to use the data protection law that includes data transfer provisions to add this national security component," Girot said.

This new breed of data protection law could lead to a fragmented global privacy landscape. Localization requirements can be a headache for transnational tech companies, particularly cloud service providers. And the CAC, one of the data regulators in charge of implementing and enforcing the PIPL, is also tasked with implementing a national security policy, which could present a challenge to international cooperation.

"When regulators come from a cybersecurity agency, it's not going to be very easy to build the necessary trust with your partners, with your colleagues or counterparts, that it will be necessary to activate this international cooperation," Girot said. "This is not trivial because today, tech is global."

Stateside impact

China's PIPL will also have an impact on the United States. Text in the PIPL, as well as in China's Data Security Law, would prevent foreign law enforcement from accessing Chinese citizen data held by companies in China without going through strict clearance procedures. Samm Sacks, a cyber policy fellow at New America, told Protocol that this provision was meant to respond to the CLOUD Act, a U.S. federal law that grants law enforcement agencies the authority to reach into any other country and pull out local data in criminal law enforcement investigations.

"If a U.S. company held data in China, for example, that U.S. law enforcement needed as part of a criminal proceeding," Sacks said, "[the PIPL] could create a blocking mechanism to prevent them from complying with that request."

The U.S. does not have a federal privacy law. And privacy and cybersecurity experts say China's progress in its privacy law won't make the U.S. accelerate its own long-stalled privacy law-making process. But Sacks nonetheless anticipates a negative response from the U.S. to China's data protection law. "I think in an environment of increasing hawkishness about China, it's going to be viewed as another tool that the Communist Party can use to control the private sector and to control the data that the private sector holds," Sacks said, adding that she disagrees with this view.

In protecting consumer privacy, PIPL will rein in China's Big Tech to a certain extent. But that's not the PIPL's major function; Beijing has demonstrated that if it wants to target the industry, it can make it happen overnight — see, for example, the sudden ed-tech crackdown. The immediate impact of the PIPL, said Jeremy Daum, a senior fellow of Yale Law School's Paul Tsai China Center, is to better protect citizen data.

"I think to some extent, you have to be willing to accept that this law is doing what it says it's going to do," Daum said.

Zeyi Yang contributed to research.
