China's National Congress passed the highly anticipated Personal Information Protection Law on Friday, a landmark piece of legislation that will give Chinese citizens significant privacy protections while also bolstering Beijing's ambitions to set international norms in data protection.
China's PIPL is not only key to Beijing's vision for a next-generation digital economy; it is also likely to influence other countries currently adopting their own data protection laws.
The new law clearly draws inspiration from the European Union's General Data Protection Regulation, and like its precursor it is an effort to respond to genuine grassroots demand for a greater right to consumer privacy. But what distinguishes China's PIPL from the GDPR and other laws on the books is its emphasis on national security, a broadly defined trump card that triggers data localization requirements and cross-border data flow restrictions.
"It provides an additional justification, if you will, to countries that were keen to pursue a similar agenda [about] tech sovereignty [and] localization," Clarisse Girot, director for Asia Pacific at the nonprofit organization Future of Privacy Forum, told Protocol. "And it really signals [China]'s intention to have an influence that's commensurate with the size of its economy and its technological capabilities."
A special breed of data protection
Cross-border data transfer provisions are by now a staple in data protection laws globally, Girot said, but China's approach to data transfer is more heavy-handed; transfers can be restricted or banned if they harm China's national security, and China defines national security more broadly than most other countries.
The PIPL contains provisions requiring that all data processed by national agencies and so-called critical information infrastructure operators be stored in China. Entities that handle personal information above a certain threshold are also required to store user data within China. And the law requires companies that wish to transfer data abroad to pass a security assessment organized by cybersecurity agencies, such as the Cyberspace Administration of China, or to meet other compliance requirements. Those that clear these requirements must then ensure that the overseas data recipients also follow the PIPL.
The PIPL reinforces Beijing's ambition to defend its digital sovereignty. If foreign entities "engage in personal information handling activities that violate the personal information rights and interests of citizens of the People's Republic of China, or harm the national security or public interest of the People's Republic of China," China's enforcement agencies may blacklist them, "limiting or prohibiting the provision of personal information to them." And China may reciprocate against countries or regions that adopt "discriminatory prohibitions, limitations or other similar measures against the People's Republic of China in the area of personal information protection."
Many Asian governments are in the process of writing or rewriting data protection laws. Vietnam, India, Pakistan and Sri Lanka have all inserted localization provisions in their respective data protection laws. "[The PIPL framework] can provide encouragement to countries that would be tempted to use the data protection law that includes data transfer provisions to add this national security component," Girot said.
This new breed of data protection law could lead to a fragmented global privacy landscape. Localization requirements can be a headache for transnational tech companies, particularly cloud service providers. And the CAC, one of the data regulators in charge of implementing and enforcing the PIPL, is also tasked with implementing a national security policy, which could present a challenge to international cooperation.
"When regulators come from a cybersecurity agency, it's not going to be very easy to build the necessary trust with your partners, with your colleagues or counterparts, that it will be necessary to activate this international cooperation," Girot said. "This is not trivial because today, tech is global."
China's PIPL will also have an impact on the United States. Text in the PIPL, as well as in China's Data Security Law, would prevent foreign law enforcement from accessing Chinese citizen data held by companies in China without going through strict clearance procedures. Samm Sacks, a cyber policy fellow at New America, told Protocol that this provision was meant to respond to the CLOUD Act, a U.S. federal law that grants law enforcement agencies the authority to reach into any other country and pull out local data in criminal law enforcement investigations.
"If a U.S. company held data in China, for example, that U.S. law enforcement needed as part of a criminal proceeding," Sacks said, "[the PIPL] could create a blocking mechanism to prevent them from complying with that request."
The U.S. does not have a federal privacy law. And privacy and cybersecurity experts say China's progress in its privacy law won't make the U.S. accelerate its own long-stalled privacy law-making process. But Sacks nonetheless anticipates a negative response from the U.S. to China's data protection law. "I think in an environment of increasing hawkishness about China, it's going to be viewed as another tool that the Communist Party can use to control the private sector and to control the data that the private sector holds," Sacks said, adding that she disagrees with this view.
In protecting consumer privacy, PIPL will rein in China's Big Tech to a certain extent. But that's not the PIPL's major function; Beijing has demonstrated that if it wants to target the industry, it can make it happen overnight — see, for example, the sudden ed-tech crackdown. The immediate impact of the PIPL, said Jeremy Daum, a senior fellow of Yale Law School's Paul Tsai China Center, is to better protect citizen data.
"I think to some extent, you have to be willing to accept that this law is doing what it says it's going to do," Daum said.
Zeyi Yang contributed to research.