Protocol | China

China could soon have stronger privacy laws than the U.S.

Really — at least, when it comes to corporations collecting data. A major draft law could end the free-for-all in the world's largest market.

China could soon have stronger privacy laws than the U.S.

Back to work and back to surveillance in China.

Photo: Getty Images

International observers often think of China as a place where privacy protections are thin or nonexistent. But a forthcoming law could arm Chinese consumers with offensive and defensive tools that web users in places like the United States could only dream of.

In late April, China unveiled the second draft of the country's privacy law, the Personal Information Protection Law, for public comment. The law is expected to pass by the end of the year, and would shield Chinese internet users from excessive data collection and misuse of personal data by tech companies — and even, to some extent, by the government.

The new law, similar to the European Union's General Data Protection Regulation, will give individuals the power to know how their personal data is being used and to consent to it.

"It's a good law," Jeremy Daum, a senior fellow of the Yale Law School Paul Tsai China Center, told Protocol. "We tend to think of China as not being overly concerned with privacy, and that's just wrong … There's a growing expectation of privacy in the Chinese public, and the government is responding to it by passing high-level authority to try and ensure some protections."

Several of the provisions in the draft could change the experience of Chinese web users nationwide.

Privacy committees come to China

One new provision requires big internet platforms — including WeChat, Douyin and Taobao — to each form a committee, staffed predominantly by non-company employees, that supervises the handling of personal information. Tech companies will have to stop providing services that misuse personal information. The big platforms are also required to publish periodic reports about information protection.

This is not a model new to the rest of the world. Facebook, for example, was required to form an independent privacy committee by the Federal Trade Commission in 2019. But Chinese tech companies will be required for the first time to establish an outside board to review the handling of consumer data, especially sensitive biometric data.

"It gives consumers an added level of protection," Daum said. "You're going to have somebody besides the government and besides the company itself looking at how the company is using personal information, making sure they're doing it as they said in their user agreements for the purposes that they state."

Personal information as inheritance

The law also adds novel protections for "post-mortem privacy." When a person passes, that person's family will inherit the rights to handling the decedent's personal information, which could include the power to delete their account.

Alexa Lee, senior manager for global cyber and privacy policy with the Information Technology Industry Council and an associate editor of DigiChina, told Protocol that privacy laws globally rarely address the rights to personal information of the deceased. "This is a very unique addition because if you look at all the global privacy laws, only France has one on this," Lee said. "No other privacy laws have something like this, not even GDPR."

Bye-bye, personalized recommendations

Under the new Personal Information Protection Law, users can elect to block algorithmically-curated information or personalized ads. This means that if Taobao or Douyin recommends merchants or video clips to users, by default the platforms must provide options that aren't tailored for the user based on past and present engagement. If companies want to serve ads based on personal information "with a major influence on the rights and interests of the individual," the app or the site must get affirmative user consent first.

Consent. Consent. Consent.

Other than the new changes, one big theme throughout the draft law is ensuring the consumer's right to consent and the right to know how their information is being used. They also have the right to withdraw that consent at any time, and service providers are required to make a streamlined withdrawal process by law.

The draft law stipulates the concrete applications of minimum necessary standards, meaning tech companies can only collect personal information when it's necessary for the services being provided.

But getting consent is tricky. Users don't always understand the terms and privacy notices to which they're agreeing. "It will be a really long process for consumers to get used to that, and it will also be work for the company themselves to figure out how they can streamline and make this notice easier for the consumer to read," Lee said. Otherwise, Lee said, the process will generate consent fatigue.

Limits on the state

The new law contains a whole chapter regulating the use of personal information by state organs, even though it has less teeth compared to protections against corporate abuse.

The draft law stipulates that when handling personal information, the state "may not exceed the scope or extent necessary to fulfill their statutory duties and responsibilities." And state organs, like corporations and individuals, have to inform individuals and get consent from them when handling their personal information. But there are broad exceptions. The government doesn't have to inform individuals about data collection when doing so would undermine the purpose of the collection — for example, in a criminal investigation.

"Of course, that can get abused," Daum said, "because how do you know to question their use if you don't even know that they're using it? But the fact that there is even a section on state organ use of personal information shows they're really considering who should be allowed to use this and when."

Protocol | Policy

New report shows kids see COVID-19 misinfo on TikTok in minutes

A new report finds that kids as young as 9 are being fed COVID-19 misinformation on TikTok, whether they engage with the videos or not.

NewsGuard researchers asked nine kids to create new TikTok accounts and record their experiences on the app.

Photo: Andrew Harrer/Bloomberg via Getty Images

TikTok is pushing COVID-19 misinformation to children and teens within minutes of creating a new account, whether they actively engage with videos on the platform or not, a new report has found.

The report, published Wednesday by the media rating firm NewsGuard, raises questions not only about how effectively TikTok is enforcing its medical misinformation policies, but also about how its own recommendation algorithms are actively undermining those policies.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Keep Reading Show less
A technology company reimagining global capital markets and economies.
Protocol | China

Beijing meets an unstoppable force: Chinese parents and their children

Live-in tutors disguised as nannies, weekday online tutoring classes and adult gaming accounts for rent. Here's how citizens are finding ways to skirt Beijing's diktats.

Citizens in China are experienced at cooking up countermeasures when Beijing or governments come down with rigid policies.

Photo: Liu Ying/Xinhua via Getty Images

During the summer break, Beijing handed down a parade of new regulations designed to intervene in youth education and entertainment, including a strike against private tutoring, a campaign to "cleanse" the internet and a strict limit on online game playing time for children. But so far, these seemingly iron-clad rules have met their match, with students and their parents quickly finding workarounds.

Grassroots citizens in China are experienced at cooking up countermeasures when Beijing or governments come down with rigid policies. Authorities then have to play defense, amending holes in their initial rules.

Keep Reading Show less
Shen Lu

Shen Lu is a reporter with Protocol | China. Her writing has appeared in Foreign Policy, The New York Times and POLITICO, among other publications. She can be reached at

Protocol | Policy

Google and Microsoft are at it again, now over government software

The on-again, off-again battle between the two companies flared up again when Google commissioned a study on how much the U.S. government relies on Microsoft software.

Google and Microsoft are in a long-running feud that has once again flared up in recent months.

Photo: Jens Tandler/EyeEm/Getty Images

According to a new report commissioned by Google, Microsoft has an overwhelming "share in the U.S. government office productivity software market," potentially leading to security risks for local, state and federal governments.

The five-page document, released Tuesday by a trade group that counts Google as a member, represents the latest escalation between the two companies in a long-running feud that has once again flared up in recent months.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.


Facebook wants to kill the family iPad

Facebook has built the first portable smart display, and is introducing a new household mode that makes it easier to separate work from play.

Facebook's new Portal Go device will go on sale for $199 in October.

Photo: Facebook

Facebook is coming for the coffee table tablet: The company on Tuesday introduced a new portable version of its smart display called Portal Go, which promises to be a better communal device for video calls, media consumption and many of the other things families use iPads for.

Facebook also announced a revamped version of its Portal Pro device Tuesday, and introduced a new household mode to Portals that will make it easier to share these devices with everyone in a home without having to compromise on working-from-home habits. Taken together, these announcements show that there may be an opening for consumer electronics companies to meet this late-pandemic moment with new device categories.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Latest Stories