China's newest legislative move on data privacy closely resembles the world’s most robust framework for online privacy protections, Europe’s GDPR. (Photo by NICOLAS ASFOURI / AFP)

Did China just pass one of the strictest data privacy laws in the world?

  • Its top legislative body passed the Personal Information Protection Law (PIPL) on Friday, effective from November.
  • It closely resembles the world’s most robust framework for online privacy protections, Europe’s GDPR.
  • The PIPL requires firms to get user consent to collect, use and share information, and to provide a way for them to opt out.

Over the last few years, the Chinese government, seeking to strengthen consumers’ trust and participation in the digital economy, has begun to implement data privacy protections that in many respects resemble those in America and Europe today.

China, especially under President Xi Jinping, has been cracking down on its most powerful tech stars, including Alibaba Group Holding Ltd., Tencent Holdings Ltd., and Didi Global Inc., in a bid to ensure its hold on society.

It appears that the government is constantly moving to address consumer worries about the gradual erosion of their privacy as tech companies make rapid advances in the use of tools from facial recognition to big data. That said, the most recent move by the Chinese authorities is passing legislation setting out tougher rules for how companies handle user data.

Last Friday, the legislature of the Asian nation approved the Personal Information Protection Law (PIPL), said China Central Television. Based on earlier drafts, companies are required to get user consent to collect, use and share information, and to provide a way for them to opt out. 

Companies found breaking the rules could face fines of up to 50 million yuan (US$7.7 million) or 5% of their annual revenue. The national privacy law, China’s first, closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation.

Right before this law, the nation’s legislature passed a related law in June that gave President Xi Jinping the power to shut down or fine tech companies that stood in the way of his efforts to control the vast reams of data they build. The moves come as some US lawmakers call for breaking up internet titans like Facebook Inc. and Alphabet Inc., and as European regulators prioritize antitrust actions and giving users more control over data.

What else does the data privacy law cover?

According to the Wall Street Journal, the new privacy law, which unifies previously piecemeal legislation on personal information protection, also tackles a number of concerns that have come to light in recent years, such as the proliferation of facial recognition. According to the latest PIPL draft, facial recognition cameras installed in public places must be marked with prominent alerts and only be used to maintain public security.

The new law will also seek to address the issue of algorithmic discrimination, which has drawn increasing public concern, especially in cases where online platforms offer different prices to different users based on their online behavior. The latest draft, which requires automated decision-making to be transparent and fair, also instructs companies to give individuals the option to opt out of personalized marketing.

Unlike the GDPR, however, the PIPL comes with one major caveat: It’s largely written to protect people from private companies monopolizing their data while giving state authorities a free pass to do just that. It is inevitably a loophole that undercuts the biggest problem that a lot of people tend to have with China’s surveillance state.

The PIPL also has pretty strict guidelines for foreign companies doing business in the region—and that includes data-hoovering giants like Facebook that offer services to Chinese customers through obscure subsidiaries.

The PIPL states that these outfits are not only required to abide by the new law but also need to “pass a security assessment organized by the State cybersecurity and information department” before they get a pass to operate in the country.