August 26, 2021

China’s New Personal Information Protection Law Raises the Stakes

As the world’s most populous country and its second biggest economy, China holds immense sway in virtually every major industry. That’s why China’s summer deluge of data protection legislation has turned the international outlook on data security and compliance upside down. 

In just the past few months, China has clarified how a key term in its 2016 Cybersecurity Law, Critical Information Infrastructure (CII) regulator, would be defined, introduced the Data Security Law, and as of Friday, August 20th, officially passed the wide-scoped Personal Information Protection Law (PIPL). All of this legislation comes in conjunction with heightened enforcement across the entire sphere of data security, with China disciplining Chinese companies to try to control exactly how businesses handle data.

In mid-August, China’s Ministry of Industry and Information Technology (MIIT) warned that 43 Chinese apps, including Tencent’s WeChat, perhaps the most influential app in the country, had illegally transferred user data and would receive less than two weeks to rectify the issue. This enforcement comes in lockstep with similar efforts by the Chinese government to protect data from the growing smart car industry, as the country has publicized concerns about Tesla’s data privacy and determined the popular ride-hailing company DiDi Chuxing to be a CII regulator, increasing the company’s data protection requirements.

The full scope of what CII regulators need to do to stay compliant with data laws has not yet been published, but the stakes could not be higher. Whereas most countries have set up fines that hardly dissuade companies from unsafe data practices, China has set fines at $7.7 million to 5% of a company’s previous-year revenue.

As Omer Tene, law professor and VP at the International Association of Privacy Professionals nonprofit, noted on Twitter, “If you’re doing business in China, get legal advice. They’re not playing around.”

While multiple Chinese ministries have some responsibility in the data protection landscape, the Cyberspace Administration of China (CAC) has the official designation to act as the regulator of PIPL, which, as the major data protection law, will likely take precedence in the logistics of how China governs data going forward. This includes the CAC needing to explicitly approve any cross-border data transfers and large data handlers needing to localize data within China, which together would likely lead to strict data residency within China.

All of this equates to a renewed global focus on how local data regulations will reshape how business is done. The EU’s GDPR started that conversation in 2016, but since then most subsequent regulations, from those in Brazil to India, have not pushed the stakes beyond the GDPR line. After watching the world go more digital during Covid-19 and the corresponding increase in the value of data protection, China has taken it upon itself to take the conversation on data protection well into its next chapter.