China’s Personal Information Protection Law is Here. What’s Changing?
You go out for a bowl of noodles, and have to share your name and phone number to order. You ride in a taxi, and leave a trail the company can use to see where you work. If you walk outside, dozens of cameras train their face recognition algorithms on you. In Chinese cities, there’s no escaping data collection.
Many people are fed up. Most restaurants in large Chinese cities require diners to scan a QR code to order food — sharing personal information stored in WeChat — or follow the establishments’ official social media accounts for future promotions. Over 98.5% of participants in a March survey by Shenzhen Consumer Council said they disliked the practice, but 240 out of 260 surveyed supermarkets and restaurants, or 92%, made the authorization mandatory.
China’s first comprehensive legislation on personal data protection, the Personal Information Protection Law (PIPL), effective today, says data collectors can only handle personal information when “there is a specific purpose and a need to fulfill, and under circumstances of strict protection measures.” Restaurants, for example, will have to reduce requests for data to what they need to provide food orders.
The new law governs the use and handling of personal information, regulating how companies “collect, store, use, process, share, provide, transfer, and delete information” of Chinese citizens at home and abroad. It was passed by the Standing Committee of the National People’s Congress on Aug. 20.
Modeled on the European Union’s General Data Protection Regulation (GDPR), considered the most stringent and sophisticated data regulation in the world, PIPL requires companies to obtain consent from individuals before collecting their information.
“When we view PIPL in the global context, it’s also a global phenomenon to deal with [personal information protection] issues,” Tom Nunlist, a senior analyst at strategic advisory Trivium China, told Sixth Tone. In Asia, similar legislation came into effect in Singapore, Malaysia, and South Korea in the early 2010s.
The Personal Information Protection Law is considered one of three pillars of China’s legal framework on data privacy and security, along with the Cyber Security Law and the Data Security Law, which went into effect in June 2017 and this September, respectively.
The law defines personal information as “any kind of information about natural persons who are or can be identified, in electronic or other forms, not including information after anonymization handling.” Under the law, handling such information requires individual consent, which individuals have the right to rescind.
The law deems certain personal information “sensitive” — including biometrics, religious beliefs, specially-designated status, medical health, financial accounts, traveling paths, and all data relating to minors — and requires separate consent for handling.
The law is in part a response to public demand, according to Nunlist. “With the rapid digitalization of everything, many problems emerged in the 2010s, including identity theft,” he said.
China’s internet population rose from 22.5 million in 2000 to a whopping 1 billion this year, making China the biggest digital society in the world.
From 2012 to 2019, CCTV’s 315 Evening Galas, an annual consumer rights show, accused 14 companies of mishandling user information. This year, the state broadcaster called out several international brands, including U.S. manufacturing company Kohler and German automaker BMW, for using face recognition cameras in stores without consent, potentially violating privacy rules.
In 2017, the Jiangsu Consumer Council, which handles consumer complaints, warned over two dozen companies that include Tencent and Baidu about privacy infringements. While the council reported that over 70% of the platforms resolved issues after the warning, it said after a few months that Baidu had not even responded.
After three rounds of review, the law targets areas including apps over-collecting personal information, as well as price discrimination.
The latter issue, often known in Chinese as “big data backstabbing” (dashuju shashu), is a prominent problem among large e-commerce platforms. It refers to the common practice of using big data to compile user profiles, offering different prices based on a customer’s assessed buying power.
Consumers have complained of companies charging their best customers more, raising prices on repeat customers, offering users of iPhones and Android devices different prices, and allegedly even quoting higher prices to membership holders.
“Personal information processors must not use automated decision-making to impose unreasonable differential treatment on individuals such as transaction prices,” the law stated.
Companies are still waiting for regulators to fill in many of the details. PIPL directs the Cyberspace Administration of China, the country’s internet watchdog, and its subordinate departments to make the actual rules that will govern data collection.
“GDPR is more of a complete package one in the Western-style lawmaking, while PIPL is more like a high-level framework,” Nunlist said.
Businesses will be affected differently. “If you are not doing any of the targeted practices that the government wants to end, then it may not be as challenging for you,” he added.
Editor: David Cohen.
(Header image: E+/People Visual)