The National People’s Congress last week approved China’s new Personal Information Protection Law (PIPL). PIPL’s drafting began in 2003. The law broadly seeks to improve the protection of personal information in China by requiring entities that collect personal data to reveal how the information is used and request permission for the collection and use of personal data. PIPL also allows people to request deletion of their data or transfer their data elsewhere. While PIPL in some respects embodies the spirit of the EU’s General Data Protection Regulation (GDPR), it also places a strong emphasis on “national security,” a far-reaching concept in the Chinese context. For example, the international transmission of data can be restricted or banned entirely in the name of national security. Moreover, the law seems to be somewhat vaguely defined when it comes to authorities’ access to and handling of personal data.
Regulations on data were already tightened earlier this summer, when the National People’s Congress set September 1 as the date the Data Security Law (DSL) would enter into force (BOFIT Weekly 32/2021). Although the details of official guidance have yet to be released, this recent package of data legislation is expected to restrict significantly the ability of firms to gather, retain and exploit personal data. For example, the EU Chamber of Commerce in China expects the law to have a significant impact on companies operating in some branches like the car industry. The EU Chamber has encouraged European firms operating in China to make sure that their practices comply with the new Chinese laws. Moreover, the laws can also make it more difficult for foreign officials to access data from China.
China’s traditional laissez-faire stance on data handling and use has given China’s massive tech firms a competitive advantage over smaller firms, allowing them e.g. greater ease in AI development. Tighter rules aim to level the field on this respect. Tightened data protection has long been anticipated, especially with drafting underway for many years. The final push to put data protection measures in place reflects also increased superpower competition, particularly the fact that China does not want its information falling into foreign hands.