China has skipped a major new privacy law aimed at curbing the power of large technology companies operating in the country.
The exact wording of the new Personal Data Protection Act (PIPL) has not yet been finalized. However, it is largely in line with the EU’s General Data Protection Regulation (GDPR) and requires companies to restrict the collection of personal data and obtain the consent of users.
“Currently, all aspects of society are very concerned about new technologies and applications, such as user images and algorithm recommendations, and have reacted strongly to, for example, data disruption and the ‘killing of big data.’ [big data analysis] related products and services ” says spokesman Zang Tiewei.
Companies may not refuse the service to users who do not consent to the collection of data unless it is impossible to provide these services without it. Users can withdraw their consent at any time, and companies cannot invoke the defense of a “legitimate interest.” Stricter laws apply to the personal information of children under the age of 14.
Like the GDPR, there are strict rules on the transfer of personal data outside the country, and fines are imposed for non-compliance.
“The transfer of personal data abroad in accordance with international agreements and treaties that my country has concluded or participated in, and the protection of personal data transferred abroad should not be lower than the protection standards of my country,” Tiewei says.
Foreign companies must appoint a local representative to monitor compliance with the rules, and they are overseen by the China Cyberspace Administration (CAC). They must appoint boards to look at privacy issues and publish social responsibility reports, as well as conduct risk assessments before transferring data abroad or using the data for automated decision-making.
As news threatens, China’s technology stocks have fallen and the Hang Seng Tech Index has fallen 4.5 percent. Foreign companies may need to improve their game – especially U.S. companies, as data is required to be transferred only to countries with similar privacy protections.
“It’s part of China’s extensive move to regulate the digital economy,” commented Omer Tene, vice president and chief information officer of the International Association of Privacy Professionals (IAPP).
“If you do business in China, get legal advice. They’re not playing.”