China Just Passed a Major Data Privacy Law — With a Big, Government-Sized Loophole

Photo: Greg Baker, Getty Images

When covid-19 cases started surging through China last year, we saw the country’s already authoritarian surveillance systems get kicked into overdrive. Officials rolled out everything from face-detecting drones and mandated movement-tracking apps to literally harvesting citizens’ blood in order to stem the flow of the virus. Going into 2021, the country had clearly reached a breaking point; China saw its first facial recognition lawsuit this year, and the first drafted law that would partially ban this tech from being used in a major city, Hangzhou.

And on Friday, state-run media outlets reported the country had taken its biggest step yet: passing a sweeping national privacy law that’s set to go into effect November 1.

And we do mean sweeping. The Personal Information Protection Law (PIPL) takes a page from Europe’s landmark privacy law — the General Data Protection Regulation (GDPR) — that many policy wonks consider to be the “gold standard” when it comes to protecting citizens’ privacy. Unlike the GDPR, however, it comes with one major caveat: It’s largely written to protect people from private companies hoovering up their data, while giving state authorities a free pass to largely do just that.

Yeah, it’s a loophole that kind of undercuts the biggest problem that a lot of us tend to have with China’s surveillance state: That state authorities use their panopticon to constantly track innocent people or entire ethnic groups. But there is a bright spot. Just like we’re seeing with officers in the U.S., China’s government officials typically rely on private companies to collect that data for them: apps, smart devices, and even TVs. The PIPL is meant to crack down on the companies behind these data-sucking monsters, which means — hopefully — citizens can use the law to cut off access to their data before it winds up in government hands.

Like most privacy laws, the full PIPL is wordy and dense. But in a nutshell, it mandates that those who operate apps, sites, or any other tech doing data collection obtain consent from their users in order to collect that data, just like we’ve seen with the GDPR. In cases where that app or device handles “sensitive” data like a person’s fingerprint or financial details, it’s required to ask for consent again before collecting those specific details, even requiring operators to get “written consent” from users where the law calls for it.

On top of that, the law also requires that users are given different options for how their data is allowed to be handled. Users must be allowed to, say, tell an app it can track their data, but not use that data to target them with ads. And when they give that consent, the app is required to give those users an easy way to withdraw it at any time. If you’ve seen the way Apple rolled out app tracking choices in iOS 14, what the law’s asking for sounds pretty similar. Only in this case, it won’t be Apple taking your app down if you’re caught flouting these requirements — it’s China’s government.

The PIPL also has pretty strict guidelines for foreign companies doing business in the region — and that includes data-hoovering giants like Facebook that offer services to Chinese customers through obscure subsidiaries. The PIPL states that any of these outfits aren’t only required to abide by the new law but that they need to “pass a security assessment organised by the State cybersecurity and information department” before they get a pass to operate in the country.

When companies get caught flouting privacy laws in the U.S., companies like Facebook are slapped with the same sort of punishment they’d get if they were caught violating those rules in the EU: thousands (sometimes millions) of dollars worth of fines. As you’d probably expect, the consequences for companies in China are much more severe.

Depending on the infraction, companies can be fined up to 50 million Yuan (roughly $1,076,908), or have their entire “illegal income” that was earned off non-consenting customers seized by Chinese authorities. If they’re caught selling or freely disclosing those people’s personal information, they could wind up with a 7-year prison sentence.

Does that sound a bit severe? Maybe. But after seeing these companies make billions of dollars by misleading customers about their data or straight-up lying when they’re caught, it’s good to see them with a new reason to be afraid.