China’s PIPL: The New GDPR?
Key Points of this article
- Fundamental parts of China’s PIPL
- What personal data is
- How the PIPL changes the way Chinese businesses collect data
As technology is constantly expanding, there has been a global push to create more robust legislation to protect consumer data and privacy. This can be seen in the European Union’s 2018 General Data Protection Regulation (GDPR). The GDPR allows for nationwide data protection for its citizens as well as fines for businesses that breach data privacy.
China takes strong inspiration from the EU and is following in its footsteps. The Personal Information Protection Law (PIPL) was introduced in 2013 in response to strengthening cyberspace security; however, it has since developed a targeted approach to data privacy. Earlier this year, China released its second draft of the PIPL, the country’s first comprehensive personal data protection legislation. The updated draft includes more detailed requirements vis-a-vis what personal information online businesses are permitted to collect from users, and how they must handle this data. With the draft PIPL nearing completion, all Chinese businesses with a digital presence must be prepared to take steps to comply with the latest tightening of rules around their personal data collection.
“Information is the oil of the 21st century, and analytics is the combustion engine” — Peter Sondergaard, Gartner Research
Here are key parts of the law:
- Individual consent must be obtained by the data collector to collect personal information — users also have a right to withdraw their consent
- Individuals have the right to request their stored data from the data collector
- Government approval is required if the Chinese citizen’s data is to be used outside the country
- Unless the data is necessary for the product or service, companies cannot refuse to provide services to individuals who do not wish to have their data collected
- Any person or company who breaches the laws surrounding data privacy can be fined up to 50 million yuan (approx. $10 million AUD) or 5% of the company’s annual turnover.
It is important to note what classifies as personal data.
How does China’s GDPR affect online businesses?
The handling of personal data collection in China has been said to be like the Wild West, but with the introduction of the PIPL (the UK equivalent is the GDPR), Chinese consumers no longer need to hand over all their personal information in exchange for services. This means that companies need to have a good reason to collect data and must confine the scope of processing of that data to that reason.
In China, there is more opportunity to track a single person than in the West. If data collection becomes more restricted, hyper-targeted marketing will become harder. Chinese online businesses will have to be careful when collecting location data from individuals, as it may be deemed unnecessary information. Additionally, consumers now have the option to refuse to have their personal information used to analyse preferences and behaviours. This will hinder online Chinese businesses that use programmatic decisions to determine personalised advertisements for an individual, and they may potentially be forced to change their business models.
The Chinese Government is cautious about big technology companies having too much power, beyond its regulatory control. Chinese billionaire Jack Ma’s Alibaba empire has fallen prey to these rigid regulations. Alibaba Group was slapped with an 18.2-billion-yuan ($3.7 million AUD) fine for abusing its market dominance and preventing the free flow of information. As shown by the survey published by Luxury Institute, Chinese consumers are more inclined than Americans to share data in exchange for more personalised content. Although Millennials and Gen Zs are more ready and willing to share data than older users, they are fully aware of the value of their data and are therefore careful with the way they share their personal information. The new data relationship between consumers and data collectors will have to be based on trust. If the consumer trusts the brand, they will share their data.