China has passed a major data privacy law aimed at how data companies should handle users’ data. The law is inspired by the EU’s General Data Protection Regulation but has a far-reaching set of rules.
On the surface, it seems pretty tough. In fact, the Wall Street Journal hailed the PIPL as “one of the world’s strictest data-privacy laws.”
However, it will probably do less to protect Chinese users than many believe, and it might even entrench further the dominance of China’s incumbent tech giants.
To be sure, the PIPL represents an important first step toward protecting the privacy of Chinese citizens. It gives regulators a new set of weapons to use in their fight against China’s mighty tech firms; it limits companies’ ability to engage in algorithmic price discrimination; it tightens rules on cross-border data transfers; and it imposes additional compliance burdens on large tech firms that are deemed “gatekeepers.”
However, a close look at the PIPL reveals its major weaknesses. For starters, although it requires businesses and government agencies to obtain individual consent before processing personal information, it exempts them from doing so when there is a “statutory basis” — while failing to specify which statutes qualify.
Because many Chinese government authorities, including central ministries and local governments, possess some degree of legislative power, a vast array of lower-level rules and regulations could potentially be used to circumvent the PIPL.
Notably, exemptions could be granted on the basis of statutes that facilitate China’s controversial social credit system. The People’s Bank of China (PBOC) has been drafting credit information guidelines that will bring an abundance of online consumer data — covering, for example, transportation, communication, property and payments — under the purview of its credit system.
This goes far beyond the existing social credit system, which mostly collects negative credit information, such as personal debt defaults and breaches of the law. Not surprisingly, it has fueled heated debate in China, with many arguing that the new guidelines amount to a serious violation of personal privacy.
For the PBOC, however, they are central to an ambitious plan to create a nationwide credit database, a step that will significantly bolster the state’s ability to pressure fintech giants such as Ant Group to transfer their vast troves of personal data to state-controlled storage infrastructure.
Such companies previously resisted official pressure on grounds of consumer privacy.
However, China’s regulatory war on the country’s tech giants — especially its suspension of Ant Group’s initial public offering — has strengthened the PBOC’s hand considerably. Now, the central bank is aggressively pushing its credit database plan, purportedly in the name of financial stability.
The PIPL also fails on another front: It does not create a new independent data protection agency. The Chinese Cyberspace Administration will manage coordination, leaving enforcement to a patchwork of national and local-level regulators, which tend to be thinly staffed.
This probably explains why legal sanctions are not the only form of enforcement envisaged by the PIPL. Instead, the law allows for soft legal measures, such as administrative interviews with firms to request that they rectify their behavior. While these soft measures could offer a flexible and efficient alternative to legal sanctions, they might leave too much to the discretion of bureaucrats and weaken deterrence.
Moreover, the new law is unlikely to rein in Chinese tech giants’ market power. After all, these companies have deep coffers and strong legal support — resources that put them in a strong position to shoulder PIPL compliance costs. The same cannot be said of their smaller rivals.
The law’s data portability requirement — which allows consumers to move their personal data more easily between platforms — is a case in point. The rule is intended to encourage multihoming, wherein consumers patronize multiple platforms, and to reduce platform-switching costs for consumers.
However, studies suggest that it could discourage new entrants, as smaller businesses often cannot afford the costs of forced data transfers.
Similarly, strict privacy protections might place smaller firms and new entrants at a competitive disadvantage. Consider ByteDance, which owes its exponential growth to its application of algorithms that gauge consumer preferences and recommend content and advertisements. Stricter privacy protections would have made it impossible for ByteDance to acquire sufficient data to become a true challenger to incumbent firms.
If new entrants cannot gather the data they need to compete, it could end up harming users — the very group privacy laws are supposed to protect.
China’s new data-privacy law will undoubtedly increase the compliance burden for China’s Big Tech firms, which have faced regulatory onslaughts over the past 10 months. In the end, though, the PIPL could turn out to be a blessing in disguise for them.