Typically when we think of China, we think of surveillance, censorship, and human rights abuses in some regions. Nevertheless, this hasn’t stopped the government from introducing strong data protection laws to protect the privacy of its constituents from non-governmental (commercial) entities.
Among the laws that were enacted are the Personal Information Protection Law and the Data Security Law. The latter largely deals with top-level national security, designed to protect Chinese data globally.
“From the perspective of corporate compliance, overseas entities processing data relating to any Chinese citizens or whose data processing activities may actually have an impact on China are also required to fulfill the data security obligations under the Chinese laws,” The China Law Insight explains. “This provides the standing point to assert jurisdiction over multinational corporations’ services to China whose data processing activities are outside China.”
Adding to the already comprehensive legal framework is the first local data protection law that comes from the Special Economic Zone of Shenzhen, which is known as the home of many Chinese tech giants such as Tencent, Huawei, and the drone company DJI.
The new law was passed in June of this year and is due to come into force at the beginning of 2022. It will make it clear that an individual has the right to say no to data collection requests and has the right to know, copy, correct and delete his or her personal information online, in a clear sign that the authorities have a preference for consumer protection over corporate profitability.
According to the explanation from the South China Morning Post, the law will “explicitly ban apps from profiling users under the age of 18 and serving them with personalized recommendations — a rule that could challenge the business model of apps that use this type of algorithm, including ByteDance’s Douyin, the Chinese version of TikTok.”
Furthermore, the law will let users refuse personalized recommendations based on their profiles, even requiring companies to provide them with a way of doing this that is straightforward.
Also included in the law is the regulation of algorithmic price discrimination for which there are fines of up to 50 million yuan (about $7.74 million). This tech is often used on travel websites both in the East and the West.
Finally, the regulation addresses data collected by the state, requiring the government to make its data available to the public for free by default. The regulation defines “public data,” stating that it will be “shared by default, with non-sharing as an exception.”
The passing of Shenzhen’s new privacy law is obviously welcome in terms of bringing in strong protection for personal data in China. Given the city’s leading position in the digital sector, it is likely to influence other local privacy laws when they are drawn up. Also, it will be interesting to see whether the final form of China’s national Personal Information Protection Law also draws on Shenzhen’s ideas.
Nevertheless, we do remain a bit skeptical in terms of the law’s ability to effectively ban personalized advertising. Simply put, there are billions on the table and we doubt the authorities, either local or national, would be willing to destroy an entire sector. Though you never know. Waiting and seeing is pretty much all we could do at this stage…