What you need to know about data privacy in China

How different are Chinese attitudes to data privacy?

by Elliot Rhodes 27 August 2019

China is quickly becoming a superpower. Its might is demonstrated by its impressive military assets, persuasive diplomatic relations with neighboring Asian countries, and the financial aid granted to smaller states. It is clear that President Xi Jinping is so ambitious that he wants China’s power extended to the countries perceived to be allies of another superpower: the United States of America.

At the moment, China and the US are locked in a bitter trade war. The economic conflict has seen a rapid increase in tariffs and a “tit-for-tat” approach that prompted the US to ban telecommunication giant Huawei – one of China’s largest technology companies – from doing business in America.

The move to block Huawei has dealt a damaging blow to the company’s image as the leading telecommunication provider in Asia and further afield. However, it has also prompted Huawei, and other Chinese technology companies, to craft and adopt new systems and approaches to business.

Dominance in technology

Over the past 20 years, China has grown to dominate the manufacturing of technology products. Those who are critical of China’s influence in tech would describe the country as a hotbed of piracy. But China is also home to some of the biggest and most innovative tech companies, which produce services and products on par with Silicon Valley.

For instance, a 2018 report from Kleiner Perkins, a venture capital firm, identified at least five Chinese software companies that belonged to the world’s top 20 technology firms – Xiaomi, Baidu, Alibaba, Tencent, and China Mobile.

Kleiner Perkins also noted that Chinese software companies had actually doubled in size from 2009 to 2014. Apart from this, China is producing an estimated 100,000 software engineers every year. Considering the country’s aggressive growth, it is expected that tech companies in the US will remain critical of their Chinese counterparts, while emphasizing the privacy and security angle.

Data protection

In China’s own backyard, data privacy is a hot topic that requires a national conversation between its people and policymakers. China has previously crafted a policy for data protection; however, its end goal was protecting Chinese consumers from American tech companies that are sometimes accused of spying on the Chinese government and its people.

In May, China’s National Information Security Standardization Technical Committee (NISSTC) released Information Security Technology – Personal Information Security Specification (PI-Specification). This newly revised standard is now considered to be the de facto rulebook for handling personal data. The Chinese government said that the new PI-Specification would work in harmony with the country’s existing cyber security and consumer protection laws.

The new rules cover data transfer, data anonymization, access to personal information, requests to copy or delete personal information, data breach notifications, and the role and function of data controllers, including the systems that involve the processing of personal information, details on explicit consent, assessments of the security impact of personal information, and other topics.

Apart from tech companies, the new standard also covers companies that deal with Chinese intellectual property.

A big change in 2019

Both the new data security law and the personal data protection law have been on lawmakers’ radar since 2018, and observers are expecting to see new rules announced in 2019. It is important to note that it was academics who drafted China’s first laws on personal data protection, modeling them on the EU’s 1995 Data Protection Directive.

Policymakers should focus on the revisions that could be made in China’s data security laws. Changes are expected in the areas of cyber security, alongside a requirement for multiple-level protection systems. Regulators are also expected to demand an “inventory of processing activities” from businesses that deal with data.

Data protection models that work in other countries, especially in the EU, could still be applied to the same processing activities. Regulators must be able to quickly identify the safeguards, as businesses operating in China also require consent from users. And finally, regulators are keen to demand that multinationals provide tailored privacy and data protection policies translated into Chinese.