With the adoption of the new Personal Information Privacy Law, China has become the second major player after Europe to formulate its own rules in the industry. Not all tech companies yet understand how to comply with the new law.
The law, seen as the Chinese version of the General Data Protection Regulation (GDPR) in Europe, is a set of rules that govern the collection, use, processing, exchange and transfer of personal data by organizations. The legislative initiative aims to protect Chinese citizens from private sector entities, while government agencies retain access to personal data. In May, American business representatives sent comments to the National People’s Congress in which they protested against the vague wording in the bill, as well as the stipulated monetary fines and criminal liability. Overly prescriptive and onerous rules, according to American businessmen, will become a deterrent to innovation.
The laws aim to protect Chinese citizens from the private sector, while the Chinese government still has easy access to personal data.
China overtakes US with new privacy law
Moreover, because the United States currently has no federal data privacy law at all, European and Chinese regulations may become the defining ones on the world stage. Tech companies doing business in China will have to adhere to vague new rules, which can be costly. Any company whose activities involve processing data from Chinese users must undergo security checks by the relevant regulator in the PRC and appoint local representatives to resolve issues of confidentiality and risk management. Violations of the law carry fines of up to 5% of annual revenue, license revocation, and personal responsibility for management.
- Companies will “have to submit to a security assessment by the Chinese regulator before performing data transfers; appoint local representatives to handle privacy issues; and manage exposure to steep fines and penalties, including criminal, under the law,” he said.
- Also, companies that violate the law could be subject to fines of up to 5% of annual revenue, revocation of their licenses to do business in China and personal penalties against executives, according to a blog post by attorneys at Morgan Lewis, an international law firm.
- “There are really significant compliance requirements for any company that handles Chinese user data, and they’re re-evaluating their exposure, and asking is it worth it or not,” said Samm Sacks, a cyber policy fellow at the New America Foundation.