By all accounts, data privacy laws are relatively new. You can point to GDPR as a global standard, which only came into force in 2018.
It added certainty to the ambiguity created by voluminous fine print not designed for human eyes or convenience, which had given data harvesters free rein.
It also added a few more regulations that gave consumers back control of their personal data. The “right to be forgotten” is one popular example. Overall, it heightened awareness, and soon other regions and countries started creating similar laws based on this framework.
Similar, but not the same. That is because data privacy has a slightly different meaning in Asia. And without a standardizing body like the E.U., every country in the region has its cultural nuances.
So it comes as no surprise that when China inked the Personal Information Protection Law (PIPL), instead of celebration, we heard a chorus of criticism from the proponents of GDPR.
Articles like this further fueled suspicion, stating that Chinese companies no longer share shipping data with the Universal Automatic Identification System (AIS), used as an anti-collision system for sea-going vessels. And they all blame PIPL.
So, where does that leave the chief data officers and chief digital officers (CDOs)?
Let the mind wars begin
The first thing CDOs need to understand is that PIPL is no GDPR. It was never meant to be one either.
“There's a lot of misperception and misunderstanding,” admits Carolyn Bigg, partner at law firm DLA Piper.
She noted that many people from outside China seem to be looking at the PIPL and saying, ‘Oh, it's China's GDPR, it looks just like GDPR.’ “The reality is that this is not China's GDPR. This is a data privacy law that is very much aimed at China.”
That’s a big difference.
Bigg explains that China rolled out two laws around the same time. The first was the data security law, and the second was PIPL.
“Both of them form part of a much bigger framework of data and cyber laws in China. What's really important to know is that these are not going to replace existing provisions; they are adding to and clarifying the existing laws and regulations that are already there,” says Bigg.
This is good news for CDOs and the chief privacy officers dealing with the mind-boggling array of privacy requirements across China’s laws. For the many internet companies operating in the grey zone regarding personal data protection, the PIPL clarifies what is legal.
PIPL is also built with the Chinese government's interpretation of data privacy. While it is true that the country censors and surveils its citizens a lot, the people in Asia do not necessarily subscribe to the European outlook of privacy.
In Europe, GDPR is built on a concept of a fundamental right to private life. In the U.S., the CCPA and CPRA “are very much built around the fear of some of the big technology platforms and what they do. That's their focus,” Bigg explains.
“Whereas in Asia Pacific, including China, we have much more pragmatic consumers who are more open to their data being collected and used if it provides convenience,” she adds.
The broader data picture
When it comes to cross-border data sharing, PIPL takes a different tack from GDPR.
“The law is designed to help encourage free flows of data around the world within this framework, which is a very different message to the message coming out from the European authorities and courts that actually wants to essentially restrict flows of data around the world because of data privacy,” says Bigg.
The approach aligns with China’s ambition to become a leading international center of data analytics, AI, and related technologies. To be one, it needs to share data.
This is great for CDOs, especially those working with emerging technologies in the Greater Bay Area. With consumers and part of their business undoubtedly operating in Chinese jurisdictions, PIPL offers a more straightforward “three-step” approach on how companies can transfer most types of personal data outside of China, says Bigg.
Personal information handlers (or processors), similar to GDPR controllers, can use four mechanisms to transfer personal information out of China. They need to pass a security assessment by the Cyberspace Administration of China (CAC), undergo a personal information certification by a CAC professional body, enter a standardized contract created by CAC between the data exporter and importer, or comply with the conditions provided in other laws and regulations or by the CAC.
But PIPL is no panacea
While PIPL clarifies existing privacy measures, it does not remove all the uncertainties. Bigg points out that these areas impact online businesses and operators of online platforms, especially for e-commerce. It is also the area the current Chinese administration is scrutinizing.
“That's because there have been some separate measures around whether or not certain online shopping transaction data has to stay in China. And there are some provisions in the PIPL talking about certain platform operators and complex businesses needing to take additional compliance steps. Definitely, if you are in that space, you need to monitor developments,” she advises.
She also notes uncertainty regarding consent, which is how companies in China (and by extension Asia) collect, use, dispose and process data.
“And historically, up till now, you've always needed to get expressed consent, which is a positive affirmation,” explains Bigg.
PIPL introduces the concept of separate consent. “It doesn't clarify what that means. To us, it feels like this is going to involve some form of unbundling of consent language in China. So we await guidance on that as well,” she says.
Cutting through the politicization
Unfortunately, the continuing fear-mongering around PIPL is muddying the law's intent. Some warn that it may give the Chinese government more authority to analyze personal data, while others feel it is meant to gain concessions from foreign companies.
In a Wired article, Omer Tene, a partner at law firm Goodwin, argued that the “Chinese privacy law is closely aligned with, and I would say grounded in national security.”
Yet, for CDOs, the politicization of PIPL does not help. Knowing what can and cannot be done, the guard rails, and the proper processes needed when working on China-sourced personal data does.
Besides, PIPL is not just for foreign companies. It also helps local companies with the clarity to deploy the right processes. The resulting data privacy discipline will help them work with foreign partners efficiently.
However, the story of PIPL is not over yet. In China, laws are drafted as high-level principles. The detailed compliance steps that you need to take will be outlined in the guidance, and it remains to be seen how these will be interpreted.
“And that will come over the next few months,” says Bigg. Oh yeah, so will another round of fear-mongering as well.
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse.