China’s data protection laws are designed to keep the country’s tech giants in check

GUANGZHOU, China – China wants to tighten the rules for how the personal data of its citizens is collected, while further curbing the power of technology giants like Alibaba and Tencent.

A strong data framework could help countries define what the next-generation internet looks like, one expert said, pointing out that it could become a geopolitical issue as China seeks to challenge the US in the technological field.

But the move has also sparked debate as to whether those same rules will apply to one of the country’s largest data processors – the government.

Last year, Beijing published the draft of the Personal Information Protection Act (PIPL), which set out for the first time a comprehensive set of data collection and protection rules. Previously, various pieces of legislation regulated data.

It is seen as part of a larger effort to rein in the power of Chinese technology giants, who have been able to grow unimpeded in recent years due to the vast collection of data to train algorithms and build products, experts said.

In February, China enacted revised antitrust rules for so-called “platform economy” companies, which is a broad term for Internet companies operating a variety of services from e-commerce to food delivery.

“The government wants to keep some … of those technology giants in check,” Rachel Li, a Beijing-based partner at the Zhong Lun Law Firm, told CNBC over the phone. “This legislation … goes along with other efforts, such as antitrust.”

Globally, there is a push toward more robust rules to protect consumer data and privacy as technology services continue to expand.

In 2018, the historic General Data Protection Regulation of the European Union came into effect. The GDPR, or GDPR for short, gives citizens in the block more control over their data and allows authorities to fine companies that fail to comply with the rules. The US has yet to enact a nationwide data protection law, such as Europe.

Now China is trying to do something similar.

“After years of Chinese internet companies developing business models around Chinese people’s lack of privacy awareness, users are becoming increasingly informed and angry at companies misusing their personal information,” said Winston Ma, assistant professor at the US. New York University School of Law, told CNBC via email.

China’s Personal Data Protection Act applies to the citizens of the country and to companies and individuals who handle their data.

Here are the main parts of the law:

• Data collectors must obtain user consent to collect information and users have the right to withdraw that consent;
• Companies that process the data cannot refuse to provide services to users who do not consent to the collection of their data – unless that data is necessary for the provision of that product or service;
• Strict requirements and rules for transferring data of Chinese citizens abroad, including obtaining government consent;
• Individuals can request their personal data held by a data processor;
• Any company or person that breaks the rules can be fined no more than 50 million yuan ($ 7.6 million), or 5% of its annual revenue. They could also be forced to shut down some of their business.

But there are signs that the research could broaden. Reuters reported last month that Pony Ma, founder of gaming giant Tencent, met with antitrust watchdog officials to discuss his company’s compliance. Tencent owns WeChat, a social networking app that is ubiquitous in China.

NYU’s Ma noted that the data protection law will take a “balanced approach to the relationship between individual users and Internet platforms”. But combined with other regulations, it could slow the growth of technology giants, he said.

“Overall, the era of ‘exponential growth in the wilderness’ for the expansion of Chinese technology companies is over, both domestically and abroad,” he said.

Li added that some companies could be forced to change their business models.

Experts previously told CNBC that China’s push to regulate its Internet sector is part of its ambition to become a technology superpower as tensions between Beijing and Washington persist. Data protection regulations are part of this push.

“The cyberspace and digital economy remain largely undefined, the data law framework has become a geopolitical factor,” said NYU’s Ma. “Whatever country can lead the way in achieving breakthroughs in legislation or its development model, it can be a model for the next generation Internet.”

Ma said that if there is a digital economy version of World Trade Organization rules, countries with strong data laws could have “leadership.” The WTO is a group of 164 member states whose aim is to create rules around world trade.

“That’s why more and more people are talking about what the Chinese model is.”

China’s data protection law contains a section on government agencies that process information.

In theory, the state should adhere to similar principles around data collection as a private company – but there is debate as to whether that is the case.

“We often think of the PIPL in terms of applications for Alibaba or Tencent, but we forget that the Chinese government agencies are the country’s largest data processors,” said Kendra Schaefer, a partner at Trivium China, a research firm based in Beijing.

“There is a lively debate in the Chinese legal and academic communities about how the PIPL should be applied to administrative activities,” she said. “A specific problem is that the PIPL gives individuals the right to give informed consent when their data is collected, but this could conflict with, for example, police investigations by law enforcement officials.”

“What’s interesting is that a national conversation is starting on what the Chinese government can or cannot do with citizen data and how the law should define the state’s obligations,” Schaefer added.