The new data protection law: what is changing in China

China, which is fully integrated into the global technological landscape, updated its Data security law and Cyber-security law in 2017 and is now focusing on its data protection system. Just last August, on the 20th, the Standing Committee of the National People’s Congress approved the PIPL, the Personal Information Protection Law.

This new privacy law will come into effect on November 1st and it will aim to reduce data collection from citizens. Furthermore, drawing inspiration from the European GDPR (General Data Protection Regulation; EU 2016/679), it will also seek to protect them more against companies.

The PIPL consists of 70 articles whose main themes are transparency, fairness, data accuracy, accountability, purpose limitation, minimization and limited retention. It affects both Chinese companies and entities that direct their business out of China while interfacing with the Chinese data protection system.


What is changing in China?

Chinese companies should face changes imposed by the new data protection law, such as:
– consent, which should be as transparent as possible to express the true will of citizens;
– the limitation of protection only for the fulfillment of purposes. Moreover, they will have to delete information once the legal basis for its use and storage no longer exists;
– the right of access;
– hiring of a data controller.

These laws, however, do not include the right to data portability, which would prevent users from encrypted transmission of their data to the final companies. The reason for this is linked to the impact that this would have on the power of China’s most powerful platforms.

Of course, there is no shortage of penalties for those who will not comply with the new law. In fact, at the moment, substantial fines of 5% of annual turnover are expected, but also the suspension or closure of the business license, depending on the seriousness of the transgression.


The consequences for Chinese big tech companies

On the tech landscape, Chinese companies, such as Alibaba, Tencent, or Didi, will face a completely new management of their businesses. In fact, they know they have to adapt their way of dealing with users and their standards to the new law in the shortest possible time.

Also, on the international level, it seems that the law brings changes for foreign companies active in China: probably they won’t be able to exchange information about their users’ profiles if their headquarters are located on territory other than China without first obtaining approval from the Chinese authorities. That’s because outside of China the same standards on data protection are more flexible.

Such approval should be required also for citizens’ personal data when transferring them to foreign courts or law enforcement agencies. The consequences, in this case, consist of sanctions and inclusion on an ad hoc list.



The effects of the data protection law for Italian companies

According to the first information that has emerged, although the law entails adapting to the new regulations, Italian companies whose online sales and communication management take place on Chinese marketplaces and social networks should rest easy: the data policy updates fall on Chinese tech companies. The biggest changes, in Italy, should instead affect companies that are used to managing such data themselves.

In the case of proprietary e-commerce, for example, companies will necessarily have to comply with the new legislation introducing PIPL. At the moment, it seems that foreign companies in China – including Italian ones – will have to be in possession of specific documents, which may be requested by Chinese authorities in case of controls. In particular, they will have to be able to prove that customer and contact data were collected with the users’ consent.

In addition, if the company doesn’t have an office in China, it should hire a corporate representative present there, a role that will likely be assigned to local partners. Although it is not yet clear, companies will also have to comply with new rules regarding data transfer to foreign countries – e.g., a company’s headquarters. Users should be guaranteed maximum transparency and information about how their data will be processed and for what purpose.

So, we have to wait until November 1st to understand what the real consequences will be for companies that want to develop business in China. In any case, to avoid ending up on a blacklist, companies will have to make sure they comply with the new regulations introduced by PIPL as soon as possible.