China's New Data Privacy Law Doesn't Protect People Against the Biggest Threat: The Government
The law just addresses use of individuals' data by private companies, carving out exceptions for government harvesting of data.
Over the last few years, China has established thousands of checkpoints in its western provinces, designed to surveil the ethnic minorities who must scan their IDs (and faces) regularly so their every movement can be tracked. China now also apparently cares very deeply about protecting citizens' data, this week passing a strict new privacy law designed to protect consumers from data collection by large tech companies.
Casting aside for a moment the jarring incongruity of a government fixating on data collection by big tech companies while ignoring its own authoritarian trampling on citizens' privacy rights, it's worth noting that the law, called the Personal Information Protection Law (PIPL), necessarily weakens big tech companies, forcing onerous regulations that they will now have to comply with.
While many observers have drawn comparisons between PIPL and Europe's General Data Protection Regulation (GDPR), the benefit to consumers may be a mixed bag if GDPR is any example. Europe's consent-based frameworks (where most consumers just read through yet another set of mumbo-jumbo legalese disclosures before robotically clicking "agree") sometimes fail to provide enhanced data privacy. Amusingly with GDPR, "a company that lacks the consent for their current data practices could also lack the consent to email people to gain their consent," Andrea O'Sullivan wrote for Reason back in 2018.
Still, limiting what data companies may collect and what said companies can do with the data once collected could feasibly be a boon to consumers—although China's law predictably contains large carveouts for the government to violate people's privacy for ill-defined national security purposes. PIPL—which is quite popular among Chinese consumers, who, like their Western counterparts, are in the throes of a nascent techlash moment—prohibits excessive collection of consumer data; requires that sensitive information be stored in China; requires that facial recognition surveillance tech be explicitly marked as such; and fines companies that violate the new law.
"The privacy rules threaten to severely curtail a raft of online commerce services that rely on personalized data to target consumers and peddle their wares," reports Bloomberg. "Drafts of the latest personal data law would tighten rules on user profiles that companies keep and the recommendations that apps can make."
This all comes against the backdrop of a regulatory crackdown on companies that list overseas, as well as allegations that the Uber equivalent DiDi has been mishandling customer data. China has also sabotaged domestic initial public offerings, threatened the online tutoring software sector, and foisted new onerous regulations on popular messaging platforms like WeChat.
"The vast majority of people in China don't expect to ever be part of police investigations, but they do expect to conduct most of their life through online services," so it provides useful protection for them, says Jeremy Daum, senior research fellow at the Yale Law School Paul Tsai China Center.
"I hope to see some initial citizen lawsuits to protect their own rights," says Daum. There have been "lawsuits about the use of facial recognition technology already, and the highest court recently issued detailed guidelines for when such suits should succeed. We might start to see them for collection or use of personal information beyond the minimum necessary to provide services, or for denials of service due to refusal to consent to such collection."
Of course, as I've noted before, China's emerging data protections are largely BETWEEN PRIVATE ACTORS including corporations, and the government still has great access to personal information.
— China Law Translate (@ChinaLawTransl8) August 20, 2021
The law, which takes effect November 1, has big implications for multinational companies operating in China, as it will probably force them to direct a lot of time and attention to compliance.
But the upshot is almost too obvious to need stating: Protection of consumer data, while fine and good, means nothing if there's no true rule of law binding governments to privacy-protecting standards as well. If your country of 1.4 billion does a decent job protecting the rights of ethnic Han Chinese who support the Communist Party, well, bully for you. That leaves some 25 million people living in Xinjiang province—roughly half of whom are Uyghur—as well as other ethnic minorities scattered throughout the country, who are denied even basic privacy protections and due process, whose every step remains surveilled by an enormous government apparatus designed to capture and interrogate people if they engage in such milquetoast activities as refueling someone else's car with gas or refraining from using the front door of their own home. And that's assuming they're not one of the roughly 1.5 million who are denied basic freedom of movement by nature of being forced to live in internment camps.
Privacy protections for consumers are important, but it's the state, with its monopoly on force, that remains the most threatening potential privacy-violator of all.