Privacy Law Will Help China Flex Muscles on Digital Trade

“[Chinese lawmakers] make it no secret that they intend to be a player in this space,” said Omer Tene, chief knowledge officer at the International Association of Privacy Professionals.

The PIPL’s framework is generally similar to that of the European Union’s General Data Protection Regulation, privacy experts say. Both require firms to justify their data collection and provide consumers the right to access or delete their information.

But the Chinese law’s approach to how companies transfer data internationally is more restrictive than the GDPR in certain ways, said David Hale, a shareholder at law firm Brownstein Hyatt Farber Schreck LLP.

“I would be looking at what types of export approval I need to get if I am processing information outside of China,” said Mr. Hale, the former chief privacy officer of brokerage TD Ameritrade.

Tech firms such as Microsoft Corp. and Apple Inc. in recent years increasingly have stored customer data inside China as the Chinese market expanded and the government began unveiling a web of data-security rules. The new privacy statute could push more firms to follow suit after it comes into force on Nov. 1, Mr. Hale said.

Companies that wish to transfer information internationally will have to use state-approved contracts, receive certification of data practices by a state-approved body or undergo a security review by Chinese cyber regulators, said Barbara Li, head of corporate at the Rui Bai Law Firm in Beijing.

Firms deemed to be “critical information infrastructure operators,” along with businesses that handle large amounts of user data, generally are required to store data inside China, Ms. Li said. The GDPR has no such explicit data-localization requirements, which privacy experts say aim to prevent foreign surveillance and allow local authorities greater access to data.

Beijing this month released separate rules giving the state power to define businesses as critical in sectors such as technology, telecommunications and finance based on company networks’ importance to the overall sector or potential damage of a hack. Still, it is unclear what the precise criteria are for getting that designation and, in turn, facing greater potential penalties under the law, said Gabriela Zanfir-Fortuna, director of global privacy at the Future of Privacy Forum, a think tank.

The cybersecurity review of ride-hailing giant Didi Global Inc. , during which the state forced app stores to remove Didi products, suggests Beijing may interpret the category broadly, Dr. Zanfir-Fortuna said. Beijing last month sent regulators including security officials and police to the company’s offices to conduct the investigation.

“We don’t tend to look at ride-hailing companies as being such a critical information company,” she said. “This shows us either that it’s arbitrary how this category is thought of, or that, indeed, the Chinese government thinks Didi has some extraordinarily sensitive data.”

Didi didn’t respond to a request for comment.

The Chinese law opens the door for Beijing to strike international deals that enable some data flows, according to a translation by the DigiChina Project, a tech policy center at Stanford University. But unlike the GDPR, which gives power to the European Commission to evaluate other countries’ privacy protections, the Chinese statute doesn’t detail a similar process for establishing that other foreign safeguards meet local standards.

That approach gives the Chinese state more latitude in the long term to negotiate agreements with other governments, said Paul McKenzie, managing partner of the law firm Morrison Foerster’s Shanghai and Beijing offices.

As for countries that curb data flows into China in the name of privacy, the law says, Beijing could reciprocate with digital trade restrictions of its own.

Write to David Uberti at [email protected]