With the adoption of the new Personal Information Privacy Law, China has become the second major player after Europe to formulate its own rules in the industry. Not all tech companies yet understand how to comply with the new law.
The law, seen as the Chinese version of the General Data Protection Regulation (GDPR) in Europe, is a set of rules that govern the collection, use, processing, exchange and transfer of personal data by organizations. The legislative initiative aims to protect Chinese citizens from private sector entities, while government agencies retain access to personal data. In May, American business representatives sent comments to the National People’s Congress in which they protested against the vague wording in the bill, as well as the stipulated monetary fines and criminal liability. Overly prescriptive and onerous rules, according to American businessmen, will become a deterrent to innovation.
Given that the United States currently has no federal data privacy law at all, European and Chinese regulations may become defining on the world stage. Tech companies doing business in China will have to adhere to vague new rules, which can be costly. Any company whose activities involve processing data from Chinese users must undergo security checks by the relevant regulator in the PRC and appoint local representatives to resolve issues of confidentiality and risk management. Violations of the law carry fines of up to 5% of annual revenue, license revocation, and personal responsibility for management.