China’s GDPR-inspired data privacy law is now in effect
China has quietly released the final version of a new data privacy standard that goes even further than the European General Data Protection Regulation (GDPR) and places EU and Chinese data legislation on a far more level footing than American data law.
That is according to Samm Sacks, senior fellow for the technology policy programme at thinktank CSIS. Speaking at the Cloudflare Internet Summit in London, Sacks was uniquely privy to conversations with the lead behind the draft Chinese privacy law.
China’s Internet Security Law had been in the making since at least 2014, when CPC president Xi Jinping was appointed head of the Central Leading Group for Cyberspace Affairs. This was when ‘maintain cybersecurity’ was first officially written into Chinese legislation. The cybersecurity law came into effect in June 2017, covering everything from critical infrastructure through to data governance.
Sacks opened her talk, moderated by Cloudflare chief revenue officer Chris Merritt, by dispelling some common misconceptions about the way the internet works in China, referring to two almost paradoxical ‘tracks’ that observers should keep in mind.
Firstly, yes, China does have the most sophisticated and far-reaching censorship system in the world. Secondly, the digital economy in China is also one of the most advanced in the world.
To an outsider it might seem like introducing extremely strict privacy rules could be contradictory (and to some extent they are), but Sacks said that “one is about what companies are able to do, and the other is about what the government can do”.
“The government recognised that their ability to control and monitor these new technologies was falling behind, so they’ve put in place what I think is one of the most comprehensive regulatory legal systems in the world on cyberspace,” Sacks said. “Further ahead than in any other place in the world, in terms of how you regulate digital content, what they call critical information infrastructure, and controls on what kind of data can float in and out of the country.”
She added that there is a “misconception” that data privacy awareness does not exist in China. Even in the past year, there had been outcries on Chinese social media where citizens were concerned their data was being mined illegitimately by private companies and sold on the black market.
“There have been a number of scandals, so at the end of last year China issued their first data protection standard,” she explained. “It spells out very granular rules around what is consent: the conditions upon which companies can collect, process, store, share or transfer your personal data.”
Going further, Sacks says that the Chinese legislation was in fact inspired by GDPR. “I’ve been in conversations with the lead drafter of this standard to try to understand the intentions behind it. Believe it or not, he modelled it after GDPR, and there was an effort made to strengthen Chinese users’ control over their information,” she said.
Every IT manager in Europe will be aware of GDPR, but the wide-reaching data privacy rules were also felt in China. Sacks said that some Chinese companies were “really freaked out” by the regulation, and said that a day before it took effect there were businesses in the country “scrambling” to see how they could comply.
“I heard one company say: ‘wait, do we now need to get consent from all of our users on our privacy policies?’ These are companies that are also expanding into Europe – how are they going to be compliant? I don’t know if that’s even possible.”
Alibaba Cloud’s general manager for the EMEA region recently outlined how that company plans to aggressively expand in Europe – challenging the cloud heavyweights.
Yeming Wang described the enormous scale at which Alibaba operates in China, processing 360,000 transactions per second during ‘Singles Day’, which is the equivalent of Black Friday in China – and supporting fintech app Ant Financial’s more than 500 million users.
The aspirations of businesses like Alibaba and Tencent to perform competitively outside of their domestic market are clear as day. Just recently, Alipay announced it is expanding into 20 new European markets in 2018.
But there is an ongoing “dance” between these private businesses and the Chinese government in terms of how well they will be able to perform at home and abroad, said Sacks.
“I’ve had conversations with Alibaba and Tencent, and anecdotally what I’ve heard is, you’re inside a relatively closed ecosystem in China – think about that cyber policy model we talked about before – how does that translate to global markets?
“We know companies like Alibaba are looking at Europe, they’re looking at Asia, it’s going to be a hard nut to crack. At the same time, you have the Chinese government – Xi Jinping gave a speech in April talking about his vision for cyber space, and again he reiterated the point about the need to have big and strong Chinese internet companies. In a previous speech he mentioned specifically Alibaba, Tencent and Huawei. This is part of the global aspiration.
“I think there’s a dance that goes on with these companies and the Chinese government, sometimes there’s a perception they’re one and the same. [Alibaba founder] Jack Ma has this great quote describing his relationship with Beijing: he said ‘just because you love somebody doesn’t mean you should marry them’.”
These are companies, Sacks added, whose success is “only possible” with the support of the Chinese government. But at the same time, they are private companies funded by private investor money.
“I think their ability to be successful globally is only possible if they can keep the government just out of their way,” she said. “If we think about things like the cyber security law – very strict regulatory tools on companies – Alibaba is going to be the one on the front lines when you’re controlling the ability to send data across borders.
“Alibaba is trying to expand aggressively in Europe and Asia, how are they going to do that if they can’t send data outside of China? There’s a dance we have to keep in mind.”
China’s ascendancy to global superpower status could offer a competing model for what the Internet itself looks like. Traditionally in the west there has been the veneer of an open and democratic model (albeit with surreptitious spying without the users’ knowledge, as the 2013 Edward Snowden leaks confirmed, and the end of net neutrality in America).
But countries that are on the periphery of American influence could increasingly look to China for inspiration on infrastructure and internet access management, as an article by Sacks in the coming days will argue.
Vietnam recently codified its cyber security law, closely resembling the Chinese model. Tanzania, meanwhile, has had a close working relationship with Chinese cyber officials to develop its own approach to the digital economy, ranging from censorship tools to data localisation and introducing standards.
“I think for the first time we have a real alternative competitive model for the internet,” Sacks said. “China, in countries they’re investing in, these countries are also beginning to take lessons from Beijing’s playbook about how do you govern the Internet.
“There’s an innate appeal to many countries to the China cyber policy model – the internet can be used as a weapon against people’s own citizens, think about hate speech, the use of social media to galvanise genocide in places like Myanmar. So for countries like this, I think there is maybe an appeal to the way Beijing is going about it.”
“I don’t want to overstate this: I don’t think there’s a master plan by the Chinese government to go and confront the western-led internet model,” Sacks added. “I think sometimes countries are doing it on their own, and saying these tools have an innate appeal. Sometimes, like in the Tanzania case, there is more direct engagement and influence to try to spread that model.”
IDG News Service