China's new privacy law leaves U.S. behind
While China's sweeping new data privacy laws have left tech companies confused about how to comply, they also put the U.S. even further behind in the global race to set digital standards.
What's happening: China enacted its Personal Information Privacy Law earlier this month, following Europe as the second major international player to have its own sweeping data privacy regulations.
- The law, regarded as China's version of Europe's General Data Protection Regulation, is a set of rules for how businesses can collect, use, process, share and transfer personal information. Another Chinese data regulation, the Data Security Law, went into effect Sept. 1.
- The laws aim to protect Chinese citizens from the private sector, while the Chinese government still has easy access to personal data.
- In May, influential U.S. business groups sent comments, viewed by Axios, to the National People’s Congress protesting that the draft law’s vague language, monetary penalties and criminal liabilities were harsh. They also said it would hurt innovation by being overly prescriptive and burdensome.
Why it matters: The U.S. still does not have a federal data privacy law, and China's move could allow it to set future global norms on its terms. Meanwhile, tech companies doing business in China will have to navigate the vague new rules, and that could be expensive.
- Not having a federal privacy law "impairs America's global leadership on the issue, and the fact that there is this patchwork makes it difficult to have meaningful interaction on the international stage on these issues," Martijn Rasser, senior fellow and director of the technology and national security program at the Center for a New American Security, told Axios.
The big picture: While reining in its own companies such as Alibaba and Tencent, China is making it increasingly difficult for non-Chinese companies to do business in the country. That complicates the global tech landscape, in which companies rely on sending, holding and receiving data overseas.
- "When you have power growing in China, the government ensures its supremacy is kept," said Omer Tene, chief knowledge officer at the International Association of Privacy Professionals. "In that regard, it's another piece of a very quickly accumulating puzzle of market and tech regulation in China more generally."
What they're saying: "If I were a corporate leader with major business in China, I'd frankly be quite concerned right now," said Rasser, who found the law's language vague, and said the Chinese Communist Party could make compliance difficult. "That type of uncertainty makes it challenging for business leaders."
- "The U.S. is meant to be the world geopolitical and technological leader, and it is being left behind from a policy perspective on the global stage as it relates to its view on data privacy," said Cillian Kieran, CEO of Ethyca, a company that creates developer tools for data privacy. "[The U.S.] becomes the laggard in what are acceptable rights around data usage in consumer-facing technology businesses."
Just like GDPR, China's law has broad extraterritorial reach, said Tene.
- Companies will "have to submit to a security assessment by the Chinese regulator before performing data transfers, appoint local representatives to handle privacy issues and manage exposure to steep fines and penalties, including criminal, under the law," he said.
- Companies that violate the law could be subject to fines of up to 5% of annual revenue, revocation of their licenses to do business in China and personal penalties against executives, according to a blog post by attorneys at Morgan Lewis, an international law firm.
- "There are really significant compliance requirements for any company that handles Chinese user data — and they're re-evaluating their exposure, and asking is it worth it or not," said Samm Sacks, a cyber policy fellow at the New America Foundation.
Our thought bubble, from Axios China reporter Bethany Allen-Ebrahimian: China's data law addresses a real issue, and does so in more or less legitimate ways, posing a significant concern for those who prefer a democratic data governance model. Without its own data governance framework, the U.S. is leaving open a regulatory void.