A few reflections on China’s draft data protection law, proposed Oct 21. First off: it’s a HUGE deal. China is an economic, tech, and trade uber-superpower. Its policies have profound global impact. English translation courtesy of @NewAmerica here: https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/
The law is still in draft form and input has been solicited until next month. Expect it to pass at the next NPC March 2021.
By proposing a data protection law, China recognizes the value of *trust* in the digital economy. Cases in point: Huawei, TikTok, and Ant's jumbo IPO.
The law has the imprimatur of GDPR, but in the best Chinese fashion is incredibly succinct. At 17 pages, it’s like a work of Du Fu compared to GDPR’s Goethe.
While elegant and even understated, the law packs a muscular superpower punch. Art 43 says (warns?): “Where any country or region adopts discriminatory data protection prohibitions, limitations or similar measures against the PRC, the PRC may adopt retaliatory measures...”
Muscular punch #2: Art 12 talks of “mutual recognition of DP rules of other countries” (heads up EU: MUTUAL adequacy). It also provides, “The State vigorously participates in the formulation of international rules for data protection”. That’s correct, vigorously.
Muscular punch #3: And the law imposes strict penalties and fines, including (heads up!) stiff *personal* liability for privacy officers. Up to 1M RMB = $150K. Individually.
Muscular punch #4: Art 42 provides, “If foreign organizations or individuals process data in a way that harms the rights and interests of PRC citizens, or the national security or public interest of PRC, the CAC may put them on a list limiting or prohibiting their activity”
Muscular punch #5: Art 59(3) authorizes the data protection regulator to “Conduct on-site inspections and investigations of suspected unlawful data processing activities”.
The law doesn't set up a new data protection agency. The CAC (cyber agency) will administer it.
Fun fact: the law refers to a data controller as a “data processor”. (A processor is “a party entrusted to handling personal data”). I can only imagine the tongue-twisting discussions consolidating controller-to-processor agreements to Mandarin terms...
The law provides rights and protections against automated decision making (Art 25) and facial recognition (Art 27). This is quite striking for China, which probably deploys advanced automated decision making and FR tools more than any other country around the world.
It also places great focus on consent, more than even GDPR. Which is interesting for a country/culture as collectivist as PRC.
The law requires data localization by government entities, critical infrastructure providers and large data controllers (threshold TBD by CAC). It also has data transfer restrictions. One transfer method is prior approval by the CAC.
The law has extraterritorial effect, similar to GDPR (companies targeting Chinese consumers). Foreign companies caught by its web are required to establish an entity or appoint a representative in China, and register them with the authorities. (Art 52).
Large data controllers (threshold TBD by CAC) must appoint a privacy officer (Art 51). Not quite a DPO, but still a budding data protection profession in China. Art 50(4) also requires data protection training and education for all employees.
A lot more to come on this. Reactions welcome. And look forward to seeing China advance this important law.
You can follow @omertene.