1) I've not heard much analysis on the new Personal Information Protection Law draft in China. This is pretty major since it borrows from the EU's GDPR (aka fines) and will have a major impact on Chinese tech and beyond. Overview of the draft below and some emerging thoughts. Thread...
2) Draft was released to the public on Oct. 20th 2020. It's the most comprehensive legislation on personal data to date in China. Additionally, the law will provide protection of personal information of PRC residents processed outside of mainland China.
3) Under PIPL a data processor may process personal data based on:
-consent of the data subject
-the necessity of executing or performing a contract
-the necessity of performing a legal obligation or legal duty
-a response to an emergent public health event or the necessity...
4) of protecting the safety of an individual’s life and property
- the publication of news and the supervision by public opinion for the public interest within reasonable scope
5) Separate opt-in consent is required for processing sensitive personal data, and processors will need to require parental consent if they are aware the data subject is under 14 years of age.
6) Additionally, when using automated decision-making systems or sharing personal data, separate consent as well as specific disclosure in the privacy notice is required.
7) Consumers get the right to information and explanation on the data processing, right to access and request a copy of personal data, right to correction, right to object to processing, right to withdraw consent and right to deletion.
8) The data should be held for only the 'reasonable' time scope to do the processing. That bit is quite vague but similar to what GDPR says.
9) For foreign entities who want to transfer data, they have three options
-obtaining certification issued by the organization as authorized by CAC
- signing a cross-border data transfer agreement with overseas data receiver(s)
- other mechanisms as provided by other laws
10) Serious violations, such as illegal processing of personal data or failure to adopt necessary safeguards to protect personal data, can be fined up to RMB 50m ($7.4 million) or up to 5% of the preceding year’s revenue. Not yet confirmed whether global or just in China.
11) If the GDPR experience was anything to go by, I'm not looking forward to the wave of pop-ups and notifications I'll be getting once this goes into effect.
12) This could put a dent in the data-rich AI recommendation engines that power a lot of Chinese tech. Could Ant's risk prediction engine still be useful when they are separate from Ali and only have access to masked data?
13) Data masking and compliance is going to take off in China. Though the flip side is that start-ups now have to bear the additional burden of being PIPL compliant (like in the EU).
14) Chinese consumers can go either way. I know the more sophisticated ones are already wary of their data being overused, but maybe large swaths may not care about / understand what is at stake. We'll find out.
15) This regulation is still in draft phase and can only come out next year at the earliest, so still lots of time to change. Though it's good that the first draft is relatively aggressive as a starting position.
You can follow @lillianmli.