China is expanding and strengthening its control over data collected by tech companies, including US-based companies, by enacting new laws and measures, The Wall Street Journal reported on June 12.
The Chinese government is demanding big tech companies like Tencent, Alibaba, and ByteDance to open up the data they collect from users to help the government make “objective and accurate analyses”, the report stated. These demands are driven by the belief that the government should be able to access the huge troves of data collected by tech giants and because of the worry that tech giants might create alternative power centres in the country, the report added.
Two new laws to help China on this front
The following two laws, which build on the 2017 Cybersecurity Law, “will subject almost all data-related activities to government oversight, including their collection, storage, use and transmission,” the report states:
Data Security Law: The Data Security Law, which was passed last Thursday and goes into effect on September 1, sees private-sector data classified according to its importance to the interests of the state. The vaguely worded provision will make it easier for authorities to demand data they deem essential to the state and make it harder for businesses to refuse, the report stated.
Personal Information Protection Law: The proposed Personal Information Protection Law, which was updated by China’s legislature in April, limits the types of data that private-sector firms can collect. But unlike the European Union’s data protection regulation, on which it is modelled, the Chinese version does not place any restrictions for data collection by government entities, the report stated.
China’s 14th five-year plan, the blueprint that will shape the country’s policies for the next five years, emphasizes the need for the government to strengthen control over private firms’ data, the first time a five-year plan has done so, the report stated.
Data localisation requirements for foreign firms operating in China
Foreign firms are not being spared by the Chinese government’s expanding control over data. In 2017 the Chinese government passed a data localisation law requiring companies to store personal information and important data that is collected in China within China. Although the law only applies to “critical infrastructure providers,” this is a loosely defined category that includes foreign banks and tech companies, the report stated. Since last year, the data localisation law is a prerequisite for foreign companies wanting to do business in China. Citigroup and Blackrock were only given licenses once they agreed to comply with this law, the report stated.
Tech companies like Apple and Microsoft, which generally pride themselves in safeguarding the privacy of their users, agreed to comply with the new law. Apple, in fact, agreed to comply with this law and move its Chinese customers’ data onto servers in a data centre owned and physically managed by a Chinese state-owned company. In addition to this, Apple made several other compromises in China: using different encryption technology for Chinese customer data and storing the encryption key in China, sharing customer data with Chinese authorities by making a state-owned company the legal owner of Chinese customers’ iCloud data, and proactively removing apps that might offend Chinese authorities.
US electric-car maker Tesla also agreed last month to build more data centres in China to store information generated by the vehicles it sells there, the report stated.
India too is currently working on the draft Personal Data Protection (PDP) Bill, 2019, which mandates that sensitive personal data must be mirrored in the country and that critical personal data (which will be defined in a later stage) cannot be transferred outside the country.
Centralised data storage
The Chinese banking authorities proposed new regulations last year that require fintech firms like Ant and Tencent to transmit credit statistics that they have gathered into either a centralized system run by the central bank or a credit-rating agency controlled by the state. This came after both these companies started gathering better credit statistics than the state-owned banks because of the data they could collect from users on their apps, the report stated.
China is also testing out another initiative where private-sector firms share data with authorities through a unified data centre. For example, the city of Shenzhen is building a data centre that would “centralize the storage, sharing and supervision of data collected by government entities as well as companies in finance, education, telecommunications and other areas,” the report stated. Although the specifics of this initiative are not yet known, the city government in a draft regulation said that “public data is a new type of state-owned asset, and its data rights belong to the state.”