China drafted its new privacy legislation, in part, after the European GDPR, in order to better compete against American companies. Modeled primarily after the European Union’s General Data Protection Regulation, the Personal Information Protection Law of the People’s Republic of China (PIPL) is China’s first national data privacy statute, and it comes with accompanying regulations. This is a major milestone because China’s government is the largest collector of digital information in the world, and China’s military and law enforcement have access to virtually every piece of data that passes through Chinese data servers and data centers, private or not. As noted in our Conversations in Cybersecurity, there is a problem with Chinese applications because the Chinese legal system offers little protection to individuals. Does the PIPL solve for this concern? The answer is no.
Notably, China’s new sweeping data privacy law does not provide its people with adequate protections against law enforcement and does not provide adequate protections against government agencies amassing large amounts of data about their people. To be fair, none of the consumer privacy protections in California, or in Europe, apply to military, government, or law enforcement uses either; and there is little protecting American businesses from government demands for consumer data. But unlike China, the United States and Europe have robust protections against law enforcement use of evidence, and constitutional rights to due process. These legal protections limit how the government can use information against citizens. Indeed, in Europe and in America, there is continued debate regarding the boundaries of government surveillance, and strict transparency requirements for government agencies.
Yet another key distinction is that when American or European companies collect data in private enterprise, it is often just for the purposes of advertising or shared service enablement. But countries like China utilize collected data for counterintelligence, espionage, policing, and national security purposes.
Given the fact that China is famously recognized as a surveillance state, why would China pass its own set of data protection standards? Aside from positioning itself as a rising global regulator, a closer look reveals that the PIPL creates competitive advantages for companies in China while stifling competition and making compliance more difficult for foreign businesses, particularly American businesses. It makes sense, then, that PIPL was modeled after the GDPR because even the GDPR was enacted, in part, to slow American technological competitiveness.
One of the policies behind the EU’s proposals to regulate AI is a recognition that Europe’s innovation economy has not kept up with the rapid pace of American and Asian technological development. In the past ten years, some of the most successful billionaires in Europe made their fortune by cloning American tech companies abroad, often with the hope of being acquired by the companies they emulate.
Considering this, China has begun to build the necessary processes and systems that will allow it to act as the world’s most influential digital regulator. Following the example set by the European Union to use privacy as a means of stifling American competition, China has now joined the global stage as one of the most important data regulators and has drafted its law and regulations in a way that weighs against foreign technology companies, and in favor of Chinese ones. What this means for a changing globalized future is yet to be seen.