Regulation of cyberspace and the ability to access personal user data is a global, sweeping phenomenon that is undergoing immense change. Countries and societies around the world have had to confront questions such as: What is private? What is sacred? What rights do individuals have to privacy? Where should the ability of corporations to access personal user information begin and end?
There is no overarching data protection law in the United States. Europe has instituted the G.D.P.R., which restricts what information can be collected and stored. And now China has entered the mix with what purports to be a significant, stringent set of personal privacy regulations that is influenced by G.D.P.R. but has its own distinctive framework: the Personal Information Protection Law, or PIPL.
Data Security and Cybersecurity Law in China
Going into effect November 1st, the PIPL is a sweeping set of requirements that acts in conjunction with China's new “Data Security Law” and “Cybersecurity Law”. Among many other rules, it requires that any cross-border data transfers be submitted to the Chinese “Cyberspace Administration”. It requires consent when obtaining sensitive biometric information, including through facial recognition software. It requires the suspension or termination of services for apps that illegally process personal data, with violations of the law resulting in fines ranging from $7.7 million to up to 5% of the previous year's business revenue.
Still there is little way to “watch the watchmen”
Even though it is described in terms of personal privacy, according to Yale Law Professor Paul Tsai, there is little to indicate "anything resembling legal limits on government surveillance. ... Chinese civil society still has very limited means of 'watching the watchmen.'"
Be that as it may, the regulations are sweeping and companies will need to be prepared. To quote IAPP VP Omer Tene, "If you're doing business in China…get legal advice. They're not playing around."