Chinese leaders are expected to vote on a Data Security Law early next year. Last month at The Diplomat, Marcel Green wrote about the broad intentions and implications of the draft law for Chinese citizens:
[…] While the Chinese government has taken significant steps to ensure the security of military and national security efforts, prior to last July it had shown less interest in protecting the consumer and personal data of Chinese citizens. Consumer and personal data security, at that time, was largely obtained or implemented by (1) a patchwork of federal, provincial, and local regulations that were inconsistently applied, and/or (2) the data security policies, provisions, and good intentions of individual organizations. In such an environment of dueling policies, or no policies at all, it is not surprising to find a number of domestic and international ventures in China are operating in a manner where data security is not a priority.
The Draft Data Security Law will finally upgrade the protection of consumer and personal data to the comparable level of importance afforded to military and national data. That is, ostensibly, once the law is passed, citizens will have legal recourse when their consumer or personal data is stolen, misused, or otherwise corrupted. To accomplish this, the law will impose control and order on the consumer and personal data market to an extent never before experienced. [Source]
A law strengthening data security for Chinese citizens may come as a surprise for some observers alongside China’s extensive efforts to establish a network of surveillance across the country through sophisticated and repressive technologies—most significantly in Xinjiang, which has been described as a “laboratory” for such surveillance practices. In recent months, India and the United States have cited data privacy concerns while retaliating against Chinese tech firms by banning or threatening specific apps. But, as Karen Hao reported for the MIT Technology Review in August, domestic demand for greater privacy protections has grown in recent years amid rising instances of identity theft and the mismanagement of user data:
In the West, it’s widely believed that neither the Chinese government nor Chinese people care about privacy. US tech giants wield this supposed indifference to argue that onerous privacy laws would put them at a competitive disadvantage to Chinese firms. In his 2018 Senate testimony after the Cambridge Analytica scandal, Facebook’s CEO, Mark Zuckerberg, urged regulators not to clamp down too hard on technologies like face recognition. “We still need to make it so that American companies can innovate in those areas,” he said, “or else we’re going to fall behind Chinese competitors and others around the world.”
In reality, this picture of Chinese attitudes to privacy is out of date. Over the last few years the Chinese government, seeking to strengthen consumers’ trust and participation in the digital economy, has begun to implement privacy protections that in many respects resemble those in America and Europe today. [Source]
What is significant about the draft law’s approach to data security is that it seeks to draw a distinction between data collection by companies and private entities, and data collection and surveillance by state actors. In an accompanying August podcast for the MIT Technology Review, Karen Hao discussed the appeal of this “third model” of data security for countries looking to straddle the line between consumer data protection and state surveillance:
[…] it’s not just about Chinese tech companies. The way that data privacy legislation develops around the world is very much connected. When the EU released GDPR, China was not the only one watching. There were a number of countries around the world that started adopting very similar models, Brazil, for example. China’s data privacy law is going to have a very similar impact.
They’re essentially proposing a new model to the world of how countries can have strong consumer protections without limiting state surveillance. And I think that’s going to be a very persuasive and appealing proposition to a lot of countries around the world. [Source]
At least two clauses of the draft law (Articles 2 and 24) have drawn particular global concern for their extraterritoriality. As translated by New America:
Article 2: This Law is applicable to the conduct of data activities within the mainland territory of the People’s Republic of China.
Where organizations or individuals outside of the mainland territory of the People’s Republic of China engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations of the People’s Republic of China, legal liability will be investigated according to the law.
[…] Article 24: For any country or region that adopts discriminatory prohibitions, limitations or other such measures toward the People’s Republic of China with respect to investment or trade related to data, data development and use, or technology, the People’s Republic of China may, according to the actual circumstances, adopt corresponding measures toward that country or region. [Source]
As Allison Lapehn wrote for SupChina, these articles vastly extend China’s jurisdiction over digital companies, presenting a challenge for businesses operating beyond the country’s borders:
What makes data and cyber laws so difficult to implement is that they often have extraterritorial applications. Digitization and big data changed international law by introducing a new challenge: regulation of a borderless entity. When the GDPR was instituted, many businesses in the U.S. decried the extraterritorial reach of the legislation. The law impacted any entity that uses the personal data of EU citizens, which includes many U.S. companies active in the EU.
However, China’s DSL does more than just emphasize the protection of data subjects and their privacy. In fact, the Cybersecurity Law of 2017 and the subsequent Personal Information De-identification Guidelines focused much more on privacy and anonymity than the proposed DSL. The draft Data Security Law focuses more on protecting China from individuals or governments wishing to do it harm. [Source]
The Data Security Law is not the first Chinese law to draw fire this year for its extraterritorial jurisdiction. In June, the draft Hong Kong National Security Law (which became law on July 1) shocked observers when it declared global jurisdiction. That law may also have had implications for data security—some activists and legal experts have expressed concerns that the NSL may have compromised the security of data stored on large foreign technology companies’ platforms.
At the Financial Times last month, Gideon Rachman warned about the broad implications of China’s growing willingness to flex the reach of its domestic laws overseas:
Welcome to the world of extraterritoriality. The US and China are increasingly seeking to extend the reach of their domestic law overseas — compelling foreign companies and people to do the bidding of Washington or Beijing. The rise of extraterritoriality is the latest sign of the sad decline of our old friend, the rules-based international order, under which big powers at least pretended to play by the same rules as everybody else.
In the extraterritorial world, there is one set of rules for superpowers and another for everybody else. This looks less like the 21st century, as imagined by international lawyers and more like the 19th century, in which imperial powers imposed their will on others. […] [Source]
Read more about growing public concerns over data security in China, via CDT.
Correction: The draft Data Security Law will not be reviewed at this month’s NPC Standing Committee meeting, as was earlier indicated in this post. Thank you to NPC Observer for pointing out our error.