China’s User Data Storage Regulation: Potential MSSP, MSP Compliance Implications
China’s ruling party has passed a new law restricting how its tech giants gather, store, use and handle data collected on individuals, according to Xinhua, the state-run media outlet (via Reuters), expanding its tightening regulation of cyberspace and internet industries.
The measure, called the Personal Information Protection Law (PIPL), requires technology makers, particularly app developers, to let users decide how their personal information is sold, used and leveraged for marketing purposes based on personal preferences and other behaviors, the report said. The PIPL also requires data aggregators to obtain an individual’s consent to process personal private information, such as biometrics, medical records, financial information and location data. It additionally limits the storing of personal information to the “minimum scope necessary.”
Potential MSSP and MSP Implications: Similar to GDPR?
Why should MSSPs and MSPs care about this? In some respects, the Chinese law mimics parts of the European Union’s (EU) General Data Protection Regulation (GDPR), which also safeguards individuals’ personal information and carries stringent penalties for those that do not comply. MSSPs and MSPs working with companies in the 28-member EU are already versed in adhering to GDPR requirements.
Similar to the GDPR, the Chinese regulation expands beyond China’s borders. Any company based outside its borders but doing business locally must adhere to the law, including reporting to state agencies.
The glaring difference is that the GDPR makes no connection to governments collecting personal data for their own purposes. By comparison, Chinese government officials placed no such limitations on the state’s extensive machinery to surveil the movements and behavior of its own citizens, although, according to the Reuters report, state agencies were mentioned in earlier drafts of the PIPL.
The PIPL bookends with data privacy regulations the Chinese government announced in March 2021 that confine the personal data mobile app makers can obtain from users to “necessary” information that allows the app to operate. Users can decline to provide any other personal information and still be able to use the basic functions and services of certain apps without obstruction. That regulation, which covers the basic functions and services for 39 app categories, including messaging, online shopping, payments, ride hailing, short video, live stream and mobile games, became effective on May 1, the report said. It was jointly sanctioned by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Public Security Bureau and the State Administration for Market Regulation, the South China Morning Post reported at the time.
A Data Security Law, which goes into effect on September 1, establishes rules for companies to classify data based on economic value and importance to China’s national security, Reuters reported.
“The message from the government to internet platform businesses is clear: Future growth will only be possible within the limits of what is good for the Chinese nation, which in turn is defined by the Chinese Communist Party,” Rebecca Arcesati, an analyst at the Mercator Institute for China Studies, told the Associated Press. China wants its tech companies to profit from the digitization of public services and not clicks, she said.