The law just addresses use of individuals’ data by private companies, carving out exceptions for government harvesting of data.
Over the last few years, China has established thousands of checkpoints in its western provinces, designed to surveil the ethnic minorities who must scan their IDs (and faces) regularly so their every movement can be tracked. China now also apparently cares very deeply about protecting citizens’ data, this week passing a strict new privacy law designed to protect consumers from data collection by large tech companies.
Casting aside for a moment the jarring incongruity of a government fixating on data collection by big tech companies while ignoring its own authoritarian trampling on citizens’ privacy rights, it’s worth noting that the law, called the Personal Information Protection Law (PIPL), necessarily weakens big tech companies, forcing onerous regulations that they will now have to comply with.
While many observers have drawn comparisons between PIPL and Europe’s General Data Protection Regulation (GDPR), the benefit to consumers may be a mixed bag if GDPR is any example. Europe’s consent-based frameworks (where most consumers just read through yet another set of mumbo-jumbo legalese disclosures before robotically clicking “agree”) sometimes fail to provide enhanced data privacy. Amusingly with GDPR, “a company that lacks the consent for their current data practices could also lack the consent to email people to gain their consent,” Andrea O’Sullivan wrote for Reason back in 2018.
Still, limiting what data companies may collect and what said companies can do with the data once collected could feasibly be a boon to consumers—although China’s law predictably contains large carveouts for the government to violate people’s privacy for ill-defined national security purposes. PIPL—which is quite popular among Chinese consumers, who, like their Western counterparts, are in the throes of a nascent techlash moment—prohibits excessive collection of consumer data; requires that sensitive information be stored in China; requires that facial recognition surveillance tech be explicitly marked as such; and fines companies that violate the new law.
. . .
Protection of consumer data, while fine and good, means nothing if there’s no true rule of law binding governments to privacy-protecting standards as well. If your country of 1.4 billion does a decent job protecting the rights of ethnic Han Chinese who support the Communist Party, well, bully for you. That leaves some 25 million people living in Xinjiang province—roughly half of whom are Uyghur—as well as other ethnic minorities scattered throughout the country, who are denied even basic privacy protections and due process, whose every step remains surveilled by an enormous government apparatus designed to capture and interrogate people if they engage in such milquetoast activities as refueling someone else’s car with gas or refraining from using the front door of their own home. And that’s assuming they’re not one of the roughly 1.5 million who are denied basic freedom of movement by nature of being forced to live in internment camps.
Privacy protections for consumers are important, but it’s the state, with its monopoly on force, that remains the most threatening potential privacy-violator of all.
China’s New Data Privacy Law Doesn’t Protect People Against the Biggest Threat: The Government
Forward!