When Data Protection Is Not About Data Protection

Data protection law is not always about data protection or privacy; sometimes it is just about power. Last week I was bothered by tweets that touted a “momentous day” in data protection because China had enacted the Personal Information Protection Law (PIPL). Parts of PIPL deal with the rights to privacy and data protection, but PIPL also is about the government’s desire to assure its version of social harmony by gaining a monopoly on observation. That monopoly comes from heavily controlling what the private sector may do, creating a nexus for enforcement, and not touching the government’s massive powers to observe. In this case, the monopoly on observation amounts to surveillance. According to the dictionary, the difference between observation and surveillance is that observation is the act of observing and the fact of being observed, while surveillance is close observation of a person or a group of persons under suspicion. News articles are clear that the PIPL covers the private sector only. PIPL does nothing to rein in the state’s ability to watch and monitor people constantly and to turn the resulting raw data into social scores that may well determine the education people receive or the jobs they might hold. Now there is a law – PIPL – that controls how the private sector collects data and uses that data to create knowledge about people in China, but there is no law in China that controls how the Chinese government uses that data.

I personally have been working on privacy in China since 2005 when I began organizing a conference with a Chinese university. So why was PIPL adopted now? In looking for reference materials on PIPL and why it was enacted, the best article I found was Stephen Bartholomeusz’s opinion in “The Sydney Morning Herald” entitled “Billionaire crackdown: China’s risky new pathway to Mao’s ‘common prosperity.’” A biography on Chinese President Xi Jinping also adds context on the questions of why and why now.

The Chinese leadership has figured out the pathway to wealth and power is observed data that is translated by advanced analytics into actionable insights.  This conclusion is not new.  FTC Commissioner Rebecca Slaughter reached the same result in her paper “Algorithms and Economic Justice.”  A big difference is that the Chinese leader has the power to act on the insight and not be tempered by competing authorities.

Xi’s tenure as president has been an endless consolidation of power.  He first took on official corruption, then dissidents, and now the Chinese tech powers.  Social harmony requires the reduction of their wealth and the tempering of their power. 

PIPL has some very interesting provisions.  It requires there to be legal permission to process data, and those permissible purposes include human resources data.  However, the legal bases are narrower than those in the GDPR and very much narrower than those in the IAF model privacy legislation.  For example, knowledge creation, the creation of insights, is not a stated legitimate use of data.  The result is that the private sector’s ability to use data for insight development is governed by consent, and regulators can always challenge the effectiveness of consent, thereby limiting the fruits of observation.

Recital 4 of the GDPR reminds us that data protection is a human right that needs to be balanced with other rights.  GDPR protects both individuals and data users.  Under this construct, data users may argue the legitimacy of a data use to an independent authority and a very independent judiciary.  There is nothing independent about the agencies that will enforce PIPL, and the Chinese judiciary is answerable to the Chinese Communist Party.

So, data protection law has added 1.3 billion Chinese to its domain.  But please do not think that this is a momentous day for effective and fair data governance.  It is not.