
China's data privacy law is often mentioned in discussions on state surveillance and the legitimate concerns it raises. But the obligations weighing on private actors, like those under the GDPR in Europe, are much more detailed. This post focuses on their evolution until 2023, culminating in the Personal Information Protection Law (PIPL) and its guidelines, and compares them with data privacy rules in the U.S. and the EU.

[This article is regularly updated] This post summarizes my law review article “China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU?”, published in the Penn State Journal of Law and International Affairs, vol. 8.1, augmented with the most recent changes. The article comprehensively details the results of research that is part of my Ph.D. at Shanghai Jiao Tong University. The present blog post only aims at “briefly” presenting the main findings in a more casual fashion.

Download the Full Research Paper (free)

My complete article (60 pages), published in the Penn State Journal of Law & International Affairs in 2020, is on the Social Science Research Network (SSRN).

This post answers three main questions:

  • What are China’s data privacy laws in 2023?
  • Where do they stand compared to the EU and U.S. approaches?
  • What are the specificities of Chinese laws, especially the PIPL, on personal information protection?

These are broad issues opening many doors, including for research in political science and international relations.

1. Data privacy laws in China came 30 years later than in the EU and the U.S.

When China started to enact data privacy rules, the EU and the U.S. had long-standing stances on the issue. The two approaches feature important differences (the result of two contrasting philosophies and rationales). Therefore, China had two models it could transplant rules from, with the goal of accelerating the building of its own framework and of benefiting from the EU’s and the U.S.’s experience with data protection laws (to learn more on legal transplantation mechanisms and theories, see this research on comparative law).

1.1. EU’s Strong Protection or U.S.’s Minimalist Approach: The Two Models for China

Rules on data protection appeared in the 1970s in both the U.S. and Europe. At the international level, the OECD issued its Privacy Guidelines in 1980. The Council of Europe (which is not an EU body) published its Convention 108 in 1981. Given the political and economic conditions of China at that time, the country did not show signs of interest in these initial legal developments.

The U.S. and the European Union developed different approaches to data protection. The U.S. data privacy laws stick to a minimal approach where relevant rules are scattered through many laws with narrow scopes. There, data privacy rules find themselves limited by the right to freedom of speech, which is constitutionally protected. To this day, influential scholars oppose the passing of more protective privacy rules on the basis of freedom of speech.

On the other hand, the EU chose an approach that largely differs from that of the U.S. In 1995, it enacted the Data Protection Directive, designed to regulate all data privacy issues (through the implementation of the Directive’s goals in each Member State’s domestic legal framework). This choice of a comprehensive data protection law represents a main difference with the U.S. approach. Most importantly, privacy and personal information protection are now fundamental rights in the EU[1] and should receive strong protection as such. In 2018, the General Data Protection Regulation (GDPR) became directly applicable in all Member States, reinforcing the EU model and its stringent requirements.

Will China choose the EU or the U.S. approach? What is China’s data privacy law in 2023? Let’s find out.

For a more detailed overview of China’s legal evolutions, please refer to my article in the Penn State Journal of Law & International Affairs. I give a detailed presentation of the country’s evolution on data privacy, from the beginnings up to China’s Cybersecurity Law and the Personal Information Protection Law (PIPL).

China’s data privacy laws started decades after most Western countries’. On the legal instruments, the country first hesitated between the EU approach (a comprehensive data privacy law) and the U.S. one (many narrow laws). Although China eventually started to develop its legal framework through sector-specific laws, much like in the U.S., the country is now on the path of enacting a comprehensive data protection law (see below).

It has been argued that traditional Chinese culture was the cause for the lack of privacy protection. In my opinion, however, culturally similar regions show that the situation could have been different. Taiwan has data protection laws going beyond OECD standards. Hong Kong was the first jurisdiction in Asia to have enacted a comprehensive data privacy law. In mainland China, it’s rather the political situation, at a time when privacy was making a breakthrough at international and national levels, that decisively precluded the emergence of privacy protection and set China apart from the developments happening elsewhere.

China started a long march towards bringing out privacy and data protection rights with its Constitution of 1982,[2] where the right to freedom and privacy of correspondence is protected under Article 40. Unfortunately, the Constitution cannot serve as the legal ground for a judicial decision or interpretation in China, which undermines the significance of these provisions.

Civil and criminal laws now provide privacy and personal information protection. Since 1986, the General Principles of the Civil Law (GPCL)[3] protect the “right to reputation” and serve as a basis for privacy protection.[4]

On March 15, 2017, the GPCL received an update. They now provide rules for the protection of personal data and underline the responsibility of individuals and organizations (Article 111). The Criminal Law and its Amendment VII from 2009[5] sanction wrongdoings on privacy and personal information on several occasions.

Regulation of businesses’ use of personal data appeared following the emergence of innovations such as cloud computing and big data analytics, which convinced China to regulate more vigorously (a trend later further encouraged by Edward Snowden’s revelations and the related fear over foreign intelligence practices).[6]

In December 2012, the Standing Committee of the National People’s Congress (NPC) promulgated the Decision on Strengthening Information Protection on Networks (the 2012 NPC Decision). Since this decision, China has made significant efforts and progress in terms of developing the protection of personal data, through including several principles and requirements as part of new rules. But rather than enacting a comprehensive data privacy law, China took a path resembling the U.S. approach. Data protection provisions were dispersed in laws for sectors such as banking and finance, consumer protection, postal services, healthcare, credit reporting, telecommunications and internet, etc.

China started to build this sector-specific data privacy protection framework following the line of the 2012 NPC Decision. For example, in 2013, the NPC’s Standing Committee updated the Consumer Protection Law,[7] making data protection a distinct right for consumers in its Article 14. The law also includes the core data protection principles from the 2012 NPC Decision, especially on security and confidentiality, purpose specification and consent. Other examples exist for the Internet sector, the Credit Reporting Industry or for the protection of medical records.

This approach started to change a bit with China’s Cybersecurity Law and was confirmed in the Personal Information Protection Law (PIPL), the most important milestone in the country’s data protection legal landscape. The Cybersecurity Law was enacted on November 7, 2016 by the Standing Committee of the National People’s Congress and entered into force on June 1, 2017. Its requirements about data privacy sit among provisions related to other aspects of cybersecurity. The PIPL has a broader scope than previous Chinese data privacy laws and brings the country even closer to global standards. The most significant evolutions appeared in the non-binding guidelines accompanying the Cybersecurity Law (the 2018 Specification),[8] and the PIPL incorporated them into binding law in 2021. The following sections analyse the rules existing in these texts.

To understand why non-binding rules such as the 2018 Specification are particularly significant in the Chinese legal system, see my article in the Penn State Journal of Law & International Affairs.

2. China’s PIPL as a New Direction: Stronger Than the U.S., Not as Strict as the EU?

The PIPL is, therefore, the latest Chinese data privacy law. The Cybersecurity Law, accompanied by the 2018 Specification, guidance dedicated to personal data security and privacy, remains in force.

Dr. Hong, who led the drafters of the 2018 Specification, argues that this text is “stricter than the U.S., but not as much as the EU”. At a time when TikTok may be getting banned from the U.S. for privacy and national security reasons, that statement may seem surprising. Given China’s late awakening to the issue and its state-surveillance problems, this declaration is indeed bold and calls for a deeper analysis.

Such an analysis of Chinese rules shows that they maintain similarities with the U.S. approach on several elements. But the PIPL and the Cybersecurity Law (with the 2018 Specification) feature important signs of convergence with EU law. This is a significant change for China, in favor of stronger data protection requirements than the U.S., but without going as far as the EU. Ultimately, it is the enforcement of those rules that will matter.

2.1. Where China Resembles the U.S. More

Data Breach Notification

One topic where China’s data protection laws remain closer to the U.S. approach is data breach notification. In the U.S., requirements for data breach notification exist but are not as strict as in the EU.

Once a data breach occurs, the notification requirement obliges the entity in charge of the data to notify the supervisory authority and/or the affected individuals. Such obligations to notify personal data breaches have existed in the U.S. since 2002,[9] with a large timeframe for notification, e.g. 30 days[10] or even up to a reasonable time.[11] A data breach notification requirement was absent from the EU Directive in 1995 (although included in some Member States’ national laws). Drawing on rules from Member States and the European Union Telecommunications Framework, the EU now goes further than both the OECD and the U.S. and compels data controllers to notify supervisory authorities of a security breach within 72 hours after they become aware of it.[12]

In China, the Cybersecurity Law requires data controllers to inform authorities as well as individuals in case of a data breach.[13] The 2018 Specification gives more details and requires companies to draft a personal information security incident response plan and to organize drills annually. In case of a breach, affected entities should record a set of information about the incident, assess its impact, and promptly report it. It further requires controllers to promptly inform data subjects and provides a non-exhaustive list of information to be included in the notice. The PIPL states the content of the notification (art. 57) but does not give more details regarding the timeframe for notification.

By requiring only prompt notification, the Chinese legislator may want to gain more experience before setting a clear timeframe. Meanwhile, notification should be made without undue delay, and companies should be able to explain why it took a long time if that is the case.

Supervisory Authorities

The authority to which the notification should be made is not conceived in the same way in the EU and the U.S. Europe requires an independent and dedicated authority. The U.S. does not provide for regulatory oversight by an independent data protection authority, but rather a combination of “the US Federal Trade Commission, state attorneys general, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau (and other financial and banking regulators), the Department of Health and Human Services, the Department of Education, the judicial system, and […] the US plaintiffs’ bar.”[14] The FTC has grown to become the most important privacy enforcement agency in the U.S.

China’s data privacy law does not establish an independent authority dedicated to data privacy enforcement. The Cyberspace Administration of China is dominant in this role, but several regulators are responsible for data protection enforcement efforts. Therefore, in a manner that recalls that of the U.S., several authorities are in charge of enforcing privacy provisions in their own sector, and the allocation of competence is not always clear.[15] China’s Cybersecurity Law did not change this situation, which still resembles the U.S. approach more than the EU’s.

2.2. Where Chinese Data Privacy Laws Converge with the EU Model

New Chinese rules on data privacy showcase transplants of EU rules, bringing more protection to individuals than most U.S. laws. The rapprochement first came from the non-binding 2018 Specification (China’s Cybersecurity Law is often too vague to soundly demonstrate convergence with EU rules) but finally arrived in binding law with the PIPL.

The Personal Information Protection Law (PIPL): China’s GDPR, a Comprehensive Law

First, China progressively moved towards the adoption of a single and comprehensive data protection law, as the EU promotes. To briefly summarize, rules for the Internet sector progressively gained in scope, up to the Cybersecurity Law, which broadly targets “network operators”, and the 2018 Specification, which goes further and makes clear that it is applicable to “all types of organizations’ activities handling personal information,”[16] in a similar way as the GDPR. This was reinforced and became binding with the PIPL.

The PIPL was foreseen soon after the CSL was enacted. The NPC Standing Committee’s Five-year Legislative Plan for the period 2018-2023 features a “Personal Information Protection Law”. The draft was published in October 2020 (and promptly translated into English here). The drafting of this law was commented on in 2019 by Zhang Yesui, spokesman for the second session of the 13th National People’s Congress, when he outlined that provisions on personal information were too scattered and that there was therefore a need “to have a law specifically on the protection of personal information to form a unified force of regulation.” Eventually, the PIPL was enacted and effective from 1 November 2021 (translation here).

The other main areas where China gets closer to EU rules concern the obligations of data controllers towards data subjects. They mainly relate to limitations on data processing activities and direct rights for individuals. Explaining why, how and to what degree there is convergence here is crucial but requires longer explanations. I can only redirect you to the law review article I wrote to get this analysis; written in 2020, the trend it describes remains true with the PIPL. Here, for the sake of brevity, I will only skim over these issues.

Requirements for Data Collection and Processing

With the PIPL, China’s data privacy law now goes further than most U.S. rules and resembles the EU more. The EU provides six different legal bases for the processing of personal data, with stringent obligations attached to them, and notably rejects the concept of implicit consent. The U.S., in most cases, requires only implicit consent. Before the PIPL, China was heavily relying on consent as well, but now all the EU legal bases exist in China, except for legitimate interest. Unfortunately, legitimate interest is a very common legal basis for companies operating in the EU, and finding the corresponding adequate Chinese legal basis may be complex.

Limits on Further Processing

The rule that personal data cannot be used for purposes other than those stated to the individual is also a clear requirement. Here, China is in the wake of the European rules and diverges from the U.S., which does not afford the same level of protection and, for example, allows internet providers to sell users’ data without their consent to this purpose.[17]

Data Minimization

The EU allows data collection and processing only to the extent that such data is necessary to the purpose specified: this is data minimization. This principle is either absent or very weak in U.S. legislation. China’s Cybersecurity Law requires a soft form of minimization, as network operators are forbidden to collect personal information unrelated to the services they provide. But the 2018 Specification clearly sets a strict data minimization principle, with data processing permitted only for what is necessary to the purposes.[18] This is another example where the Cybersecurity Law features looser requirements than the 2018 Specification, which is itself closer to EU rules.

Sensitive Data

In a nutshell: sensitive data are protected in China under the Personal Information Protection Law (PIPL), but their definition is broader than in the GDPR.

The sensitivity principle is a clear distinction between the EU and the U.S. It means that the processing of sensitive data should be subject to additional safeguards. The requirement exists in EU rules for data such as ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions, and the processing of genetic and biometric data.[19] U.S. laws do not protect sensitive data in such a wide manner.

China leans towards the EU approach, but in its own specific way. The PIPL requires specific protection for sensitive data, but their definition differs significantly from EU rules (where sensitive data are clearly listed). The 2018 Specification[20] defines it as data that, if “leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.” This risk-based definition is much broader than the GDPR’s.

Right to be Forgotten

In a nutshell: the right to deletion now exists under conditions similar to the GDPR’s, thanks to the Personal Information Protection Law (PIPL).

The creation of a right to be forgotten in the EU was received with scepticism in the U.S.,[21] where critics like Eugene Volokh, a prominent scholar on American constitutional law, oppose the right to be forgotten on the basis of the freedom of speech that the First Amendment of the U.S. Constitution protects.

The conceptual differences between China and the United Nations over the right to freedom of expression are well known. In addition to that, free speech activists sometimes criticize the right as a way to facilitate censorship. This could lead one to think that a right to be forgotten would be less problematic in China than in the U.S. However, in May 2016 (before the Cybersecurity Law took effect), the Haidian District People’s Court in Beijing ruled in favor of Baidu, China’s main search engine, against a plaintiff invoking the right to be forgotten on the basis of his right of name and right of reputation. The judges ruled there was no right to be forgotten in Chinese law.

A right to erasure exists in China’s Cybersecurity Law, but it is limited to cases where the network operator has violated laws or agreements between the parties.[22] The 2018 Specification is in line with this.[23] It goes further by requiring controllers to also notify third parties with whom data have been shared to delete them, as does the GDPR, but the requirement was still only applicable where a law or an agreement had been breached. Therefore, before the PIPL, on the one hand the right to deletion was more established in China than in most laws in the U.S. On the other hand, it remained narrower than EU rules. In the context of the drafting of China’s comprehensive data protection law that became the PIPL, several Chinese experts called for an extension of that right in the EU way.

The PIPL answered those calls, and the right to be forgotten has been granted in China on similar grounds as in the EU. Article 47 states that individuals can request their data to be deleted when it is no longer needed for the initial purpose, when the retention period has expired, when the individual withdraws consent, or where the data processing was unlawful.

The requirements on the right to deletion in China’s data privacy laws under the PIPL now mirror those stated in Article 17 of the GDPR.

Data Portability

The right to data portability allows individuals to ask an organization to port their data directly to another organization or to receive them in an interoperable format. In the U.S., data portability is required in California[24] and for certain health data under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but there is no overarching requirement. Data portability as a data right that spans across sectors is a novelty from the GDPR.[25]

China follows the EU direction in the 2018 Specification, and then the PIPL, which grant the data portability right to individuals. The first requires data controllers to give personal information to data subjects or to directly transfer it to a third party. However, this right is more limited than in the EU because it concerns only individuals’ basic information and information about their identity, health, psychology, education and work.[26] The PIPL specifies in art. 45 that data handlers shall provide a way to transfer data to another entity when individuals ask for such transfers. It is another example where China offers more data rights than the U.S. without going as far as the EU.

Automated Decision-making and Profiling

Finally, another area where China follows the EU in enhancing individuals’ rights is the restrictions on automated decision-making, including through profiling. In the EU, a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”[27] This requirement is a feature that is specific to the EU approach on data protection.[28] In the U.S., there is no similar general prohibition on decisions based solely on automated processing.[29] U.S. residents do, however, enjoy certain rights to information or to contest decisions in certain situations under specific laws, such as the Fair Credit Reporting Act or the Equal Credit Opportunity Act.

China’s Cybersecurity Law does not mention automated processing or profiling, nor did previous Chinese laws. The 2018 Specification is the first legal instrument to define profiling[30] and to require that, in case of automated decision-making, the data controller provide means for data subjects to lodge a complaint.[31]

The PIPL goes further and mandates data handlers to perform a PIPIA (Personal Information Privacy Impact Assessment), akin to the DPIA under GDPR.

3. Data Privacy With Chinese Characteristics in PIPL

The previous developments compared the PIPL and other Chinese rules with foreign models. But China’s data privacy law shows significant characteristics which are not found in either the EU or the U.S. approach. These express China’s own rationale on personal data protection.

3.1. Data Localization and Cross-Border Data Transfers: Impacts of China’s Cyber-Sovereignty Principle

In a nutshell: data localization is required by default in China. However, the PIPL gives three possibilities to transfer data overseas (security assessment, certification, standard contractual clauses). Guidelines have been issued to help data handlers comply with China’s data privacy laws.

See my new research paper on data transfers with China, co-authored with Prof. Gregory Voss: China Data Flows and Power in the Era of Chinese Big Tech

Data localization provisions (requiring that at least a copy of personal data remain within the country’s borders) and restrictions applied to cross-border transfers of personal data are among the most contentious legal elements, featuring the least convergence between the three approaches. It is also where Chinese laws show most of their specificities, but they long remained the fuzziest.

The need for clear rules on data exchanges with China has only intensified over the years. Multinationals transfer data daily from their Chinese subsidiaries to their overseas headquarters. Chinese companies also go international now and multiply cross-border operations. And, despite some recent setbacks, the globalization of the economy has also intensified. Did you know, for example, that Normandy produces around 50% of the world’s linen, but almost all this flax goes to China to make linen bed sheets, clothes and so on, before they are exported back to Europe and elsewhere? Examples like this one and many others mean back-and-forth data transfers.

In the absence of an international treaty to which the EU, the U.S. and China would be parties, they each regulate data exchanges pursuant to their own requirements and philosophies. The U.S. way is the simplest, as there are no special requirements for transferring personal data from the U.S. to a third country. The U.S. is also among the strongest opponents of data localization restrictions, seen as trade barriers.[32] However, the U.S. does practice some control over foreign data access by way of national security reviews (the CFIUS mechanism). When a foreign actor invests in a U.S. data controller, it may have to go through such a review, which can result in blocking the deal.

Under EU law, cross-border data transfers can happen only when respecting the level of protection set by the GDPR, therefore to third countries with a level of data protection which the European Commission recognizes as equivalent to the EU’s, or by using appropriate safeguards such as standard contractual clauses or binding corporate rules. This difference with the U.S. has been labelled a “dramatic distinction” by legal scholars.[33]

In China, the rules exist mostly within the Cybersecurity Law, the PIPL and its guidelines on cross-border data transfers (effective since 1 September 2022). The Cybersecurity Law establishes the principle of cyberspace sovereignty, or cyber-sovereignty, which influences China’s direction on this issue.[34] Cyber-sovereignty is part of China’s broader cyber-strategy and geopolitical stance. Pursuant to this concept, cyberspace is subordinated to the interests and values of a country within its borders, i.e. state sovereignty is applied to cyberspace; it is opposed to the multi-stakeholder governance model that supports a free and open Internet. The cyber-sovereignty concept was spurred by Edward Snowden’s revelations on foreign access to population data and national security confidential data, and embraced by China. To ensure its sovereignty over cyberspace, a country may exert control over the Internet architecture, content, and data flows (exports but also imports, e.g. by blocking foreign content), often for security purposes.

Regarding personal information protection, China’s cyber-sovereignty principle means data localization requirements and restrictions on cross-border data transfers. Article 37 of China’s Cybersecurity Law requires “critical information infrastructure operators” that gather or produce personal information or important data during operations in China to store it in China. Such data can be transferred out of the country when it is truly necessary and after a security assessment (which, at the time, lacked guidelines on how to perform it).

Then came the Personal Information Protection Law (PIPL), with a chapter dedicated to the rules on cross-border data transfers (Chapter III, Articles 38-43). It gives three possibilities for outbound data sharing: passing a security assessment, being certified (akin to BCRs in Europe), or implementing China’s standard contractual clauses with the receiving party (the same approach as the EU’s standard contractual clauses). Specific guidelines accompanying the PIPL on these three possibilities have been published. Given the low threshold above which a security assessment becomes the mandatory path to transfer data out of China, this will be the most relevant route for many multinational companies under the PIPL.

Data localization provisions and restrictions on data transfers are at the crossroads of China’s concerns involving privacy, surveillance, sovereignty and economic development. They are all addressed within China’s data privacy laws. Compared with EU and U.S. rules, they serve the need to retain data within the jurisdiction based on a rationale that goes beyond data privacy.

3.2. Surveillance and Privacy: The Data Protection Dichotomy in China

What is striking in China’s data privacy law is the contrast between the strengthening of protection against private entities and the parallel increase of the government’s access to personal data, as there is still no significant privacy protection against government intrusion.

Whereas the rights to privacy and data protection evolved favorably for individuals/consumers in their relations with the private sector, considerable criticism still exists when those rights are assessed in the context of the relation between the citizen and the government, particularly for surveillance issues. A previous comparative study by James D. Fry, Professor at the Hong Kong Faculty of Law, found that many rules exist in the U.S. to regulate surveillance activities, whereas the very few provisions existing in China are inoperative in practice.[35]

In contrast, Chinese laws increasingly protect individuals’ rights against private entities holding their data and grant them more control over it. However, this progress is counterbalanced by the increase of the government’s access to data, spurred by innovations such as facial recognition. This dichotomy is observable in the Cybersecurity Law itself, which provides personal data protection but also contains articles limiting it on the basis of public and national security, such as provisions on building backdoors into software.

The Chinese rationale is different from both the EU and the U.S. approaches. In China, it is the Chinese consumer’s data privacy protection that progresses, rather than a citizen’s (see my article in the Penn State Journal of Law & International Affairs for more details). This explains why individuals are gaining significant data protection rights in the private sector but “cannot claim any remedies for the infringements of their privacy carried out by the state government.”[36]

To reinforce the issue, cybersecurity is conceptualized as a component of national security. China’s Cybersecurity Law indeed follows the enactment of the National Security Law,[37] which touches on personal data aspects where it allows the government to access information, and the Counterterrorism Law,[38] which also contains provisions related to cybersecurity and data protection. The inherent consequence of this political and legal framework is that the collective interest outweighs individual freedoms and data privacy. The social credit system rating citizens, for law enforcement purposes, is a result of such balancing of interests. As Xue Lan, former dean of the School of Public Policy and Management at Tsinghua University, says, “facial recognition may infringe on personal privacy to a certain degree, but it also brings a collective benefit, so it is a question of how to balance individual and societal benefits.”

This balancing also works in favor of personal data protection. Despite this context, and contrary to popular belief, Chinese people worry about the privacy of their personal data. According to a recent survey by the China Consumers Association, 85% of people have suffered a data leak, spurring public anger. The leakage of personal data has indeed grown to unbearable levels: in 2016, it caused an RMB 91.5 billion loss to the Chinese economy (about USD 13 billion). In addition, dramatic cases making the headlines move public opinion and stimulate the debate around personal data protection. One example is the Xu Yuyu case: following the disclosure of her personal information, a scammer stole the money that this 18-year-old student’s family had saved for her to go to college. The young girl then died of a heart attack on the way back from the police station.

Facing this situation, China’s government has to act and better protect individuals’ data privacy, with a dual objective: Chinese consumers’ trust in the digital economy strengthens, while the government becomes a privacy protector. China’s challenge is to secure the flow of personal data that is vital for the development of the digital economy, while ensuring the government’s control. This explains why, on the one hand, concerns rise about surveillance (for example around the social credit system and facial recognition) while, on the other hand, new rules go beyond the minimalist protections found in the U.S. and move towards the more protective EU model. This forms China’s dual approach to personal data protection.

Distrust of China regarding privacy most often stems from surveillance issues, perhaps because privacy “infringements” for business purposes are just as likely to happen in countries with fewer laws or lax enforcement. More recently, China’s digital currency project, a sort of centralized Bitcoin, has become one of the most concerning issues for foreigners, to the point that US Senators asked US athletes to boycott the e-yuan during the 2022 Olympic Games.

4. Conclusion on China Data Privacy Law

China data privacy law is the source of a lot of fear, controversy and skepticism. Whereas the protection of personal information was indeed lacking until recently, the country is now building its framework at a rapid pace.

This post shows that China has gradually built a data privacy system through legal transplantations from both EU and U.S. laws. It initially resembled the U.S. minimalist approach and now shows signs of convergence with the more stringent EU model. There is a high chance that this trend will continue. The PIPL is the latest milestone in that direction.

China data privacy law does not merely transplant EU and U.S. rules. Cyber-sovereignty, rules on data transfers and the dichotomy between privacy from private actors and privacy from the state are the most salient elements of the Chinese model. Given the country’s ambitions related to its cyber strategy, China’s voice on data privacy will have an increasing impact.

Currently, China is also shaping the related artificial intelligence regulations, which are intertwined with personal data usage. Unlike for personal data protection stricto sensu, China is not a latecomer here and will now be able to push its vision on AI rules and AI ethics principles, and participate with the EU and the U.S. in the competition for global regulatory clout. China’s significant improvements concerning consumer privacy will, hopefully, infuse into China’s future AI regulations.


  1. In its Article 8, the Charter of Fundamental Rights in the European Union provides that everyone has the right to the protection of personal data, which should be processed on a legitimate legal basis such as consent, that everyone has the right of access to their personal data and the right to have it rectified, and that an independent authority shall control compliance with these rules; European Union, Charter of Fundamental Rights of the European Union, ratified December 7, 2000, Art. 8.
  2. Constitution of the People’s Republic of China, 4 December 1982
  3. General Principles of the Civil Law of the People’s Republic of China, promulgated on April 12, 1986, effective January 1, 1987.
  4. For further discussion of the protection of privacy by the GPCL, see Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives 200–201 (2014).
  5. Criminal Law of the People’s Republic of China, adopted on July 1, 1979 (Criminal Law) and Amendment Seven to the Criminal Law, adopted on February 28, 2009.
  6. As underlined by Graham Webster, in a lecture given at New York University, Shanghai campus, December 6, 2017.
  7. Decision on Amending the PRC Law on the Protection of Consumer Rights and Interests, adopted by the Standing Committee of the Twelfth National People’s Congress on October 25, 2013, effective March 15, 2014.
  8. The “Information Security Technology – Personal Information Security Specification – (GB/T 35273-2017)” has been issued by the National Information Technology Standardization Technical Committee (the TC260) on December 29, 2017 and took effect on May 1, 2018. The TC260 is jointly supervised by the Standardization Administration of China and the Cyberspace Administration of China for the purpose of setting standards.
  9. California S.B. 1386, effective on July 1, 2003 (California Data Security Breach Notification Law).
  10. E.g. in Colorado, where notification to the affected Colorado residents must be made within thirty days after the determination that a breach occurred, see Colorado Consumer Data Privacy Law at Sec. 3 (2).
  11. California Data Security Breach Notification Law, 1798.29.(a) and 1798.82.(a): “The disclosure shall be made in the most expedient time possible and without unreasonable delay.”
  12. GDPR, Article 33(1).
  13. China’s Cybersecurity Law, art. 42: “When the leak, destruction or loss of personal information occur, or might occur, remedial measures shall be immediately taken, and provisions followed to promptly inform users and to make report to the competent departments in accordance with regulations.”
  14. Alan Charles Raul, Frances Faircloth & Vivek K Mohan, United States – The Privacy, Data Protection and Cybersecurity Law Review 269 (Edition 4 ed. 2017).
  15. Bo Zhao & G.P. (Jeanne) Mifsud Bonnici, Protecting EU citizens’ personal data in China: a reality or a fantasy?, 24 International Journal of Law and Information Technology 128–150, 135 (2016).
  16. 2018 Specification, art. 1.
  17. In October 2016, the Federal Communications Commission (FCC) approved new rules for enhancing customers’ privacy on the internet, forbidding internet providers from selling personal information such as browsing history, app usage or mobile location without the customers’ explicit consent to this purpose. However, like other data protection initiatives of the Obama administration, it was repealed by the Republicans in 2017. See Brian Fung, The House just voted to wipe away the FCC’s landmark Internet privacy protections, The Washington Post, March 28, 2017.
  18. 2018 Specification, Article 4(d): “Minimization Principle: Unless otherwise agreed by the data subject, only process the minimum types and quantity of personal information necessary for the purposes for which the authorized consent is obtained from the data subject. After the purposes have been achieved, the personal information should be deleted promptly according to the agreement.”
  19. GDPR, Articles 9 and 10.
  20. PIPL, Article 28.
  21. Steven C. Bennett, The Right to Be Forgotten: Reconciling EU and US Perspectives, 30 Berkeley J. Int’l L. 161, 164–168. Most negative reactions revolved around supposed inconsistencies with the freedom of expression and interference with business demands for data.
  22. Cybersecurity Law, art. 43.
  23. 2018 Specifications art. 7.6.
  24. CCPA, § 1798.100.(d).
  25. GDPR, art. 20.
  26. 2018 Specifications art. 7(9).
  27. GDPR art. 22(1). This provision is subject to several exceptions, stated in art. 22(2).
  28. Graham Greenleaf, The influence of European data privacy standards outside Europe: implications for globalization of Convention 108, 2 Int’l Data Priv. L. 68, 74 (2012).
  29. Gabriela Bodea et al., Automated decision-making on the basis of personal data that has been transferred from the EU to companies certified under the EU-U.S. Privacy Shield (Fact-finding and assessment of safeguards provided by U.S. law), European Commission 40 (2018).
  30. 2018 Specification art. 3.7.
  31. 2018 Specification art. 7.10: “When a decision is made on the basis of information system automated decision-making and has significant impact on the data subject’s rights and interests (for example, when user profiling determines personal credit and loan amounts, or in user profiling for interview screening), the data controller should provide means for data subjects to lodge a complaint.”
  32. John Selby, Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both?, 25 Int’l J. L. and Info. Tech. 213 (2017).
  33. Schwartz, at 1977.
  34. Cybersecurity Law, art. 1: “This law is formulated in order to ensure cybersecurity; safeguard cyberspace sovereignty and national security, and social and public interests; protect the lawful rights and interests of citizens, legal persons and other organizations; and promote the healthy development of the informatization of the economy and society.”
  35. James D. Fry, Privacy, predictability and internet surveillance in the US and China: Better the devil you know, 37 U. Pa. J. Int’l L. 419 (2015).
  36. Jyh-An Lee, Hacking into China’s Cybersecurity Law, 53 Wake Forest L. Rev. (2018), at 101. Lee further states that “While the government has endeavored to continuously enhance the human rights protection it offers, the actions of the state government itself is mostly unconstrained by fundamental human rights.” The lack of access to effective remedies goes against another fundamental right in the EU, the right to an effective remedy and to a fair trial, which, at a higher level, is also part of the EU approach to data protection.
  37. National Security Law, promulgated by the Standing Committee of the National People’s Congress on July 1, 2015, effective July 1, 2015.
  38. Counterterrorism Law, passed by the NPC on December 27, 2015, effective January 1, 2016.

Emmanuel Pernot-Leplay
