China's emerging data protection framework

Over the past 5 years, the People’s Republic of China has accelerated efforts to establish a legal architecture for data protection. With the promulgation of the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) in the summer of 2021, the first phase of these efforts have been concluded. These will have a significant impact on data flows within China, but also merit foreign attention. They provide a new approach to data protection to be subjected to comparative analysis, and may influence the development of data protection legislation in other states, particularly those with close digital connections to China. Doing so requires a greater understanding of how this legislation is shaped by the Chinese political and economic context. Drawing on a thorough review of government documents, supplemented by Chinese-language academic sources, this article reviews the evolution of the two pillars of China’s data protection architecture, from the early stage of fragmentation via the promulgation of the Cybersecurity Law in 2016, up to the present day. It finds that the PIPL and its attendant regulations serve to primarily regulate the relationship between large technology companies and consumers, as well as prevent cyber crime. It does not create meaningful constraints on data collection and use by the state. Even so, the PIPL bears a clear family resemblance to personal data protection regimes elsewhere in the world. In contrast, the DSL is a considerable innovation, attempting to prevent harm to national security and the public interest inflicted through data-enabled means. While implementing structures for this Law remain under construction, it will likely herald a thorough reorganization of the way through which data is collected, stored, and managed within all kinds of Chinese actors.

[1]  Samir Forić Law and the Party in China. Ideology and Organisation , 2022, Europe-Asia Studies.

[2]  Rogier Creemers China’s Cybersecurity Regime: Securing the Smart State , 2022, SSRN Electronic Journal.

[3]  Daniel C. Lynch Xi Jinping Confronts the Network Society , 2021, Modern China.

[4]  J. Zeng Securitization of Artificial Intelligence in China , 2021, The Chinese Journal of International Politics.

[5]  C. S. Lee Online Fraud Victimization in China: A Case Study of Baidu Tieba , 2021, Victims & Offenders.

[6]  Anja Geller How Comprehensive Is Chinese Data Protection Law? A Systematisation of Chinese Data Protection Law from a European Perspective , 2020, GRUR International.

[7]  D. Clarke Order and Law in China , 2020 .

[8]  Avery E. Goldstein China's Grand Strategy under Xi Jinping: Reassurance, Reform, and Resistance , 2020, International Security.

[9]  Emmanuel Pernot-Leplay China's Approach on Data Privacy Law: A Third Way Between the U.S. and the E.U.? , 2020 .

[10]  Rogier Creemers Party Ideology and Chinese Law , 2020 .

[11]  Jinhe Liu China’s data localization , 2020, Chinese Journal of Communication.

[12]  Giulio Santoni Foreign Capital in Chinese Telecommunication Companies: From the Variable Interest Entity Model to the Draft of the New Chinese Foreign Investment Law , 2018 .

[13]  D. Xiaodong PERSONAL DATA PROTECTION: RETHINKING THE REASONS, NATURE, AND LEGAL FRAMEWORK , 2018 .

[14]  Kai-Fu Lee AI Superpowers: China, Silicon Valley, and the New World Order , 2018 .

[15]  L. Du,et al.  Characteristics of cybercrimes: evidence from Chinese judgment documents , 2018, Police Practice and Research.

[16]  Jan Pohle Data Privacy Legislation In The European Union Member States – A Pratical Overview , 2018, Computer Law Review International.

[17]  Shawn Marie Boyne,et al.  Data Protection in the United States , 2018, The American Journal of Comparative Law.

[18]  Abu Bakar Munir,et al.  Practitioner’s Corner ∙ Information Security Technology – Personal Information Security Specification: China’s Version of the GDPR? , 2018 .

[19]  Xu Jinghong,et al.  Evolving Legal Frameworks for Protecting the Right to Internet Privacy in China , 2015 .

[20]  P. Hert,et al.  The data protection regime in China,European Parliament, Committee on Civil Liberties , 2015 .

[21]  Rogier Creemers The Privilege of Speech and New Media: Conceptualizing China's Communications Law in the Internet Era , 2014 .

[22]  C. Covell,et al.  Tort Law of the People's Republic of China , 2012 .

[23]  Hao Wang Protecting Privacy in China: A Research on China’s Privacy Standards and the Possibility of Establishing the Right to Privacy and the Information Privacy Protection Legislation in Modern China , 2011 .

[24]  Hao Wang Protecting Privacy in China , 2011 .

[25]  Qianfan Zhang A constitution without constitutionalism?: The paths of constitutional development in China , 2010 .

[26]  T. Hui The legal protection of personal information in China , 2010 .

[27]  Graham Greenleaf,et al.  China’s Proposed Personal Information Protection Act , 2008 .

[28]  Cao Jingchun,et al.  Protecting the Right to Privacy in China , 2005 .

[29]  Lü Yao-Huai,et al.  Privacy and Data Privacy Issues in Contemporary China , 2005, Ethics and Information Technology.

[30]  D. Clarke Puzzling Observations in Chinese Law: When is a Riddle Just a Mistake? , 2003 .

[31]  Guobin Zhu,et al.  The Right to Privacy: An Emerging Right in Chinese Law , 1997 .

[32]  P. Lovelock,et al.  The "Golden Projects": China's National Networking Initiative , 1996 .

[33]  P. Keller Sources of order in Chinese law , 1994 .

[34]  Jerome Alan Cohen,et al.  Criminal Law of the People's Republic of China , 2012 .