[Guest post] China Passes Its First Comprehensive Data Protection Law

Last week, China passed the Personal Information Protection Law, a top-level comprehensive data protection law with noticeable parts compatible with the GDPR.

Upon that, The IPKat is delighted to host the following guest post co-authored by Anja Geller (PhD candidate at Ludwig-Maximilians-Universität and Junior Research Fellow at the Max Planck Institute for Innovation and Competition) and Zihao Li (PhD candidate at CREATe, University of Glasgow, on privacy and data protection in the Chinese Civil Code). 

Here is what Anja and Zihao write:

China Passes Its First Comprehensive Data Protection Law 

by Anja Geller and Zihao Li 

China’s long-awaited Personal Information Protection Law (PIPL) was adopted on 20 August 2021 and will enter into force on 1 November 2021 (an unofficial English translation is available here). It is the culmination of a long process. Interest in a law to protect personal information began 2003, when the Information Technology Office of the State Council officially launched legislative research. In 2005, scholars proposed an Expert Draft. Starting with the 2012 Decision of the National People’s Congress on Strengthening the Protection of Network Information, more and more laws were introduced. In recent years, the pace of development has accelerated considerably, as cases of data abuses have repeatedly generated great media interest and heated debates. This led to the enactment of the Cybersecurity Law of 2017 and a plethora of other data security and data protection regulations. In addition, data-related norms have been incorporated into general laws, the new Civil Code of 2020 being a particularly well-known example 
[Katposts here and here]Overall, data protections provisions were scattered, often limited to a specific sector, vague or at a relatively low hierarchical level. National standards like the Personal Information Security Specification were by far the most concrete and extensive, but they had no legally binding effect. 

Overview of the Rules 

Now, the PIPL is the first comprehensive data protection law at a high hierarchical level. It adopts many principles and rules of the GDPR. In this way, the legislator attempts to give it extraterritorial validity and strive for a common international legal system. First of all, the PIPL contains much-needed definitions, most of which are similar to those in the GDPR. Differences exist regarding sensitive personal information, which is defined in an open-ended and more security-oriented manner, including financial accounts, individual location and all information of minors under the age of 14. 

Furthermore, while “notification – consent” (告知 – 同意) is a core processing rule, the introduction of six alternative legal bases is an important change that moves the Chinese law closer to the European model. It reflects the tendencies of newer regulations such as the Civil Code, which no longer consider consent as the sole legal basis. That is very positively received by both legal scholars and practitioners, who criticised an over-reliance on consent as too rigid for processors and unsuitable for individual control. Compared to previous binding provisions, the PIPL also expands the processing principles in number and detail, offering important guidance for future legislation. It contains clearer provisions on individual rights and more obligations for personal information handlers as the main responsible party. Very controversial is the introduction of the right to portability, which is based on the GDPR counterpart and whose concrete requirements are open to further regulation. Some expect stronger control for individuals and less monopolistic behaviour, upon which some doubt could be achieved. 

Applicability to State Actors 

A central aspect raised by both Western and Chinese commentators is the applicability of the PIPL to state actors. Art. 1 PIPL refers to the Constitution, which elevates the legal significance of the PIPL and gives it primary applicability in the field of personal information protection. The state must respect and protect the right to personal information. However, the Chinese Constitution does not explicitly stipulate informational self-determination and privacy protection. Since there are significant differences between the constitutional systems, this constitutional basis is weaker than in the EU. 

As far as state actors are concerned, the PIPL nevertheless has other noteworthy norms. Art. 33 PIPL provides that processing activities by “state organs” fall under the PIPL, unless Arts. 33-37 PIPL contain more specific instructions. State organs are required to handle personal information in accordance with the powers and procedures set forth in the law. They may not exceed the scope or extent necessary to fulfil their statutory duties and responsibilities. Notification of individuals is necessary unless it interferes with the performance of their statutory obligations or when there is a specific statutory rule requiring confidentiality. 

So, at least in principle, the state must comply with the data protection norms of the PIPL. That is a major change compared to many older regulations that did not include state actors. Of course, questions remain as to whether and how state actors will actually comply with the PIPL and exactly which provisions and obligations apply. The exceptions are not clearly defined, and further guidelines are necessary to avoid arbitrary or overbroad interpretations. Nonetheless, the explicit inclusion of state actors is already a significant improvement. 

Regulation of Cross-Border Data Flows 

The PIPL constructs a clear and systematic set of rules for the cross-border flow of personal information. The aim is to satisfy the requirements of safeguarding the users’ data rights and the security of personal information while boosting international economic and trade transactions. However, most rules indicate that under the PIPL personal information must be stored locally unless the personal information handler could: 

(1) pass a security assessment organised by the national cyberspace authority. 
(2) obtain personal information protection certification. 
(3) sign a standard contract formulated by the national cyberspace authority with the recipient abroad. 

On the other side, the PIPL also promotes the mutual recognition of personal information protection rules and allows cross-border data flows through an international data transfer agreement. That indicates that the Chinese government seeks to participate in global data protection legislation and strives for a more substantial international presence in data protection. However, concrete guidance on how China will facilitate interoperability between the PIPL and other jurisdictions is still lacking. 

Furthermore, the PIPL could have a significant extraterritorial effect. According to Art. 3 PIPL, this law also applies to handling activities outside the territory of China with respect to personal information of natural persons within the borders if the handling is for: 

(1) providing products or services to natural persons within the territory, 
(2) analysing or evaluating activities of natural persons within the territory, or 
(3) other circumstances provided in laws or administrative regulations. 

Where this law applies, the personal information handler outside the territory must establish a dedicated entity or appoint a representative within China to be responsible for matters related to the personal information it processes. Meanwhile, the PIPL also has specific provisions on national cybersecurity and public interest. Suppose foreign organisations or individuals violate personal information rights or harm China's national security or public or private interests. In that case, the State cybersecurity department may limit or prohibit the transfer of personal information. 

Regulation of Automated Decision-Making (ADM) 

As private companies increasingly use Big Data to evaluate consumers and personalise their services, the issue of algorithmic bias is much debated in the public sphere. The most typical case in China is online price discrimination (大数据杀熟). The PIPL addresses this problem. It stipulates that personal information handlers must not unreasonably discriminate between individuals regarding trading conditions. Contrasting the GDPR, the PIPL establishes a higher level of responsibility for personal information handlers in relation to the use of Automated Decision-Making (ADM). According to Art. 24 PIPL, 

When personal information handlers use personal information to conduct automated decision-making, the transparency of the decision-making and the fairness and justice of the handling result shall be guaranteed, and they may not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc. […] 

Those conducting information push delivery or commercial sales […] shall simultaneously provide the option to not target an individual’s characteristics, or provide the individual with a convenient method to refuse.

Additionally, the PIPL closed some of the gaps in the definition of ADM in the GDPR. According to Art. 73 PIPL, the term “automated decision-making” refers to the use of computer programs to automatically analyse or assess individuals, regardless of whether the decision is based solely or partially on automated processing. The public and scholars highly anticipate that this right will prohibit personalised pricing. However, although the law sets high requirements, it is still unclear how that will be implemented, and further legal clarification and guidance is needed. 


Aligning with the GDPR, the PIPL drastically increases the maximum fines. They may amount up to 50 million RMB (around EUR 6.5 million) or 5 % of annual revenue. Like other Chinese regulations in this area, administrative measures such as the suspension of the related business activities, cancellation of business licenses, entry of the acts into credit files and their publication are also possible. 

An essential difference to the GDPR is the lack of an independent law enforcement authority, although it has been repeatedly suggested that one should be established. Law professor Hanhua Zhou sees the reason for this in the central government’s current policy of only reducing and not increasing the number of authorities. As a result, the enforcement structure will continue to be very decentralised and involve many departments. That is frequently criticised with the proverb of “nine dragons governing the water” (九龙治水), which illustrates the inability of proper administration due to too many involved parties. Still, practitioners consider it possible for departments to jointly issue regulations to clarify the scope of powers and responsibilities. At the very least, the PIPL clarifies the overall coordination role of the State cybersecurity and informatisation department and defines its responsibilities. 

Furthermore, it is worth noting that shortly after the publication of the PIPL, the Supreme People’s Procuratorate published the “Notice on the Implementation of the Personal Information Protection Law and the Promotion of Public Interest Litigation for the Protection of Personal Information” (Notice). The Notice states that the people’s procuratorate and consumer organisations may file a lawsuit if a personal information handler violates the PIPL and infringes the rights and interests of numerous individuals. It is a significant clarification as there are relatively few individual litigations. The reason is the high cost and effort involved compared to minor individual damages, which only have a greater impact when added up. 


Now that the PIPL has finally been passed, one can expect a significant improvement in the protection of personal information. It may help drop the many statements that China has no unified, comprehensive data protection law. Especially concerning private actors, the PIPL offers much more clarity and comprehensive protection to data subjects. Although there still are some differences, most rules are largely compatible with the GDPR. 

Chinese laws like the PIPL are only intended to provide a general framework. The concretisation is supposed to take place in implementing regulations, standards and specifications. As a result, the PIPL is more principle-based and vague compared to the GDPR. Detailed rules are still needed, and the central question remains how the PIPL will ultimately be implemented.

Kat photo courtesy: Mochi & Cappuccino's mom

[Guest post] China Passes Its First Comprehensive Data Protection Law [Guest post] China Passes Its First Comprehensive Data Protection Law Reviewed by Tian Lu on Sunday, August 29, 2021 Rating: 5

No comments:

All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.