In the summer of 2021, China’s National People’s Congress passed two pieces of data-related legislation, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). These laws, which entered into force in September and November respectively, form the centre of what will become a comprehensive regulatory architecture governing all important aspects of data collection, storage, processing, trading and export in China as well as, in some cases, abroad. With this process, Beijing is creating a model that borrows some elements from the EU’s approach, but also contains many novel elements. These may be influential outside its borders as well.
Data protection has not always been a priority for the Chinese government. Until the early 2010s, it was usually only present as one of many elements in sector-specific regulations. As a result, data protection efforts were fragmented, and few enforcement resources were devoted to it. However, things started to change following the rapid digitisation of Chinese society, particularly as AI and big data gained prominence as groundbreaking enabling technologies for further economic growth and governance reform.
These technologies also presented greater data-related headaches for Beijing. On one side, threats from abroad increased: there were the Snowden revelations as well as Microsoft’s decision to discontinue security support for Windows XP. This system, albeit obsolete, still powered around two-thirds of computers in China, and lack of security had the potential to expose large amounts of Chinese-held data to harm, espionage or disclosure. This episode revealed China’s vulnerability to moves by foreign corporations over which it had little control. At home, the incidence of data-related fraud and abuse increased, ranging from telecommunications fraud to corporate or government insiders illegally selling data to firms. In one incident that became infamous, a young woman died of a heart attack after she was swindled out of her family’s college savings.
The Beginnings of Data Protection Regulation
Responding to the evolving digital environment, in December 2012 the National People’s Congress Standing Committee passed a resolution to protect online data. This was the first data-related policy document with a general scope of application. It included broad norms on corporate behaviour, including establishing consent, necessity and legality as foundational principles for personal data collection and processing, and it called for a stricter responses to data-related abuses. Underscoring the relationship between data protection and other aspects of Chinese digital policies, it also contained provisions mandating Internet service providers cooperate in censoring undesirable online content.
The next step forward came with the promulgation of the Cybersecurity Law (CSL) in 2016. This law consolidated the principles from the 2012 resolution and added provisions on personal data localisation. However, the law also contained the first rules related to a category of information dubbed “important data”, declaring that it must be stored within Chinese territory. In both cases, the CSL provided little actual detail on compliance or procedure. This is common in Chinese legislation, which serves primarily to lay down fundamental principles and objectives and create mandates for administrative bodies to draft the implementing regulations that contain specifics. However, the CSL contained the embryonic form of the bifurcation that has come to characterise the Chinese data protection regime. On the one hand, the personal information protection side seeks to prevent harm to individuals arising from abuse of their data. On the other hand, the “important data” clauses would evolve into a framework to safeguard national security and the public interest from threats enabled by any kind of data, personal or otherwise.
The succinct and general language in the CSL thus required greater detail to be set out in administrative regulations. However, despite several efforts to draft such documents for general aspects of data protection as well as data export, none were ever adopted or took effect. Multiple factors contributed to this. Some were substantive: data regulation would involve many difficult trade-offs, technical specifications and definitions, presenting a steep learning curve to the administrative bodies involved. But there were also political considerations, most notably a turf battle between the Cyberspace Administration of China and the Ministry of Public Security. Gaining greater powers over data protection would come with increased budgets and administrative resources, as well as visibility and prestige. By 2018, the decision was taken to take data protection regulation out of the hands of the ministries and bring it back to the legislative level, under closer control by the central leadership. The legislative process for both the PIPL and the DSL took place in tandem, and they were finalised within weeks of each other in 2021.
From Fragmentation to Systematisation
The Personal Information Protection Law, in its final iteration, remains focused on preventing harm to individuals. However, the definition of harm expanded throughout the drafting process. While the initial focus lay on activities that involved clear elements of wrongdoing, such as data theft and fraud, the final version also targeted algorithm-based business models used by large platforms for content recommendation, labour planning, etc. Furthermore, the law created new responsibilities for companies, including obligations to establish internal data protection departments and requirements for corporate heads to participate in important corporate decisions. Present from the start were requirements for security reviews in case of data export, as well as a tripwire clause enabling retaliatory measures against foreign governments that impose sanctions against China. Perhaps unsurprisingly, the PIPL mostly targets private industry. It does not, unlike the GDPR, attempt to establish a general privacy framework enforceable against any actor in order to realise fundamental rights. In fact, the very notion of a fundamental right does not meaningfully exist in the Chinese legal order. The brief section outlining state bodies’ use of personal information creates wide discretion for them to act, as long as they do so to realise their statutory aim. Yet even if the PIPL contains elements that are distinctly Chinese, it remains very recognisable to data protection lawyers and experts worldwide.
The Data Security Law, in contrast, is completely novel among major digital players. Its aim is to ensure Chinese national security and the public interest are not threatened by the abuse of data. This includes any kind of data: personal information as well as data emerging from industrial processes, infrastructure, computer systems or financial transactions. To that end, it institutes a structure where all data must be classified into one of five tiers, depending on its importance and sensitivity. For higher-tiered data, more stringent and frequent security inspections, audits and reporting requirements apply. Furthermore, on top of the category of “important data” instituted in the CSL, the DSL adds a higher-priority tier of “national core data”. Yet innovative as the DSL is, it leaves many questions, or passes them back down to the administration. After long wrangling in successive drafts on the definition of important data, the final version requires individual ministries to compile data classification categories within their policy areas, a considerable administrative project which will likely take several years to complete and implement.
Since the summer of 2021, the first measures towards implementation of the DSL and PIPL have already been published in several areas. One interesting illustration is the area of smart cars. New vehicles are equipped with more and more sensors, cameras and radio stations, and authorities have become worried about the possible consequences of leaks and abuse, both on the personal information level and on the national security level. This concern particularly played out in relation to Tesla, whose products have been banned from military facilities and other government compounds. Other draft regulations provided greater detail on cross-border data provision, including new limits on Chinese companies holding personal information of over one million people listing on foreign stock markets. In other words, data protection is increasingly becoming an element of securities regulation as China seeks to minimise its vulnerability to foreign control.
To summarise, China’s data protection regime is a full-spectrum effort that combines several overlapping objectives. Much of what the PIPL does is similar to the consumer protection role of the GDPR, and it is interesting that China seems to be moving parallel to the EU in this regard. Yet it also serves some of China’s digital industrial policy goals: the mandated cybersecurity reviews and inspections will create considerable demand for the fledgling Chinese cybersecurity industry, which Beijing devoutly wishes to see grow. Lastly, they serve strategic interests, protecting the Chinese nation and the CCP regime against adversaries both at home and abroad.
Implications for the EU Data Governance Regime
How does this emerging regime affect European interests, or why should observers dedicate attention to it?
First and foremost, as a core regulatory regime in the world’s largest online population, it will have a significant impact on the operation of businesses. While large online platforms, such as Alibaba and Tencent, might come to mind first, the reality is that just about all companies – including European ones – have become data-centric. In terms of products, for instance, the focus on smart cars in implementing regulations underscores the extent to which data-related services and analytics have become central to the automobile industry. Yet companies also hold significant operational data which could fall either under the remit of the PIPL (such as HR data) or the DSL (such as data on the operation of plants and factories). A secondary question is the extent to which European companies might be exposed to the extraterritorial intentions of the DSL and PIPL. There is still little clarity about the jurisdictional approach and conflict-of-laws procedures that regulators will follow.
Second, these new laws matter from a political-diplomatic perspective, particularly in the area of personal information protection. Even though China now explicitly pursues self-reliance in many areas of the digital economy, it is also making moves towards greater international cooperation. It has, for instance, recently applied to join the Digital Economy Partnership Agreement (DEPA), an initiative of Singapore, New Zealand and Chile to develop more uniform rules for cross-border digital trade. Some of the academics involved in the drafting of personal information regulation have explicitly acknowledged the inspiration they derived from the GDPR, while other recent moves by the Chinese government on regulating algorithms and the platform economy rather resemble elements of Europe’s New Deal for Consumers and the Digital Markets and Services Acts currently in the works. China may make overtures towards negotiating an adequacy agreement with the EU in the near future. The low political likelihood of such a bid succeeding may further complicate relations between Brussels and Beijing, and create further barriers or uncertainties for European businesses operating in China.
Third, China’s data framework creates a new model that might inspire imitation elsewhere in the world, particularly where the DSL is concerned. While there is a clear family resemblance between the PIPL and other personal data protection systems around the world, the DSL breaks new ground in its attempt to create a legal regime to safeguard national security and the public interest from data-enabled threats, and is the only legislative framework to currently do so among major digital powers. Yet China is not unique in facing these issues, and so other governments are looking for solutions as well. It is possible that the Chinese approach turns into an example of how not to realise those aims, but at the very least, it is an example. If the DSL is successful, we may see the emergence of a “Beijing effect” to mirror the Brussels effect that makes the EU a major regulatory power.
About the Author
Rogier Creemers is a postdoctoral scholar in the Law and Governance of China, working for both the Van Vollenhoven Institute and the Leiden Institute for Area Studies. His main research interests are the interaction between law, governance and information technology in China, and Chinese political-legal ideology. His work has been published in, amongst others, The China Journal and the Journal of Contemporary China. He also edits China Copyright and Media, a database of translated Chinese policy and regulatory documents in his fields of interest. He has regularly contributed to reports in media such as the New York Times and the Financial Times, and has provided input into policy processes such as the Sino-EU Cyber Dialogue.