
How China data privacy law works differently

July 20, 2022 |   Elizabeth De Jesus

China’s sweeping data privacy overhaul has reset the digital ground rules in China, but it is not without global precedent. In many respects, China’s recent laws resemble the data and privacy protections in force in America and Europe. Still, there are important differences, not just in what compliance requires but also in the law’s aims. And at a deeper level, China’s law operates differently from western legal systems.


China’s legal system has, over the past couple of decades, become increasingly sophisticated, with a body of high-quality legislation and an impressive legal profession. This is thanks in part to the Chinese government’s encouragement of a strong "rule of law", announced as a priority at the Fourth Plenum of the 18th Central Committee in 2014, and in part to the rapid growth of Chinese legal education. However, it has evolved along a different trajectory from the West.

China’s privacy law, like Chinese law in general, leaves the courts more room to rule in China’s national interest. In congressional testimony, international lawyer Dan Harris describes this risk as the "China 90:10 rule":

"Ninety percent of the time the Chinese courts will rule fairly because that allows China’s economy to function and that benefits the CCP. But when a case is important for the CCP, fairness instantly gets tossed out the window as the court will always rule to benefit the CCP. Legal scholars describe this as rule by law, as opposed to rule of law."

In other words, Harris is saying that organisations acting in accordance with the law will prevail in a dispute 90% of the time. Failing to comply with China’s laws, however, leaves an organisation 100% exposed.

National priorities

Chinese people have shown growing concern about data privacy for several years. China’s government has responded by enacting a series of data and privacy protections. The suite of legislation aims to strengthen trust and participation in the digital economy. But the laws also set out to protect China’s national security. They include stringent, broadly scoped rules around the export of nationally "significant" data.

Companies that could be described as a "major internet service platform", as having a "large number" of users, or as "engaging in complex business activities" face additional restrictions. Anyone looking to export personal data in volumes above a set threshold needs approval from the Cyberspace Administration of China (CAC).

In conversation with Sinorbis, Harris notes that there is always a risk for organisations in China whose activities are seen to harm the national interest. But, he says, the risk depends on the type of organisation, its activity, and its effort to comply.

"China is one of the least vindictive, most reasonable governments I’ve ever dealt with [outside of political and national security concerns]. If their goal is privacy protection, they’re not necessarily going to crush you if you did a little thing wrong. I’m sure people are worried that they’re going to violate these rules without knowing it, and then get in big trouble. That’s probably not going to happen."

The Personal Information Protection Law

Key to China’s data privacy overhaul is its sweeping Personal Information Protection Law (PIPL). The law not only restricts how personal data is handled within China, but also increases the penalties that companies and individuals face for breaches. The law, which came into effect on 1 November 2021, was a final hurdle to the China market that proved too high for some. Yahoo announced it was pulling out of China because of a ‘challenging’ business environment as the law came into effect, following Microsoft’s LinkedIn, which had announced its exit the previous month. However, exposure to the new law, and how an organisation must respond, varies on a case-by-case basis.

The PIPL versus the GDPR

The PIPL shares many commonalities with other personal data protection laws around the world, including Europe’s General Data Protection Regulation (GDPR).

The seminal GDPR, which came into force in 2018, spurred many global companies to audit and overhaul their handling of personal data. It has extraterritorial reach, imposes strict rules on how personal data is handled, mandates security measures for data handlers, and sets out an individual’s rights over their personal data.

Organisations must comply with a customer’s request to...       GDPR    PIPL
access their personal data                                        YES     YES
correct or amend their personal data                              YES     YES
erase their personal data                                         YES     YES
object to and restrict the processing of their data               YES     YES
data portability                                                  YES     YES, if the request is in accordance with CAC regulation
not be subject to automated decision making                       YES     YES
withdraw consent                                                  YES     YES

Conclusion

The PIPL and the GDPR share some similarities. Both laws aim to protect the individual’s welfare by restricting the use of their data and requiring those who collect it to obtain consent for its use. There is even some overlap in how they categorise the parties in the data handling process: the GDPR’s controller and processor broadly correspond to the PIPL’s personal information handler and entrusted party. However, the PIPL is not a copy of the GDPR. China’s data privacy laws differ in both content and ambition from many international data privacy laws. Organisations must work through their own compliance with China’s new laws.
