Jan. 4, 2021
This article is part of the DigiChina Project, based at the Stanford University Cyber Policy Center and a joint effort with New America.
In October, China’s National People’s Congress (NPC) released a long-awaited draft of the Personal Information Protection Law (PIPL, translation here), a milestone in China’s years-long effort toward a comprehensive privacy and data governance regime. If enacted, not only would the law reshape privacy law in China, but it would also be a major force in the evolving global privacy landscape and a highly consequential regulatory framework for international business.
China’s draft PIPL represents a third way between the sectoral U.S. approach, which applies different rules for specific industries or classes of consumers, and the European Union’s comprehensive General Data Protection Regulation (GDPR) framework, which enshrines fundamental rights across contexts. With the draft law, China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers.
The draft law is a significant step in the Chinese government’s overall data governance strategy that seeks to balance data protection and technological advancement for 940 million Chinese internet users. However, the draft also highlights Beijing’s increased national security concerns related to the international digital economy, including data localization measures that go beyond the 2017 Cybersecurity Law (in Articles 37 and 40 of the draft), a potential blacklist banning certain overseas data controllers and processors (Article 42), and reciprocal actions against countries that take discriminatory measures against Chinese companies (Article 43).
Prior to the release of the draft law, China had relied on scattered provisions on personal information protection and various measures from the Cybersecurity Law. To consolidate those efforts, China gradually built out its data privacy systems through the release of the Personal Information Security Specification in May 2018, the same month the EU’s GDPR took effect. Since then, though it is technically nonbinding, the specification has served as the primary regulatory reference within China to respond to the increasing public concerns about online fraud and misuse of personal information. While enforcement against a thriving trade in stolen personal information increased, it is still difficult for citizens to prove violations and seek damages. That changed somewhat in May 2020, when the NPC approved the Civil Code, naming “data privacy” as one of several newly codified “personality rights (人格权).” If enacted, the PIPL would be central to governing personal information use for Chinese citizens and would stand alongside the Cybersecurity Law, the draft Data Security Law, and the Civil Code as a pillar of the Chinese data governance regime. However, these laws and provisions reveal a lack of harmonization within the Chinese government and limited legislative capacity in the current system.
China’s draft law, Europe’s GDPR, and barriers to interoperability
Any major privacy law is inevitably compared with Europe’s GDPR. This is in part because it provides a comprehensive framework that inspired regulation in other jurisdictions, including China, but also because the European rules apply to how Europeans’ data is handled around the world, making GDPR a reference point for anyone handling multinational personal data.
In many respects, the Chinese draft law shows similarities with the GDPR, not least when it comes to its reach outside China’s borders. The draft’s extraterritoriality provisions apply to personal information processing outside China to provide products or services to Chinese citizens or to analyze and evaluate the behavior of Chinese citizens. Several widely-adopted privacy best practices in the GDPR, including data minimization and purpose limitation, are also reflected in the draft. Broadly speaking, the definitions of personal information, sensitive information, individual rights, and legal bases for processing all have similarities with the GDPR, though there are important differences.
The most significant difference between the GDPR and the Chinese draft law lies in the provisions related to national security. The GDPR, in principle, promotes the free flow of data across borders, providing several legal transfer mechanisms. However, while some European Commission officials have been publicly critical of data localization measures, others seem supportive of the concept. The draft PIPL, on the other hand, does not send mixed messages, requiring Cyberspace Administration of China (CAC) security assessments before an extremely broad array of actors—critical information infrastructure (CII) operators and personal information handlers operating at a certain (yet to be defined) volume—may transfer personal data abroad.
Broad requirements, however burdensome, do not make things simple. According to the Cybersecurity Law, CII data, including personal data, must be stored within China. The PIPL not only expands that requirement to personal data handled by non-CII operators, but it also raises questions about the division of responsibilities between the CAC and the Ministry of Public Security (MPS)—bureaucracies engaged in a turf war over critical infrastructure protection and other matters since the CAC’s inception in 2014. Additionally, the draft law requires that personal information processed by the state be stored in China. Those requirements would represent an expansion of the existing data localization measures in the Cybersecurity Law and the draft Data Security Law, which are all at odds with GDPR’s mechanisms to enable data flows when conditions are met. While some differences with GDPR are to be expected, internal inconsistencies could undermine data protection and could hinder work toward implementation and interoperability among data regimes.
In a further departure from the GDPR model, the draft PIPL would allow the government to establish a blacklist of overseas data controllers and processors banned from processing Chinese personal data if they are found to be violating China’s national security or public interests, and it would allow the Chinese government to take reciprocal actions against countries deemed to engage in discriminatory regulatory measures in the name of data protection against China or Chinese companies. Together, these measures reflect the Chinese government’s efforts to protect and control Chinese citizens’ data from disclosure or abuse by untrusted parties globally, and to protect Chinese companies overseas amidst increased international concerns about privacy and government access to data.
In the context of this draft law, privacy is pursued mainly against private sector risks. Although the draft would apply personal data processing rules to the government, the Chinese system lacks clear measures and boundaries to protect citizens’ privacy when national security or the public interest is invoked. In the post-Snowden era, citizens and governments around the world have pushed to protect individual privacy against government surveillance, but there still is no global solution that balances the heightened privacy concerns against national security needs. However, the recent Schrems II ruling from the Court of Justice of the European Union, which invalidated a major mechanism for transferring data from the European Union to the United States, illustrates the need for solutions at a global level and for reforms and greater transparency in global surveillance practices, especially when it comes to proportionality and individual redress rights. Given the lack of measures balancing government surveillance against citizen privacy within China, it is unclear how the Chinese government could meaningfully engage with these pressing questions globally, absent significant reforms and transparency regarding its own surveillance practices. Despite its status as one of the top data importers and exporters and its ambition, expressed in Article 12 of the draft PIPL, to gain mutual recognition of data protection rules with other countries, China is likely to face heightening challenges advancing its model of data governance on the global stage.
In the global privacy landscape post-Schrems II, regulators around the world certainly focus on U.S. tech companies that control a large amount of personal information. However, regulators may also realize the risk of transferring data to China is difficult to mitigate, due to Chinese authorities’ broad ability to access data. As Chinese companies increasingly operate globally, the heightened call for data protection will put Chinese companies at a competitive disadvantage. It is unclear how the potential for retaliatory measures may further affect China’s pursuit of mutual adequacy with other data protection regimes around the world.
For international business, a global regulatory burden and geopolitical risk
Still, because China is such an important market, its data rules have major implications for international businesses that deal with China in a number of ways. Given that the reach of the PIPL extends beyond China’s borders, many organizations based outside mainland Chinese territory but handling Chinese citizens’ data will still be affected. Ultimately, this means that almost every major corporation in the world will need a China PIPL compliance strategy. Companies would need to conduct data mapping, review privacy practices and consent requirements, assign a data protection officer (DPO) within China (Article 52), and create procedures around data breach reporting (Article 55).
As drafted, compliance would not be easy:
- Unclear allocation of accountability between data controllers and processors—or is it “handlers” and “entrusted parties”? Under the GDPR, in its own terminology, data controllers are responsible for protecting the privacy of data subjects—even if they engage outside data processors—ensuring that citizens have a single point of contact when exercising their rights. The draft PIPL uses a different but overlapping vocabulary, referring to what earlier Chinese practice had called personal information “controllers” (控制者) as personal information “chǔlǐzhě” (处理者). Not only has the term changed, but personal information chǔlǐzhě has been used elsewhere in Chinese to specifically mean “processors” in the GDPR sense. To avoid confusion, DigiChina thus translates chǔlǐzhě in the PIPL as “handler.” Meanwhile, having already used the term generally reserved for processing, the draft PIPL refers to what are commonly called data processors as “entrusted parties” (受托方) (Article 22).
- Heavy reliance on consent. The draft PIPL suggests a heavy reliance on consent, even more so than the GDPR, for the legitimacy of data activities among handlers, entrusted parties, and third parties. Requirements for “separate consent” (单独同意, also translated as “specific consent”) throughout the draft law, especially in the context of providing data to a third party (Article 24), raise the potential of major burdens in obtaining separate consent. And the draft sends mixed signals as to whether contractual arrangements with an overseas recipient are sufficient to allow cross-border data transfer under Article 38, or whether additional notice and consent is required as indicated in Article 39.
- No independent authorities. The PIPL does not establish an independent data protection authority (DPA) as the GDPR and some other privacy regimes do. CAC is the enforcer while also being a policymaker.
- Risks if a company or its home government runs afoul of China’s government. Article 42 would establish a CAC list of foreign companies limiting or banning their processing of Chinese personal data, and Article 43 authorizes reciprocal measures against any country adopting discriminatory measures toward China, providing a legal basis to stifle competitors. Required company representatives in China could be subject to fines under Article 62 for the company’s violations. It is hard to predict and envision under what circumstances the Chinese government would trigger those provisions, and there is no guarantee that expensive privacy compliance efforts can prevent multinational companies from becoming targets.
The exact future of China’s data privacy rules is still uncertain. The PIPL, if enacted, will likely be revised at least in small ways following this first public draft, and it may take months or years to take effect and to fill out the inevitable array of implementing rules. Enforcement will be a challenge regardless, and China’s system lacks an independent data protection authority, leaving bureaucracies like the Cyberspace Administration of China and the Ministry of Public Security in the position of being regulators and enforcement agencies at the same time. Combined with the overlapping personal data rules in the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, and elsewhere, officials will have much to navigate, and likely a high degree of discretion.