February 1, 2021


CHINA: Digital privacy law is a bid for global lead in internet governance

BY Gabriel Wildau

Share on twitter
Share on whatsapp
Share on facebook
Share on linkedin
Share on email
Share on reddit

Listen to our reports with a personalized podcasts through your Amazon Alexa or Apple devices audio translated into several languages

( 4 mins)
  • China’s legislature released the draft of a new Personal Information Privacy Law (PIPL) for public comment in October and may approve a final version this year.
  • Once enacted, the law will impose substantial new compliance requirements on both Chinese and foreign companies.
  • Like the EU’s General Data Protection Regulation (GDPR), the PIPL may affect companies’ global data management policies, given some extraterritorial provisions.

The draft PIPL is the latest addition to China’s developing data governance regime. The first major element was the Cybersecurity Law, which took effect in 2017 but remains only partially implemented. In June 2020, the National People’s Congress Standing Committee also published the draft of a new Data Security Law. While those two laws emphasize cybersecurity, national security, and national interests, the PIPL focuses on protecting individual privacy rights. The law is partly a response to public anger over a thriving black market in stolen personal data.


The PIPL has significant similarities with the EU’s GDPR. Like that law, PIPL aims to serve as a comprehensive framework for regulating companies’ collection and processing of personal data. The definitions of key terms – like personal information, sensitive information, individual rights – and the permitted purposes for data collection that the law stipulates are similar to GDPR. Principles like individual consent, data minimization (collecting the minimum amount of data required for a specified purpose), and purpose limitation (only using the data for a specified purpose) are also common to GDPR and PIPL. Like GDPR, PIPL also asserts some extraterritorial jurisdiction. The law seeks to regulate data processing outside China, if the purpose of such processing is to provide products or services to Chinese citizens or evaluate their behavior.

There are also important differences with GDPR, notably a greater emphasis on national security, as exemplified by stricter regulation of cross-border data transfer. While GDPR is generally encouraging of cross-border transfer, PIPL requires a wide range of data handlers to apply for a security assessment by the Cyberspace Administration of China before they are permitted to send personal data abroad. In this respect, the PIPL expands on data localization requirements specified in the 2017 Cybersecurity Law, which requires local storage of data only for so-called “critical information infrastructure” operators but not for other handlers of personal data.

PIPL also creates punitive mechanisms that could potentially be used against foreign companies or as a tool for geopolitical leverage. The law empowers regulators to create a blacklist of foreign data controllers and processors that are found to be acting against China’s national security or public interests. The law also authorizes “retaliatory measures” against “any country or region that adopts discriminatory prohibitions, limitations or other similar measures.” But as previously noted, China has shown restraint on retaliating against foreign companies, so we believe this new authority will be used sparingly.

A bid for global leadership

Finally, the PIPL says that China will “vigorously participate in the formulation of international rules” on personal data privacy and “promote mutual recognition” of data privacy rules with other countries and international organizations. This provision signals that the PIPL is likely to serve as a tool for Beijing’s pursuit of global leadership in internet governance, as embodied in the Global Data Security Initiative that the foreign ministry unveiled in September. That initiative was a response to the US State Department’s “Clean Network” initiative, announced in August 2020, which aimed to build an international coalition to exclude Chinese technology companies like Huawei from foreign networks.

The Biden administration has not yet signaled whether it intends to pursue Clean Network, but the administration is likely to seek ways to counter China’s influence in the development of global technology norms and standards. Washington’s efforts in this area may be hampered, however, by the fact that the US lacks a comprehensive legal and regulatory framework for personal data privacy, which is instead governed by a patchwork of industry-specific rules. Just as GDPR did for Europe, PIPL – whatever its substantive strengths and weaknesses – is likely to increase China’s global influence on this issue.

More by

CHINA: Power shortages lead to durable market reforms

( 5 mins) Severe power rationing has led to significant long-term reforms to China’s electricity pricing system that go beyond emergency stop-gap measures. Under the new system, coal-powered generators can pass on higher coal prices to electricity users;

Read More »

ASIA: What the Quad’s evolution means for Asia

( 6 mins) The evolution of the Quadrilateral Security Dialogue into new areas of cooperation at this week’s summit has important implications for the delicate balance of political and economic relations across Asia. For Japan, the Quad represents

Read More »