The China Model for Privacy Rights? Examining China’s Draft Laws on Data Security and Protection

China’s recently published draft laws are a step forward for privacy rights, but foreign governments and companies are right to interpret the terms with caution.

China’s massive online presence merits close scrutiny of its Internet and data regulations.

By: Grace Pyo, Staff Member

In July and October 2020, China released draft versions of the Data Security Law (English and Chinese versions) and the Personal Data Protection Law (English and Chinese versions) for public comment.  As the first unified national legislation on data security and personal data privacy, these laws, combined with the 2017 Cybersecurity Law, mark crucial steps in China’s progress towards a comprehensive legal structure for regulating cyberspace.  But they may also pose unique challenges for foreign companies operating in China or accessing data from China.  Perhaps most significantly, in a digital climate dominated by U.S. and E.U. legal standards, these laws further clarify the meaning of the “China model” for regulation of data, privacy, and the Internet.

The Data Security Draft Law

The Data Security Law (DSL), containing 51 articles, sets forth a comprehensive, top-down system for managing and protecting data.  First, the law defines key terms such as “data” and “data security” and establishes the scope of the law’s application.  Article 2 notably extends the jurisdiction of the DSL to “organizations or individuals outside of the mainland territory of the People’s Republic of China (PRC).” 

Second, the law makes it clear that national security is at the core of the DSL, with Articles 1 and 4 specifically mentioning national security and Articles 6 and 7 highlighting the role of the national security departments in implementing and enforcing the law. 

Third, the DSL imposes a wide range of obligations on the Chinese government, or State.  Chapters II (Articles 12–18) and III (Articles 19–24) include requirements such as “implement[ing] a big data strategy” (Article 13) and “establish[ing] … a mechanism for data security risk assessment” (Article 20).  For example, Article 19 requires the State to differentiate between types of data based on its relevance to economic development, impacts on national security, and the public interest.  One provision with international implications, Article 24, authorizes the State to adopt “discriminatory prohibitions, limitations, or other such measures” towards countries or regions that use similar measures against China. 

The broad and somewhat vague language of the law reflects China’s approach to these pieces of national legislation.  Instead of providing specifics, these laws lay a framework for detailed implementation of regulations and standards.

The Personal Data Protection Draft Law

The Personal Data Protection Law (PDPL), with 70 articles, focuses on data protection for private individuals and establishes significant fines — up to RMB 50,000,000 ($7.4 million USD) — for violations. 

There are several notable provisions.  First, the PDPL defines personal information broadly in Article 4 as “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons.”  Sensitive personal information, per Article 29, includes information on race, ethnicity, religion, finances, location and health. 

Second, the PDPL has multiple references to the extraterritorial applicability of the law.  Article 3 specifies that the law applies to entities outside of China that handle the personal information of people within China.  Chapter III of the law (Articles 38–43) sets regulations for the handling of cross-border data transfers.  Articles 42 and 43, which allow the Cyberspace Administration of China to employ countermeasures against any entity, individual, nation, or region that “infringes the personal information interests,” mirror Article 24 of the DSL.

Transnational Impact of the Draft Laws

The most significant area of concern to foreign companies and governments is the extraterritorial application of the draft laws, as mandated in Article 2 of the DSL and Article 3 of the PDPL.  As one publication noted, “[I]f it is collecting data, it will likely come under the law’s jurisdiction.”  

But the extraterritorial application is not unique to Chinese laws — multiple sources highlight that the extraterritorial provisions in the PDPL are similar to those of the General Data Protection Regulation (GDPR), and are perhaps even narrower than the GDPR’s provisions.  However, while the PDPL’s application of extraterritoriality may be similar to that of the GDPR on paper, in practice, China’s laws lack both the limiting influence of the E.U.’s common law and the limiting principles enshrined in the GDPR.  Concerns about the DSL and PDPL invoking legal liability for entities outside of China are thus valid.

The data localization and cross-border data transfer regulations will also have an impact on foreign companies operating within China.  While many provisions of the PDPL resemble those of the GDPR, the data localization requirements in Article 40 are unique to China.  Requiring “personal information handlers” to store data within China’s physical borders is a key aspect of China’s vision of “cyber sovereignty.”  Companies wanting to transfer personal data across borders are required under Article 38 to pass a State security assessment.  However, in a hopeful sign for foreign companies, Article 38 also lists exceptions to the security review that indicate that the new laws will mandate a more flexible standard than previous iterations of China’s cross-border data transfer regulations had required.

Finally, the DSL and PDPL both include highly flexible provisions that could permit China to block companies or implement “countermeasures” against countries when it determines that there has been an infringement on personal data protections (in the PDPL) or when a foreign state has imposed “discriminatory” data regulations against China (in the DSL).  In light of the similarly justified obstacles that Chinese companies have faced in India and the United States, as well as in other countries, China is asserting its ability to employ these steps as countermeasures.  One news source with ties to the PRC mentioned data breaches at Twitter and Facebook in its discussion of the PDPL, hinting that U.S. companies could become subject to these restrictions.

A “China Model” for Data Security and Privacy Law?

More broadly, the DSL and PDPL further clarify China’s vision for data security, privacy, and Internet regulation.  While the PDPL resembles the GDPR, its robust articulation of personal data privacy for individuals in China applies only in the context of commerce.  The draft laws lack any mention of privacy expectations or rights for individuals against the State.  For governments seeking to maintain their ability to surveil individuals while fostering economic growth, China’s model is highly appealing.

China’s model, as seen in the PDPL, is responsive to strong domestic demand for consumer privacy protections.  As China has over 900 million Internet users, a thriving digital economy, and widespread instances of data theft and fraud, it is no wonder that there is increasing demand for data security and privacy.  A 2018 case before the Beijing Internet Court, where the plaintiff sued after being scammed out of 300 RMB when an airline leaked their data, is emblematic of the concerns around data privacy.   Chinese consumers have expressed growing discomfort with unrestricted data collection by private firms.  With these factors in mind, the PDPL’s consent-based regime for use of personal data and articulation of individual rights in Articles 44–49 align with these consumer concerns.

At the same time, China’s model carries contradictions in that it maintains strong privacy rights within the private sector but has no standard for personal privacy rights against the State.  China has managed to persist in maintaining an invasive surveillance regime and utilizing facial recognition software while simultaneously including biometric data as part of its definition of “sensitive personal information” in Article 29 of the PDPL.

The Draft Data Security Law and Personal Data Protection Law represent China’s efforts to fill a crucial gap in its technology law and, in many ways, “catch up” to the E.U.’s GDPR.  As China’s technological capabilities — particularly with regard to artificial intelligence — advance, and as long as the United States lacks a similarly comprehensive legal framework on cybersecurity, China is moving towards a role of global leadership and influence in data regulation and cybersecurity.  In light of the concerns raised by the draft DSL and PDPL, foreign companies and states are right to view such a development with caution.

Grace Pyo is a second-year student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law.  She graduated from Wheaton College (IL) in 2015.  Prior to law school, she worked as a management consultant for Accenture on robotic process automation and predictive analytics projects.
