On August 20th, the National People’s Congress Standing Committee passed the Personal Information Protection Law (PIPL), the most comprehensive data protection law in China to date.
Alongside the 2021 Data Security Law and the 2016 Cybersecurity Law, it forms the foundation of a cybersecurity and data governance regime for the world’s largest online population (nearly 1bn internet users) and a market expected to contribute nearly 30% of the world’s data by 2025.
Join our WhatsApp ChannelThe law mirrors important elements of the Europe’s General Data Protection Regulation (GDPR), considered by many to be the gold standard for data privacy and protection. Both notably grant specific rights to users (such as the right to access, correction, erasure, or complaint), seek to minimize data collection and require companies to disclose how they use personal data and to obtain individual consent for data collection and processing.
Both also include the possibility of fines in case of non-compliance – fines that the EU is starting to enforce, as in the recent $267m WhatsApp decision.
There are, however, important differences. For instance, PIPL requires entities seeking to transfer Chinese data outside of the country to undergo a “security assessment” if they are from a critical infrastructure sector or transferring large quantities of personal information.
By contrast, the GDPR only requires that certain data protection safeguards be met. The law does not provide details about the nature of the security assessments or when they get triggered, only that the Cyberspace Administration of China is responsible for developing them.
Another difference lies in how extra-territorial authority is exercised. While both PIPL and GDPR have a system for listing jurisdictions and entities they deem inadequate in terms of protection, the former allows to block data flows altogether, whereas GDPR can still allow it provided explicit consent is given freely.
The critical importance attached to data under PIPL reflects a combination of national and international strategies. Back in 2020, the National Development and Reform Commission – one of China’s most important agencies – defined data as a key factor of production, along with labor, capital, land and technology.
This makes data a central part of economic planning and reflects China’s vision that technology (and the data it relies on) should serve national objectives – hence the more selective approach to encouraging certain technologies and sectors, while clamping down on others like gaming or edtech.
At the international level, PIPL makes clear the importance of establishing global data protection standards and China’s intent to actively shape them. Indeed, nearly 130 countries now have some form of data privacy and protection legislation in place. China’s tech sector reforms, too, are part of a global trend of governments seeking to do the same.
What distinguishes China is the abruptness and strength of reforms, which has led tech stocks to lose more than a trillion in market capitalization in a matter of weeks.
The hope among some foreign investors that China’s tech sector would evolve in a free-market way has thus proven to be a short-lived one.
Instead, China is showing that it reserves the right to place the interests of the state over that of shareholders. As Ray Dalio warns in a recent post: “Capitalists have to understand their subordinate places in the system or they will suffer the consequences of their mistakes.”
Follow Us