Divided into 8 Chapters with a total of 74 Articles, the PIPL details a range of regulations and principles guided by 3 main objectives:
1. to “protect the rights and interests of individuals”;
2. to “regulate personal information processing activities”;
3. and to “promote the rational use of personal information” (Article 1).
The broader significance of the PIPL is that China is now, in concept, equal to the UK/EU under the GDPR. In some cases, the PIPL may even surpass the GDPR in terms of the strictness and scope of protections.
For example, the PIPL authorises the Chinese government to blacklist foreign entities and individuals if needed to prevent access to Chinese citizens’ data. It also entitles the government to take retaliatory actions against countries or regions that adopt “discriminatory measures” against China with regard to personal data protection. These provisions (found in Articles 42 & 43) are written vaguely, and their wider impacts are yet to be ascertained.
In another instance, if a company wants to transfer personal data of Chinese citizens outside of China, it must obtain approval from the national cyberspace department (Article 38). There is speculation that the cyberspace department will not approve data transfers from China to countries that have lower standards of personal data protection. If true, this may discourage Chinese or China-based companies from sharing data with overseas parties, and/or incentivise companies to pressure foreign parties to comply with Chinese laws and regulations.
Protective measures such as these convey a distinct nationalistic tone and may help China emerge as a world leader within the data protection industry. In fact, incorporated into the PIPL is an Article dedicated to this external ambition: Article 12 mandates China to “actively [participate] in the formation of international rules” for personal data protection, and promote personal data protection standards “with other countries, regions, and international organisations.”
The extent to which the PIPL will change the global perspective on personal data protection depends entirely on China’s dedication to enforcing the law. If successful in its implementation, the PIPL may be considered equivalent to the GDPR. What impacts this will have on Sino-European relations depends entirely on whether the European Commission will grant China an adequacy decision, which would allow the trade of data between China and Europe. Politics aside, only time will tell how the PIPL operates in practice and how it stands up in comparison with the GDPR.