Graham Greenleaf (University of New South Wales, Faculty of Law) has posted “China Issues a Comprehensive Draft Data Privacy Law” ((2020) 168 Privacy Laws & Business International Report 1, 6-10) on SSRN. Here is the abstract:

The long-anticipated Law of the People’s Republic of China on the Protection of Personal Information (Draft) (‘PPIL’) was released by the Standing Committee of the National People’s Congress (SC-NPC), the second-highest legislative body in China, on 21 October 2020. Its enactment will be the culmination of a decade-long evolution. The article analyses the draft PPIL and considers where it goes beyond the previous benchmark, the CyberSecurity Law (CSL) of 2016, and compares aspects of the EU’s GDPR.

The article concludes that, while detailed conclusions await enactment, some things are clear enough. China’s draft law is well within the normal global range of data privacy laws, shows many GDPR influences, and goes beyond the GDPR on some points. It goes further in many respects than the 2016 CSL, and the 2017 PI Standard. The ‘enforcement toolkit’ is diverse, with ‘dissuasive’ sanctions, as the GDPR puts it. These apparently strong data privacy rights in the private sector must co-exist with a high level of government surveillance (including the ‘Social Credit’ system) but they are likely to be enforceable because China needs there to be public trust in its e-commerce sector, and aspects of e-governance, so credible data privacy laws are necessary.

Other than the absence of a DPA (specialised, or independent), the most important departure from ‘European’ norms is that the data export restrictions are largely at the discretion of the CAC, with no objective criteria, and other forms of data localisation are similar. Multiple risk points for foreign and local companies will result.

For other countries attracted to ideologies of ‘data sovereignty’, the ‘Chinese model’ (explained in the article) may prove an attractive one to emulate. Internationally, this will fit uncomfortably with both the EU’s GDPR and US laissez-faire. Disputes before international trade forums are likely to result.

David Erdos (University of Cambridge – Faculty of Law; Trinity Hall) has posted “The UK and the EU Personal Data Framework After Brexit: Another Switzerland?” on SSRN. Here is the abstract:

The UK-EU Trade and Cooperation Agreement sets out a pathway for the UK to have the closest relationship on personal data with the EU outside of the European Economic Area (EEA) and Switzerland. This is principally apparent in the area of justice and security where there is very extensive provision for data exchange including DNA and fingerprints. This exchange rests on specified common standards and will likely be complemented by the first ever EU adequacy agreement under the Law Enforcement Directive. In some contrast, understandings in the general area of data protection (at least outside direct marketing) point only to mutual adequacy. Whilst mandating “essentially equivalent” (GDPR, recital 104) protection, significant flexibility is retained. Given the UK’s distinct approach to data protection, the EU may find that it adopts a more divergent approach in the medium term than, for example, Switzerland. Bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar for a more graduated regime which also seeks to clearly reconcile data protection with competing rights. The paper tentatively examines what that might entail for the proactive transparency rules, sensitive data regime, integrity provisions and specific restrictions. Any such reform would require great care and should not detract from the need for much more effective practical enforcement.

Recommended.