Greenleaf on China’s Comprehensive Draft Data Privacy Law

Graham Greenleaf (University of New South Wales, Faculty of Law) has posted “China Issues a Comprehensive Draft Data Privacy Law” ((2020) 168 Privacy Laws & Business International Report 1, 6-10) on SSRN. Here is the abstract:

The long-anticipated Law of the People’s Republic of China on the Protection of Personal Information (Draft) (‘PPIL’) was released by the Standing Committee of the National People’s Congress (SC-NPC), the second-highest legislative body in China, on 21 October 2020. Its enactment will be the culmination of a decade-long evolution. The article analyses the draft PPIL and considers where it goes beyond the previous benchmark, the CyberSecurity Law (CSL) of 2016, and compares aspects of the EU’s GDPR.

The article concludes that, while detailed conclusions await enactment, some things are clear enough. China’s draft law is well within the normal global range of data privacy laws, shows many GDPR influences, and goes beyond the GDPR on some points. It goes further in many respects than the 2016 CSL, and the 2017 PI Standard. The ‘enforcement toolkit’ is diverse, with ‘dissuasive’ sanctions, as the GDPR puts it. These apparently strong data privacy rights in the private sector must co-exist with a high level of government surveillance (including the ‘Social Credit’ system) but they are likely to be enforceable because China needs there to be public trust in its e-commerce sector, and aspects of e-governance, so credible data privacy laws are necessary.

Other than the absence of a DPA (specialised, or independent), the most important departure from ‘European’ norms is that the data export restrictions are largely at the discretion of the CAC, with no objective criteria, and other forms of data localisation are similar. Multiple risk points for foreign and local companies will result.

For other countries attracted to ideologies of ‘data sovereignty’, the ‘Chinese model’ (explained in the article) may prove an attractive one to emulate. Internationally, this will fit uncomfortably with both the EU’s GDPR and US laissez-faire. Disputes before international trade forums are likely to result.