Greenleaf on China’s Completed Personal Information Protection Law

Graham Greenleaf (University of New South Wales) has posted “China’s Completed Personal Information Protection Law: Rights Plus Cyber-security” ((2021) 172 Privacy Laws & Business International Report 20-23) on SSRN. Here is the abstract:

On 20 August 2021 the Standing Committee of China’s National People’s Congress (SC-NPC, not the NPC itself) enacted the Personal Information Protection Law (PIPL), the culmination of over a decade of incremental legislative reform. Businesses were required to adjust rapidly to the law’s starting date of 1 November 2021. Since the first draft of the PIPL was released by the SC-NPC in October 2020, it was revised in a succession of drafts. One purpose of this article is to detail these changes. The other purpose is to place the PIPL in the context of China’s near-complete cyber-security laws, of which it is part.

Of the 74 sections in the final Law, half have had non-trivial amendments since the first draft. Some of the amendments are significant, although none involve fundamental changes to the direction of the first draft. Significant amendments include: tightening controls over automated decision-making; right of data portability added; possibility of litigation by ‘privacy NGOs’; special obligations on providers of platform services; extra-territoriality is potentially extra-vague; local representatives required within PRC; and other forms of data localisation widened.

The argument is made that these export conditions are not ‘just Chinese adequacy’ but something considerably different, which seem to open the way for China to negotiate mutual data export agreements, multilateral or bilateral.

PIPL also plays a role in China’s emerging cyber-security structure. The Cybersecurity Law (CSL) of 2016, the Data Security Law (DSL) of 2021, and other more subordinate parts of China’s array of legislation, are other parts of this emerging structure.