Creemers on China’s Emerging Data Protection Framework

Rogier Creemers (Leiden University) has posted “China’s Emerging Data Protection Framework” on SSRN. Here is the abstract:

Over the past five years, the People’s Republic of China has accelerated efforts to establish a legal architecture for data protection. With the promulgation of the Personal Information Protection Law (PIPL) and the Data Protection Law (DSL) in the summer of 2021, the first phase of these efforts have been concluded. These will have a significant impact on data flows within China, but also merit foreign attention. They provide a new approach to data protection to be subjected to comparative analysis, and may influence the development of data protection legislation in other states, particularly those with close digital connections to China. Doing so requires a greater understanding of how this legislation is shaped by the Chinese political and economic context.

Drawing on a thorough review of government documents, supplemented by Chinese-language academic sources, this article reviews the evolution of the two pillars of China’s data protection architecture, from the early stage of fragmentation via the promulgation of the Cybersecurity Law in 2016, up to the present day. It finds that the PIPL and its attendant regulations serve to primarily regulate the relationship between large technology companies and consumers, as well as prevent cyber crime. It does not create meaningful constraints on data collection and use by the state. Even so, the PIPL bears a clear family resemblance to personal data protection regimes elsewhere in the world. In contrast, the DSL is a considerable innovation, attempting to prevent harm to national security and the public interest inflicted through data-enabled means. While implementing structures for this Law remain under construction, it will likely herald a thorough reorganization of the way through which data is collected, stored and managed within all kinds of Chinese actors.