A new paper by Anja Geller

When I told people that I am writing an article about Chinese data protection law, the most common reaction was the question “does that even exist?” The surprised and doubtful undertone motivated me to find a convincing answer. On my way, I encountered some obstacles. There is a plethora of regulations with different scopes, legislation bodies and legal effects. Even for specialised Chinese lawyers, it can be difficult to figure out which norms apply in a certain case. In the end, I chose to restrict my analysis to the 13 most important Chinese regulations with a nationwide scope of application.

Lacking a unified law, these norms have to be seen in combination to determine the comprehensiveness of Chinese data protection law. As the European General Data Protection Regulation (GDPR) is one of the most comprehensive and modern data protection regimes, I used it as a framework. When viewing the Chinese norms against this backdrop, it quickly becomes clear that especially the non-binding norms and drafted provisions are the most progressive and strict ones. They show that the Chinese legislators are moving towards the European system rather than the US or a taking a third way.

However, as is common for such cases of legal orientation, “Chinese characteristics” remain. For example, strong divergences exist in the area of administrative penalties. Instead of a focus on severe monetary penalties similar to the GDPR, there are many different sanctions. Starting with warnings and orders to correct, infringers may face a suspension or closure of their business, revocation of their business licences or even a definitive ban from the profession. Furthermore, measures of “naming and shaming” such as the publication of these sanctions in the “Social Credit Register” and other public announcements may be ordered. Compared to the European medieval equivalent of the pillory, such punishments have a long and living tradition in China. Especially the emerging “Social Credit System” relies on such punishments and is presented as a crucial tool for making citizens and companies comply with the law.

Another “Chinese characteristic” is the “real-name registration” requirement, which has already existed in many other fields for quite some time. Providers of network access and other digital services have to require users to provide true identity information before allowing access. Although this may help law enforcement in digital environments, there are well-founded fears concerning its negative implications on privacy and the freedom of speech.

Nevertheless, there are also a lot of positive developments from a European data protection perspective. The Chinese legislators have been very active in recent times and many new regulations and drafts appear on an annual basis. In fact, on 21 October 2020, one month after the online publication of my article, perhaps the most significant draft was published: the “Law of the People’s Republic of China on the Protection of Personal Information (Draft)” (中华人民共和国个人信息保护法（草案）). In the article, I covered an already very promising draft of the same name, which was proposed by several delegates of the National People’s Congress (NPC) in 2017. The 2020 draft, on the other side, was published by the Standing Committee of the NPC as a whole, which gives it much more weight. Both drafts intend to become the first national “laws” that aim to protect the right to personal information as a primary goal. All other regulations that share this as a central objective are on a lower level in the hierarchy of norms.

A quick comparison of their lengths and the amount of their articles – 70 compared to 44 – suggests that the 2020 draft is even more comprehensive. Among the most striking innovations is the broad extraterritorial applicability of the 2020 draft, which is relatively similar to the GDPR. One could say that reciprocity prevails here. As the introduction of the European rules have led to much discussion and controversy, it will be interesting to see what the international response will be as this draft becomes more widely known. Since a more detailed treatment of this new draft would go beyond the scope of this blog post, I refer to the comparisons here, here and here (all in Chinese), and a comprehensive analysis here (English). When and in which form this draft will be enacted is still unclear. Nonetheless, it shows yet again that the Chinese lawmakers are actively working to create an increasingly comprehensive data protection regime.

Therefore, to the question whether or not a Chinese data protection law exists, the short answer is: yes.

The paper “How Comprehensive Is Chinese Data Protection Law? A Systematisation of Chinese Data Protection Law from a European Perspective” appeared in GRUR International 2020, 1191-1203. It is available via open access here.

Anja Geller is a PhD candidate at the Ludwig-Maximilians-Universität and a junior research fellow at the Max Planck Institute for Innovation and Competition, Munich, Germany. Contact her via Anja.Geller@ip.mpg.de or via Linkedin.