China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU?
70 Pages Posted: 9 Mar 2020 Last revised: 20 May 2020
Date Written: 2020
Abstract
Because of state surveillance, data privacy in China is often assumed to be inexistent. Yet, the country regulates differently privacy from the state and privacy from private actors. Consumer data privacy in China is at the forefront of new regulations issued during the last years to create a legal framework on data protection, up to the Cybersecurity Law. Despite the tremendous increase of data transfers from the West to China, there is a scarcity in the legal research about Chinese data protection rules, the building of China’s approach on this domain and its consequences.
This Article compares China’s data privacy laws (most notably the Cybersecurity Law and its guidelines) to the dominant approaches coming from the EU and the U.S. The goal is to identify China’s direction, whether it transplants their rules, and the specificities that make China’s approach different from Western models. The results of this comparative study show that China initially followed a path resembling the U.S. approach, before recently changing direction and converge with the more stringent EU rules on several legal elements, especially through the Cybersecurity Law and the Personal Information Security Specification. Up to the point that China now has a comprehensive data protection law on its legislative agenda and encourages privacy protection for consumers that sometimes surpasses U.S. rules.
This research identifies and decrypts specificities of data protection in China that make China’s voice special with the potential to gain influence in this field, whereas Western rules are the only bearing regulatory clout so far. These Chinese characteristics, such as the paradoxical – yet parallel – increase of both state surveillance and consumer privacy and the cyber-sovereignty principle impacting personal data protection, now compose China’s approach. This “data privacy with Chinese characteristics” will bear consequences on the country’s forthcoming regulations on artificial intelligence and for future policy developments in the EU and the U.S.
Keywords: China, Cybersecurity, Privacy, European Union, GDPR, United States, Data Protection, Data Privacy, Cybersecurity Law, Surveillance, Artificial Intelligence
Suggested Citation: Suggested Citation