China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU?

70 Pages Posted: 9 Mar 2020 Last revised: 20 May 2020

See all articles by Emmanuel Pernot-Leplay

Emmanuel Pernot-Leplay

Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT); Shanghai Jiao Tong University (SJTU) - KoGuan Law School

Date Written: 2020


Because of state surveillance, data privacy in China is often assumed to be inexistent. Yet, the country regulates differently privacy from the state and privacy from private actors. Consumer data privacy in China is at the forefront of new regulations issued during the last years to create a legal framework on data protection, up to the Cybersecurity Law. Despite the tremendous increase of data transfers from the West to China, there is a scarcity in the legal research about Chinese data protection rules, the building of China’s approach on this domain and its consequences.

This Article compares China’s data privacy laws (most notably the Cybersecurity Law and its guidelines) to the dominant approaches coming from the EU and the U.S. The goal is to identify China’s direction, whether it transplants their rules, and the specificities that make China’s approach different from Western models. The results of this comparative study show that China initially followed a path resembling the U.S. approach, before recently changing direction and converge with the more stringent EU rules on several legal elements, especially through the Cybersecurity Law and the Personal Information Security Specification. Up to the point that China now has a comprehensive data protection law on its legislative agenda and encourages privacy protection for consumers that sometimes surpasses U.S. rules.

This research identifies and decrypts specificities of data protection in China that make China’s voice special with the potential to gain influence in this field, whereas Western rules are the only bearing regulatory clout so far. These Chinese characteristics, such as the paradoxical – yet parallel – increase of both state surveillance and consumer privacy and the cyber-sovereignty principle impacting personal data protection, now compose China’s approach. This “data privacy with Chinese characteristics” will bear consequences on the country’s forthcoming regulations on artificial intelligence and for future policy developments in the EU and the U.S.

Keywords: China, Cybersecurity, Privacy, European Union, GDPR, United States, Data Protection, Data Privacy, Cybersecurity Law, Surveillance, Artificial Intelligence

Suggested Citation

Pernot-Leplay, Emmanuel and Pernot-Leplay, Emmanuel, China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU? (2020). Penn State Journal of Law & International Affairs, Vol. 8, No. 1, 2020, Available at SSRN:

Emmanuel Pernot-Leplay (Contact Author)

Shanghai Jiao Tong University (SJTU) - KoGuan Law School ( email )


Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT) ( email )

P.O.Box 90153
Prof. Cobbenhagenlaan 221
Tilburg, 5037

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics