China’s Emerging Data Protection Framework

25 Pages Posted: 14 Dec 2021

Rogier Creemers

Leiden University - Leiden Institute for Area Studies

Date Written: November 16, 2021


Over the past five years, the People’s Republic of China has accelerated efforts to establish a legal architecture for data protection. With the promulgation of the Personal Information Protection Law (PIPL) and the Data Protection Law (DSL) in the summer of 2021, the first phase of these efforts has been concluded. These will have a significant impact on data flows within China, but also merit foreign attention. They provide a new approach to data protection to be subjected to comparative analysis, and may influence the development of data protection legislation in other states, particularly those with close digital connections to China. Doing so requires a greater understanding of how this legislation is shaped by the Chinese political and economic context.

Drawing on a thorough review of government documents, supplemented by Chinese-language academic sources, this article reviews the evolution of the two pillars of China’s data protection architecture, from the early stage of fragmentation via the promulgation of the Cybersecurity Law in 2016, up to the present day. It finds that the PIPL and its attendant regulations serve to primarily regulate the relationship between large technology companies and consumers, as well as prevent cyber crime. It does not create meaningful constraints on data collection and use by the state. Even so, the PIPL bears a clear family resemblance to personal data protection regimes elsewhere in the world. In contrast, the DSL is a considerable innovation, attempting to prevent harm to national security and the public interest inflicted through data-enabled means. While implementing structures for this Law remain under construction, it will likely herald a thorough reorganization of the way through which data is collected, stored and managed within all kinds of Chinese actors.

Suggested Citation

Creemers, Rogier, China’s Emerging Data Protection Framework (November 16, 2021). Available at SSRN: or

Rogier Creemers (Contact Author)

Leiden University - Leiden Institute for Area Studies

Matthias de Vrieshof 3
Room 10
Leiden, 2311
