China’s Completed Personal Information Protection Law: Rights Plus Cyber-security

(2021) 172 Privacy Laws & Business International Report 20-23

UNSW Law Research Paper No. 21-91

7 Pages Posted: 27 Dec 2021 Last revised: 14 Apr 2022

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: October 1, 2021

Abstract

On 20 August 2021 the Standing Committee of China’s National People’s Congress (SC-NPC, not the NPC itself) enacted the Personal Information Protection Law (PIPL), the culmination of over a decade of incremental legislative reform. Businesses were required to adjust rapidly to the law’s starting date of 1 November 2021. Since the first draft of the PIPL was released by the SC-NPC in October 2020, it was revised in a succession of drafts. One purpose of this article is to detail these changes. The other purpose is to place the PIPL in the context of China’s near-complete cyber-security laws, of which it is part.

Of the 74 sections in the final Law, half have had non-trivial amendments since the first draft. Some of the amendments are significant, although none involve fundamental changes to the direction of the first draft. Significant amendments include: tightening controls over automated decision-making; right of data portability added; possibility of litigation by ‘privacy NGOs’; special obligations on providers of platform services; extra-territoriality is potentially extra-vague; local representatives required within PRC; and other forms of data localisation widened.

The argument is made that these export conditions are not ‘just Chinese adequacy’ but something considerably different, which seem to open the way for China to negotiate mutual data export agreements, multilateral or bilateral.

PIPL also plays a role in China’s emerging cyber-security structure. The Cybersecurity Law (CSL) of 2016, the Data Security Law (DSL) of 2021, and other more subordinate parts of China’s array of legislation, are other parts of this emerging structure.

Keywords: China, data privacy, data protection, localization, North Asia, data security

Suggested Citation

Greenleaf, Graham, China’s Completed Personal Information Protection Law: Rights Plus Cyber-security (October 1, 2021). (2021) 172 Privacy Laws & Business International Report 20-23, UNSW Law Research Paper No. 21-91, Available at SSRN: https://ssrn.com/abstract=3989775 or http://dx.doi.org/10.2139/ssrn.3989775

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
Australia
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)

HOME PAGE: http://www2.austlii.edu.au/~graham

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
297
Abstract Views
1,038
rank
150,907
PlumX Metrics