Protocol | China

Unpacking China’s game-changing data law

Its emphasis on digital sovereignty could fragment the global privacy landscape.

lock and key on keyboard

China's new Personal Information Protection Law is its next step in promoting national security.

Photo: Patrick Pleul/Picture Alliance/Getty Images

China's National Congress passed the highly anticipated Personal Information Protection Law on Friday, a significant piece of legislation that will provide Chinese citizens significant privacy protections while also bolstering Beijing's ambitions to set international norms in data protection.

China's PIPL is not only key to Beijing's vision for a next-generation digital economy; it is also likely to influence other countries currently adopting their own data protection laws.

The new law clearly draws inspiration from the European Union's General Data Protection Regulation, and like its precursor is an effort to respond to genuine grassroots demand for greater right to consumer privacy. But what distinguishes China's PIPL from the GDPR and other laws on the books is China's emphasis on national security, which is a broadly defined trump card that triggers data localization requirements and cross-border data flow restrictions.

"It provides an additional justification, if you will, to countries that were keen to pursue a similar agenda [about] tech sovereignty [and] localization," Clarisse Girot, director for Asia Pacific at the nonprofit organization Future of Privacy Forum, told Protocol. "And it really signals [China]'s intention to have an influence that's commensurate with the size of its economy and its technological capabilities."

A special breed of data protection

Cross-border data transfer provisions are by now a staple in data protection laws globally, Girot said, but China's approach to data transfer is more heavy-handed; transfers can be restricted or banned if they harm China's national security, and China defines national security more broadly than most other countries.

The PIPL contains provisions requiring all data processed by national agencies and so-called critical information infrastructure operators be stored in China. Entities that handle personal information reaching a certain threshold are also required to store user data within China. And the law requires companies to pass a security assessment organized by cybersecurity agencies, like the Cyberspace Administration of China, or to meet other compliance requirements, if they wish to transfer data abroad. If they pass compliance requirements, they need to make sure those overseas data recipients also follow PIPL.

The PIPL reinforces Beijing's ambition to defend its digital sovereignty. If foreign entities "engage in personal information handling activities that violate the personal information rights and interests of citizens of the People's Republic of China, or harm the national security or public interest of the People's Republic of China," China's enforcement agencies may blacklist them, "limiting or prohibiting the provision of personal information to them." And China may reciprocate against countries or regions that adopt "discriminatory prohibitions, limitations or other similar measures against the People's Republic of China in the area of personal information protection."

Many Asian governments are in the process of writing or rewriting data protection laws. Vietnam, India, Pakistan and Sri Lanka have all inserted localization provisions in their respective data protection laws. "[The PIPL framework] can provide encouragement to countries that would be tempted to use the data protection law that includes data transfer provisions to add this national security component," Girot said.

This new breed of data protection law could lead to a fragmented global privacy landscape. Localization requirements can be a headache for transnational tech companies, particularly cloud service providers. And the CAC, one of the data regulators in charge of implementing and enforcing the PIPL, is also tasked with implementing a national security policy, which could present a challenge to international cooperation.

"When regulators come from a cybersecurity agency, it's not going to be very easy to build the necessary trust with your partners, with your colleagues or counterparts, that it will be necessary to activate this international cooperation," Girot said. "This is not trivial because today, tech is global."

Stateside impact

China's PIPL will also have an impact on the United States. Text in the PIPL, as well as in China's Data Security Law, would prevent foreign law enforcement from accessing Chinese citizen data held by companies in China without going through strict clearance procedures. Samm Sacks, a cyber policy fellow at New America, told Protocol that this provision was meant to respond to the CLOUD Act, a U.S. federal law that grants law enforcement agencies the authority to reach into any other country and pull out local data in criminal law enforcement investigations.

"If a U.S. company held data in China, for example, that U.S. law enforcement needed as part of a criminal proceeding," Sacks said, "[the PIPL] could create a blocking mechanism to prevent them from complying with that request."

The U.S. does not have a federal privacy law. And privacy and cybersecurity experts say China's progress in its privacy law won't make the U.S. accelerate its own long-stalled privacy law-making process. But Sacks nonetheless anticipates a negative response from the U.S. to China's data protection law. "I think in an environment of increasing hawkishness about China, it's going to be viewed as another tool that the Communist Party can use to control the private sector and to control the data that the private sector holds," Sacks said, adding that she disagrees with this view.

In protecting consumer privacy, PIPL will rein in China's Big Tech to a certain extent. But that's not the PIPL's major function; Beijing has demonstrated that if it wants to target the industry, it can make it happen overnight — see, for example, the sudden ed-tech crackdown. The immediate impact of the PIPL, said Jeremy Daum, a senior fellow of Yale Law School's Paul Tsai China Center, is to better protect citizen data.

"I think to some extent, you have to be willing to accept that this law is doing what it says it's going to do," Daum said.

Zeyi Yang contributed to research.

Consumers increasingly view secondhand gifting as a fun, cheaper and more meaningful way of giving.

Image: Jon Pulido

Click banner image for more Shopping Week coverage

Tracy DiNunzio started Tradesy over 10 years ago, a time when she says people were, for the most part, "ick about pre-owned."

Keep Reading Show less
Michelle Ma
Michelle Ma (@himichellema) is a reporter at Protocol, where she writes about management, leadership and workplace issues in tech. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at mma@protocol.com.

The Bureau of Labor Statistics indicates that by 2026, the shortage of engineers in the U.S. will exceed 1.2 million, while 545,000 software developers will have left the market by that time. Meanwhile, business is becoming increasingly more digital-first, and teams need the tools in place to keep distributed teams aligned and able to respond quickly to changing business needs. That means businesses need to build powerful workplace applications without relying on developers.

In fact, according to Gartner, by 2025, 70% of new applications developed by enterprises will use low-code or no-code technologies and, by 2023, there will be at least four times as many active citizen developers as professional developers at large enterprises. We're on the cusp of a big shift in how businesses operate and how organization wide innovation happens.

Keep Reading Show less
Andrew Ofstad
As Airtable’s co-founder, Andrew spearheads Airtable’s long-term product bets and represents the voice of the customer in major product decisions. After co-founding the company, he helped scale Airtable’s original product and engineering teams. He previously led the redesign of Google's flagship Maps product, and before that was a product manager for Android.

Can we bring malls into the metaverse?

Soon you might buy digital sneakers to wear on your digital date in a digital world.

Combined with the hype around digital goods and cryptocurrency, companies and futurists are starting to imagine what shopping in the metaverse might look like.

Photo illustration: Mark Abramson/Bloomberg via Getty Images; The Fabricant; Protocol

Click banner image for more Shopping Week coverage

Before the internet, the mall was the spot for watching movies, hanging out, listening to music, finding love — and an embodiment of all-American consumerism. "The shopping center was Amazon, it was Facebook, it was Tinder, it was Spotify, it was Netflix," said retail futurist Doug Stephens. "It was the gathering point in the community."

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

It’s still too hard to give crypto this holiday

Here's how the industry Scrooged itself out of a big opportunity.

If only giving bitcoin were this simple.

Photo illustration: gpointstudio/Getty Images Plus; Protocol

Click banner image for more Shopping Week coverage

Crypto took huge steps toward the mainstream this year. Bitcoin soared in value, Coinbase went public and VCs poured even more money into the industry. In case consumers didn't get the message, they'll surely notice when the Staples Center turns into Crypto.com Arena next month and FTX airs its first Super Bowl ad in February.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Signal at (510)731-8429.

It’s time to rethink Black Friday

The pandemic didn't end Black Friday, but it'll never look the same again.

We can expect Black Friday to stick around but lose relevance as retailers effectively dilute its meaning and purpose.

Illustration: Christopher T. Fong/Protocol

Click banner image for more Shopping Week coverage

"I'm selling meditation, so I shouldn't be stressed," said Charlie Rousset, the co-founder of sleep and relaxation gadget-maker Morphée. But even deep breathing can't help Rousset feel less on edge this Black Friday.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Latest Stories