Unpacking China’s game-changing data law

Its emphasis on digital sovereignty could fragment the global privacy landscape.

lock and key on keyboard

China's new Personal Information Protection Law is its next step in promoting national security.

Photo: Patrick Pleul/Picture Alliance/Getty Images

China's National Congress passed the highly anticipated Personal Information Protection Law on Friday, a significant piece of legislation that will provide Chinese citizens significant privacy protections while also bolstering Beijing's ambitions to set international norms in data protection.

China's PIPL is not only key to Beijing's vision for a next-generation digital economy; it is also likely to influence other countries currently adopting their own data protection laws.

The new law clearly draws inspiration from the European Union's General Data Protection Regulation, and like its precursor is an effort to respond to genuine grassroots demand for greater right to consumer privacy. But what distinguishes China's PIPL from the GDPR and other laws on the books is China's emphasis on national security, which is a broadly defined trump card that triggers data localization requirements and cross-border data flow restrictions.

"It provides an additional justification, if you will, to countries that were keen to pursue a similar agenda [about] tech sovereignty [and] localization," Clarisse Girot, director for Asia Pacific at the nonprofit organization Future of Privacy Forum, told Protocol. "And it really signals [China]'s intention to have an influence that's commensurate with the size of its economy and its technological capabilities."

A special breed of data protection

Cross-border data transfer provisions are by now a staple in data protection laws globally, Girot said, but China's approach to data transfer is more heavy-handed; transfers can be restricted or banned if they harm China's national security, and China defines national security more broadly than most other countries.

The PIPL contains provisions requiring all data processed by national agencies and so-called critical information infrastructure operators be stored in China. Entities that handle personal information reaching a certain threshold are also required to store user data within China. And the law requires companies to pass a security assessment organized by cybersecurity agencies, like the Cyberspace Administration of China, or to meet other compliance requirements, if they wish to transfer data abroad. If they pass compliance requirements, they need to make sure those overseas data recipients also follow PIPL.

The PIPL reinforces Beijing's ambition to defend its digital sovereignty. If foreign entities "engage in personal information handling activities that violate the personal information rights and interests of citizens of the People's Republic of China, or harm the national security or public interest of the People's Republic of China," China's enforcement agencies may blacklist them, "limiting or prohibiting the provision of personal information to them." And China may reciprocate against countries or regions that adopt "discriminatory prohibitions, limitations or other similar measures against the People's Republic of China in the area of personal information protection."

Many Asian governments are in the process of writing or rewriting data protection laws. Vietnam, India, Pakistan and Sri Lanka have all inserted localization provisions in their respective data protection laws. "[The PIPL framework] can provide encouragement to countries that would be tempted to use the data protection law that includes data transfer provisions to add this national security component," Girot said.

This new breed of data protection law could lead to a fragmented global privacy landscape. Localization requirements can be a headache for transnational tech companies, particularly cloud service providers. And the CAC, one of the data regulators in charge of implementing and enforcing the PIPL, is also tasked with implementing a national security policy, which could present a challenge to international cooperation.

"When regulators come from a cybersecurity agency, it's not going to be very easy to build the necessary trust with your partners, with your colleagues or counterparts, that it will be necessary to activate this international cooperation," Girot said. "This is not trivial because today, tech is global."

Stateside impact

China's PIPL will also have an impact on the United States. Text in the PIPL, as well as in China's Data Security Law, would prevent foreign law enforcement from accessing Chinese citizen data held by companies in China without going through strict clearance procedures. Samm Sacks, a cyber policy fellow at New America, told Protocol that this provision was meant to respond to the CLOUD Act, a U.S. federal law that grants law enforcement agencies the authority to reach into any other country and pull out local data in criminal law enforcement investigations.

"If a U.S. company held data in China, for example, that U.S. law enforcement needed as part of a criminal proceeding," Sacks said, "[the PIPL] could create a blocking mechanism to prevent them from complying with that request."

The U.S. does not have a federal privacy law. And privacy and cybersecurity experts say China's progress in its privacy law won't make the U.S. accelerate its own long-stalled privacy law-making process. But Sacks nonetheless anticipates a negative response from the U.S. to China's data protection law. "I think in an environment of increasing hawkishness about China, it's going to be viewed as another tool that the Communist Party can use to control the private sector and to control the data that the private sector holds," Sacks said, adding that she disagrees with this view.

In protecting consumer privacy, PIPL will rein in China's Big Tech to a certain extent. But that's not the PIPL's major function; Beijing has demonstrated that if it wants to target the industry, it can make it happen overnight — see, for example, the sudden ed-tech crackdown. The immediate impact of the PIPL, said Jeremy Daum, a senior fellow of Yale Law School's Paul Tsai China Center, is to better protect citizen data.

"I think to some extent, you have to be willing to accept that this law is doing what it says it's going to do," Daum said.

Zeyi Yang contributed to research.


2- and 3-wheelers dominate oil displacement by EVs

Increasingly widespread EV adoption is starting to displace the use of oil, but there's still a lot of work to do.

More electric mopeds on the road could be an oil demand game-changer.

Photo: Humphrey Muleba/Unsplash

Electric vehicles are starting to make a serious dent in oil use.

Last year, EVs displaced roughly 1.5 million barrels per day, according to a new analysis from BloombergNEF. That is more than double the share EVs displaced in 2015. The majority of the displacement is coming from an unlikely source.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (

Sponsored Content

Foursquare data story: leveraging location data for site selection

We take a closer look at points of interest and foot traffic patterns to demonstrate how location data can be leveraged to inform better site selecti­on strategies.

Imagine: You’re the leader of a real estate team at a restaurant brand looking to open a new location in Manhattan. You have two options you’re evaluating: one site in SoHo, and another site in the Flatiron neighborhood. Which do you choose?

Keep Reading Show less

The limits of AI and automation for digital accessibility

AI and automated software that promises to make the web more accessible abounds, but people with disabilities and those who regularly test for digital accessibility problems say it can only go so far.

The everyday obstacles blocking people with disabilities from a satisfying digital experience are immense.

Image: alexsl/Getty Images

“It’s a lot to listen to a robot all day long,” said Tina Pinedo, communications director at Disability Rights Oregon, a group that works to promote and defend the rights of people with disabilities.

But listening to a machine is exactly what many people with visual impairments do while using screen reading tools to accomplish everyday online tasks such as paying bills or ordering groceries from an ecommerce site.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.


The crypto crash's violence shocked Circle's CEO

Jeremy Allaire remains upbeat about stablecoins despite the UST wipeout, he told Protocol in an interview.

Allaire said what really caught him by surprise was “how fast the death spiral happened and how violent of a value destruction it was.”

Photo: Heidi Gutman/CNBC/NBCU Photo Bank/NBCUniversal via Getty Images

Circle CEO Jeremy Allaire said he saw the UST meltdown coming about six months ago, long before the stablecoin crash rocked the crypto world.

“This was a house of cards,” he told Protocol. “It was very clear that it was unsustainable and that there would be a very high risk of a death spiral.”

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at or via Google Voice at (925) 307-9342.

A DTC baby formula startup is caught in the center of a supply chain crisis

After weeks of “unprecedented growth,” Bobbie co-founder Laura Modi made a hard decision: to not accept any more new customers.

Parents unable to track down formula in stores have been turning to Facebook groups, homemade formula recipes and Bobbie, a 4-year-old subscription baby formula company.

Photo: JIM WATSON/AFP via Getty Images

The ongoing baby formula shortage has taken a toll on parents throughout the U.S. Laura Modi, co-founder of formula startup Bobbie, said she’s been “wearing the hat of a mom way more than that of a CEO” in recent weeks.

“It's scary to be a parent right now, with the uncertainty of knowing you can’t find your formula,” Modi told Protocol.

Keep Reading Show less
Nat Rubio-Licht

Nat Rubio-Licht is a Los Angeles-based news writer at Protocol. They graduated from Syracuse University with a degree in newspaper and online journalism in May 2020. Prior to joining the team, they worked at the Los Angeles Business Journal as a technology and aerospace reporter.

Latest Stories