Unpacking China’s game-changing data law

Its emphasis on digital sovereignty could fragment the global privacy landscape.

lock and key on keyboard

China's new Personal Information Protection Law is its next step in promoting national security.

Photo: Patrick Pleul/Picture Alliance/Getty Images

China's National Congress passed the highly anticipated Personal Information Protection Law on Friday, a significant piece of legislation that will provide Chinese citizens significant privacy protections while also bolstering Beijing's ambitions to set international norms in data protection.

China's PIPL is not only key to Beijing's vision for a next-generation digital economy; it is also likely to influence other countries currently adopting their own data protection laws.

The new law clearly draws inspiration from the European Union's General Data Protection Regulation, and like its precursor is an effort to respond to genuine grassroots demand for greater right to consumer privacy. But what distinguishes China's PIPL from the GDPR and other laws on the books is China's emphasis on national security, which is a broadly defined trump card that triggers data localization requirements and cross-border data flow restrictions.

"It provides an additional justification, if you will, to countries that were keen to pursue a similar agenda [about] tech sovereignty [and] localization," Clarisse Girot, director for Asia Pacific at the nonprofit organization Future of Privacy Forum, told Protocol. "And it really signals [China]'s intention to have an influence that's commensurate with the size of its economy and its technological capabilities."

A special breed of data protection

Cross-border data transfer provisions are by now a staple in data protection laws globally, Girot said, but China's approach to data transfer is more heavy-handed; transfers can be restricted or banned if they harm China's national security, and China defines national security more broadly than most other countries.

The PIPL contains provisions requiring all data processed by national agencies and so-called critical information infrastructure operators be stored in China. Entities that handle personal information reaching a certain threshold are also required to store user data within China. And the law requires companies to pass a security assessment organized by cybersecurity agencies, like the Cyberspace Administration of China, or to meet other compliance requirements, if they wish to transfer data abroad. If they pass compliance requirements, they need to make sure those overseas data recipients also follow PIPL.

The PIPL reinforces Beijing's ambition to defend its digital sovereignty. If foreign entities "engage in personal information handling activities that violate the personal information rights and interests of citizens of the People's Republic of China, or harm the national security or public interest of the People's Republic of China," China's enforcement agencies may blacklist them, "limiting or prohibiting the provision of personal information to them." And China may reciprocate against countries or regions that adopt "discriminatory prohibitions, limitations or other similar measures against the People's Republic of China in the area of personal information protection."

Many Asian governments are in the process of writing or rewriting data protection laws. Vietnam, India, Pakistan and Sri Lanka have all inserted localization provisions in their respective data protection laws. "[The PIPL framework] can provide encouragement to countries that would be tempted to use the data protection law that includes data transfer provisions to add this national security component," Girot said.

This new breed of data protection law could lead to a fragmented global privacy landscape. Localization requirements can be a headache for transnational tech companies, particularly cloud service providers. And the CAC, one of the data regulators in charge of implementing and enforcing the PIPL, is also tasked with implementing a national security policy, which could present a challenge to international cooperation.

"When regulators come from a cybersecurity agency, it's not going to be very easy to build the necessary trust with your partners, with your colleagues or counterparts, that it will be necessary to activate this international cooperation," Girot said. "This is not trivial because today, tech is global."

Stateside impact

China's PIPL will also have an impact on the United States. Text in the PIPL, as well as in China's Data Security Law, would prevent foreign law enforcement from accessing Chinese citizen data held by companies in China without going through strict clearance procedures. Samm Sacks, a cyber policy fellow at New America, told Protocol that this provision was meant to respond to the CLOUD Act, a U.S. federal law that grants law enforcement agencies the authority to reach into any other country and pull out local data in criminal law enforcement investigations.

"If a U.S. company held data in China, for example, that U.S. law enforcement needed as part of a criminal proceeding," Sacks said, "[the PIPL] could create a blocking mechanism to prevent them from complying with that request."

The U.S. does not have a federal privacy law. And privacy and cybersecurity experts say China's progress in its privacy law won't make the U.S. accelerate its own long-stalled privacy law-making process. But Sacks nonetheless anticipates a negative response from the U.S. to China's data protection law. "I think in an environment of increasing hawkishness about China, it's going to be viewed as another tool that the Communist Party can use to control the private sector and to control the data that the private sector holds," Sacks said, adding that she disagrees with this view.

In protecting consumer privacy, PIPL will rein in China's Big Tech to a certain extent. But that's not the PIPL's major function; Beijing has demonstrated that if it wants to target the industry, it can make it happen overnight — see, for example, the sudden ed-tech crackdown. The immediate impact of the PIPL, said Jeremy Daum, a senior fellow of Yale Law School's Paul Tsai China Center, is to better protect citizen data.

"I think to some extent, you have to be willing to accept that this law is doing what it says it's going to do," Daum said.

Zeyi Yang contributed to research.


Election markets are far from a sure bet

Kalshi has big-name backing for its plan to offer futures contracts tied to election results. Will that win over a long-skeptical regulator?

Whether Kalshi’s election contracts could be considered gaming or whether they serve a true risk-hedging purpose is one of the top questions the CFTC is weighing in its review.

Photo illustration: Getty Images; Protocol

Crypto isn’t the only emerging issue on the CFTC’s plate. The futures regulator is also weighing a fintech sector that has similarly tricky political implications: election bets.

The Commodity Futures Trading Commission has set Oct. 28 as a date by which it hopes to decide whether the New York-based startup Kalshi can offer a form of wagering up to $25,000 on which party will control the House of Representatives and Senate after the midterms. PredictIt, another online market for election trading, has also sued the regulator over its decision to cancel a no-action letter.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at
Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

The Uber verdict shows why mandatory disclosure isn't such a bad idea

The conviction of Uber's former chief security officer, Joe Sullivan, seems likely to change some minds in the debate over proposed cyber incident reporting regulations.

Executives and boards will now be "a whole lot less likely to cover things up," said one information security veteran.

Photo: Al Drago/Bloomberg via Getty Images

If nothing else, the guilty verdict delivered Wednesday in a case involving Uber's former security head will have this effect on how breaches are handled in the future: Executives and boards, according to information security veteran Michael Hamilton, will be "a whole lot less likely to cover things up."

Following the conviction of former Uber chief security officer Joe Sullivan, "we likely will get better voluntary reporting" of cyber incidents, said Hamilton, formerly the chief information security officer of the City of Seattle, and currently the founder and CISO at cybersecurity vendor Critical Insight.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at


Delta and MIT are running flight tests to fix contrails

The research team and airline are running flight tests to determine if it’s possible to avoid the climate-warming effects of contrails.

Delta and MIT just announced a partnership to test how to mitigate persistent contrails.

Photo: Gabriela Natiello/Unsplash

Contrails could be responsible for up to 2% of all global warming, and yet how they’re formed and how to mitigate them is barely understood by major airlines.

That may be changing.

Keep Reading Show less
Michelle Ma

Michelle Ma (@himichellema) is a reporter at Protocol covering climate. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at


Inside Amazon’s free video strategy

Amazon has been doubling down on original content for Freevee, its ad-supported video service, which has seen a lot of growth thanks to a deep integration with other Amazon properties.

Freevee’s investment into original programming like 'Bosch: Legacy' has increased by 70%.

Photo: Tyler Golden/Amazon Freevee

Amazon’s streaming efforts have long been all about Prime Video. So the company caught pundits by surprise when, in early 2019, it launched a stand-alone ad-supported streaming service called IMDb Freedive, with Techcrunch calling the move “a bit odd.”

Nearly four years and two rebrandings later, Amazon’s ad-supported video efforts appear to be flourishing. Viewership of the service grew by 138% from 2020 to 2021, according to Amazon. The company declined to share any updated performance data on the service, which is now called Freevee, but a spokesperson told Protocol the performance of originals in particular “exceeded expectations,” leading Amazon to increase investments into original content by 70% year-over-year.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Latest Stories