Updated: Sep 22
Why China's new data privacy law empowers state surveillance.
On 20th August 2021, the Personal Information Protection Law was passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China. The Personal Information Protection Law will come into effect on 1st November 2021. The law relating to data protection is being pushed at a time when China has announced unprecedented measures on regulating tech companies in China.
Stark Difference with EU GDPR and Other Countries
Many nations around the world have passed laws regarding the enforcement of data protection laws. Most of these nations have modelled their data protection laws on European Union’s General Data Protection Regulation. This includes the State of Pakistan, which has close ties with China but has modelled its data protection bill on EUGDPR. However, the recently passed Personal Information Protection Law differs significantly from EU GDPR and offers little to no help in contributing anything new to the world. First of all, the basic premise on which EU GDPR is based is that there exists the right to privacy of the citizens of the European Union. This is clearly evident from Article 8 (1) of the Charter of Fundamental Rights of the European Union which guarantees that “Everyone has the right to the protection of personal data concerning him or her.” However, there is no implicit or explicit recognition of privacy being a fundamental right in China.
One of the key hallmarks of EUGDPR has been the recognition of the concept of the Right to be Forgotten, which finds mention in Article 17 of EUGDPR. Right to be Forgotten as a concept means that the data controller (like Whatsapp and Facebook) shall ensure the erasure of data when it is asked by the data subject (the user of the application) of the information which is when it is no longer necessary. There are other factors also such as withdrawal of consent, unlawful processing, etc, which constitute a part of the Right to be Forgotten. There is no mention of ‘Right to be forgotten’ in China’s recently released Data Protection Bill. Unfortunately, there is also no mention of the Right to be rectification also which gives the Data Subject the right to rectify the incorrect information. These differences expose a huge chasm between the model adopted by China and other nations, which have found EU GDPR to be certainly a better template for the formation of their own data protection laws.
Perfect Law for State Surveillance
While most of the laws modelled on GDPR have tried to reduce the scope of surveillance to a great extent, China’s version of the Data Protection Bill does the opposite. Article 26 of the Bill gives sweeping power to the State for “ The installation of image collection or personal identity recognition equipment in public venues shall occur as required to safeguard public security and observe relevant State regulations, and clear indicating signs shall be installed.” China already has one of the biggest state surveillance models in the world, and Article 26 further strengthens this model, making the Orwellian State a reality apart from existing in fiction. There is no provision either in EU GDPR or India’s proposed Data Protection Bill which gives unlimited power to the State for carrying out mass surveillance in the public with the help of technology such as Artificial intelligence or facial recognition.
Stringent rules for Cross-Border Transfer of Data
Cross-Border provisions for the transfer of Data Subjects residing in China make it very difficult for the companies to store data of the users in a third country. There are essentially four conditions which have been laid down for cross-border transfer of data, which are as follows- 1)Passing a security assessment, undergoing personal information protection certification conducted by a specialised body, 2) Concluding a contract with foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, 3)And in case the State (People’s Republic of China ) concludes a treaty with a nation. In comparison to China, neither India nor EU GDPR has such strict guidelines on cross border transfer of data to a third country. (refer to Article 44-50 for EU G D P R and Chapter VII of India’s proposed Data Protection Bill)
Continuation of Wolf Warrior Diplomacy
One of the key traits associated with Chinese Diplomacy in recent times has been its usage of “Wolf Warrior Diplomacy,” where Chinese Diplomats and officials engage with their counterparts in a much more aggressive style through words as well as actions. Article 43 of the Bill of Information Protection Law gives the State the right to adopt reciprocal measures in case a country adopts discriminatory practices against the users who are residing in China. This particular provision can be seen as a continuation of aggressive diplomacy by China where there is no budging or compromise on the part of the State to give another nation or even a corporate body an undue advantage over it.
With the Personal Information Protection Law slated to come into effect on 1st November 2021, one thing which is crystal clear is that there will hardly be takers for the Bill as most of the nations have relied on the lines of EU GDPR to make their own data protection laws. Lastly, it makes China look more inward and totalitarian at a time when it is looking to construct its own narrative of digital governance.
(The translation of China’s Personal Information Protection Law has been taken from Standford University’s Digi China, Cyber Policy Center, which is available at :
(Siddharth Chaturvedi is a student-scholar and researcher at Dharmashastra National Law University, India.)