Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
China’s draft Personal Information Protection Law
Journal of Data Protection & Privacy,
4
(3),
235-259
(2021)
Abstract
In October 2020, China published a draft of the Personal Information Protection Law of the People’s Republic of China (PRC) for public comment. The draft law is intended to be the first consolidated and comprehensive law targeting the protection of personal information in China. If enacted in its current form, the law would introduce a suite of obligations that apply to organisations in both the private and public sectors and individuals that process Chinese residents’ personal information. The scope, structure and substance of the draft law not only resemble that of the European Union (EU) General Data Protection Regulation (GDPR) in a number of key ways but also diverge from the GDPR in many respects. The draft Chinese law also has some similarities with various US privacy laws, although the United States has not enacted a comprehensive federal privacy law that applies across the country. Despite the variations among the regimes of China, the EU and the United States, organisations that do business in these geographies can leverage the privacy compliance programmes they may have established for the United States and EU to prepare for the implementation of the draft Chinese Personal Information Protection Law. This paper summarizes the key requirements of the draft Chinese law and provides high-level observations regarding its similarities to and differences from the GDPR and key US privacy laws.
Keywords: China; PRC; Personal Information Protection Law of the PRC; PRC Cybersecurity Law; PRC Data Security Law; Chinese privacy laws; Cyberspace Administration of China; comparative analysis; EU General Data Protection Regulation; California Consumer Privacy Act; Virginia Consumer Data Protection Act; US Health Insurance Portability and Accountability Act
The full article is available to subscribers to the journal.
Author's Biography
Lothar Determann teaches computer, internet, data privacy and commercial law at Freie Universität Berlin, the University of California, Berkeley, School of Law, and Hastings College of the Law, and he practices law as a partner at Baker McKenzie, where he has been counselling companies since 1998 on privacy law compliance and taking products and business models international. He has authored numerous articles, treatise contributions and books, including Determann’s Field Guide to Data Privacy Law and California Privacy Law: Practical Guide and Commentary.
Zhenyu (Jay) Ruan specialises in corporate and regulatory advisory matters in China. He is a member of Baker McKenzie’s Global TMT Steering Committee, making him instrumental in the TMT space for China and the whole of Asia Pacific. He has advised on significant deals which include technology companies’ joint ventures and technology licensing transactions, e-commerce and data privacy matters for multinational fashion and retail and healthcare companies, and regulatory and cybersecurity law for financial institutions and technology companies.
Tingting Gao is an associate at Baker McKenzie, primarily focusing on China-related corporate, regulatory and compliance advisory matters, with an expertise in data privacy and cybersecurity. She has advised clients from a wide range of sectors with their data privacy and cybersecurity compliance in China. She is admitted to practice in PRC (inactive) and New York.
Jonathan Tam is a senior associate at Baker McKenzie focusing on global privacy, technology transactions and cybersecurity. He started in Baker McKenzie’s Toronto office in 2012 and transferred to the firm’s San Francisco office in 2018. He is a co-chair of the IAPP’s Silicon Valley KnowledgeNet chapter and a member of the Executive Committee of the San Francisco Bar Association’s Privacy and Cybersecurity Section.
