China’s new data protection legislation: Are there lessons to be learned from Europe?

As an indispensable factor in modern communication, the use of data by public and private organizations has spread to all aspects of social life. In Europe, the General Data Protection Regulation (GDPR) has provided what is widely considered as the world’s toughest framework to protect people’s privacy. On May 25, the first anniversary of the GDPR, China’s Standing Committee announced that its next major project focusing on national security and social governance would be to implement the national personal information protection law (also known as the Personal Information Security Specification) and China’s Cyber Security law.

A brief history of data security law in China

As early as 2003, work began on an expert proposal draft of the Personal Information Protection Law, which was submitted to the relevant authorities in 2005. “Due to the importance and urgency of legislation on personal information protection,” Hanhua Zhou, head of the research team and a researcher at the Institute of Law at the Chinese Academy of Social Sciences, said he believed drafting the law would “not take too long”. For now, the law is still in the works, as China’s legislators try to keep up with rapidly evolving online business models.

In recent years, data protection has become a more prominent issue in China’s booming online economy: according to CCTV, the Beijing district court alone confirmed the disclosure of more than 160 million pieces of citizens’ personal information between 2010 and 2016. An investigation report on app-related personal information leakage, released by the China Consumers’ Association in September 2018, also showed that 80% of respondents had been exposed to leakage of their personal information.

In March 2017, at the “two sessions” of the National People’s Congress, Xiaoling Wu, deputy director of the financial business management department, the director of the National People’s Congress, the President of the People’s Bank of China Xue-dong Zhou, and 45 members of the Standing Committee of the National People’s Congress submitted a bill “To develop the personal information protection law of the People’s Republic of China as soon as possible”. The bill included a first draft of the Personal Information Protection Specification as an annex.

The Personal Information Protection Law falls into category I of the legislative plan released in March 2019, which means that enacting the law has the highest priority and that it could be introduced by the end of 2020.

In the meantime, the 10th session of the Standing Committee of the 13th National People’s Congress, held on June 28-30, 2019, deliberated the draft of the Data Security Law for the first time. On July 3, the full text of the draft was released to solicit public comments, and on August 16 that year the public consultation on the draft of China’s first data security law ended. The Data Security Law is also expected to be implemented by the end of 2020.

A brief history of data security law in Europe

The EU’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is the most significant change in the field of data privacy protection globally in the past 20 years. The act applies to any party, whether an EU citizen or a legal person, that collects the data, provides the data (the user from whom the data is collected), or processes the data (such as a third-party data processing agency). The implementation of the GDPR is a huge challenge to data utilization and online business operation in the current age of data. It has led major Chinese enterprises such as Tencent and Xiaomi, along with other leading domestic technology companies, to announce their withdrawal from the European market.

The GDPR’s main mechanisms for supervising how enterprises protect customer information are as follows:

1. Failure by the relevant organizations to fulfill their obligations will expose them to the risk of serious administrative fines from active regulators in EU countries (such as the “Autoriteit Persoonsgegevens” in the Netherlands). Fines can be as high as 20 million euros or about 4 percent of a company’s global turnover, whichever is higher.

2. Website operators must explain to customers in advance that the site will automatically record their search and shopping history, and must obtain the user’s consent; otherwise, they will be penalized for “not telling the user to record the behavior”.

3. Companies can no longer use vague, hard-to-understand language or lengthy privacy policies to obtain permission to use data from users.

4. The “right to be forgotten” is enshrined in the text, with individual users having the right to ask responsible parties to delete the records held about them.

When the GDPR first came into effect in 2018, the penalties imposed by government regulators were modest. By 2019, GDPR fines were rising, more organizations were receiving fines, and regulators were stepping up their efforts. According to the statistics, GDPR fines totaled a record 417.5 million euros in 2019, almost 1,000 times the amount imposed in 2018. This year alone, 750 companies received GDPR fines, with an average fine of 500,000 euros, equivalent to 3.89 million yuan.

It can be seen that GDPR fines have become stricter as regulators in various countries pay more attention. In terms of the reasons for the fines, more than one third are due to an improper legal basis for data processing, while another third are due to insufficient technical and organizational measures to ensure information security, such as data leakage incidents.

The top ten fine incidents in GDPR are as follows:

The law defines the right of individuals to own their data in the digital world, protects the privacy of netizens, and reduces the security risks of data and the problems related to personal privacy.

Prospects for the Personal Information Protection law in China

In terms of personal information protection legislation in China, most legislators express the need for a balance between protecting netizens and promoting economic development. As China has a large number of internet users and a booming e-commerce economy, merely copying the GDPR may not be feasible. China’s political sentiment is that the goal is to develop the most appropriate, the most complete and the most suitable rule of law for the future network situation of the country. Legislators call upon online companies to “strengthen self-discipline in the basic spirit of protecting personal privacy, to abide by basic moral norms and network order, and to enhance the social responsibility of network enterprise citizens”.

While China’s Cybersecurity Law sets out the fundamental principles of personal information protection, the Personal Information Specification provides detailed guidance for compliance in information processing. China’s new specification will most likely function as a guideline for legislators drafting related laws. Experts expect that the implemented framework will contain most of the personal data protection elements featured in the GDPR, though it might show more tolerance.

Like the GDPR, the Specification includes guidance on user consent, data protection, data access, the obligation of disclosure, and the evaluation of data security, but overall it is more permissive. For instance, the GDPR provides six lawful bases that allow data controllers to process personal data, such as user consent, legal obligation, and vital interests, whereas the Specification only lists four circumstances in which data controllers are not allowed to process personal data.

It remains to be seen how strict China’s data protection law will prove to be in practice. Dr2’s experts will continue to monitor legislative and political developments. If you would like to be kept informed on the latest news surrounding data protection in China and the consequences it can have for your business, please don’t hesitate to contact us at


[1] personal information protection law / 8343360





[6] from=wap