A Chinese Data Privacy Law with Strong Influences from the EU

A Chinese Data Privacy Law with Strong Influences from the EU-China Releases the Draft on Its First Uniform Personal Information Protection Law

Authored by Yingying Zhu

The world has witnessed a torrent of lawmaking, regulatory design and enforcement activities regarding data privacy following the enactment of the General Data Protection Regulation (“GDPR”) [1] of the European Union in May 2018. At present, 132 out of 194 countries had put in place legislation to secure the protection of data and privacy. [2]


The inadequacy of personal information protection in China has raised widespread public concerns in this big data land with 904 million netizens,[3] vulnerable to data breaches and cyber frauds. In 2016, a professor at the prestigious Tsinghua University wired more than CNY17 million to a fraud, after she received a scam call from the fraud who knew every detail about the deal of a recent sale of her real property.[4] Incidents like this have led to nationwide discussions and provoked reflection among thinkers, legal experts and law makers. 


At present, data protection laws, regulations and specifications in China were scattered in sectional laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, etc.


On October 13, 2020, after years of brewing, China releases the long-awaited and much-welcomed draft on its first dedicated personal information protection law. The draft has been submitted to the standing committee of the China's top legislature-the National People’s Congress (“NPC”) for the first review and then posted for public comments on NPC’s official website. The comment period lasts until November 19, 2020.


Being the first comprehensive law that emulates the GDPR, the draft Personal Information Protection Law (“draft PIPL”) has shown strong GDPR influences as well as its unique Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

The types of information considered personal under the draft PIPL include various information recorded electronically or in other forms that is relating to an identified or identifiable natural person (“data subject”), excluding the anonymized information. The processing of personal information includes activities such as the collection, storage, use, handling, transmission, provision, and disclosure of personal information.

Here, “personal information” under the draft PIPL is similar in terms of definition to “personal data” used in the GDPR as well as in its predecessor, the EU Data Protection Directive,[5] because it includes data that relate both to an “identified” or “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.[6] For example, the name of a person (in particular, a none-celebrity), is often not identified to an individual, but sometimes can easily be linked to an individual with bits of other information, such as an address, a telephone number or a place of work.


On a risk-based approach, the draft PIPL defines sensitive personal information (“SPI”) as personal information that once leaked or illegally used may lead to discriminatory treatment or could seriously endanger the safety of persons or property, including information such as one’s race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. The draft also requires that the individuals' “independent consent” shall be obtained where processing SPI is to be based on individuals' consent and individuals shall also be informed of the necessity of processing SPI and the impact on them.


The draft PIPL, for the first time in China’s privacy protection legislation, specifically defines SPI. As improper disclosures of SPI can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that SPI could be specifically defined and appropriately protected.


One problem with the draft PIPL’s definition of SPI, however, is that it seems to ignore a certain type of SPI -a person’s private or secret life that in many defamation cases has been the subject of public online shaming. If an individual’s personal private life (usually unpleasant, eccentric or immoral) was posted on some popular online platforms due to mishandling of that individual’s personal information, and the news goes viral, the victim in many cases would suffer spiritually from attacks of cyber-mobs and internet violence. The suffering can be nothing financial but only emotional. Here, the risk-based definition of SPI in the draft PIPL only covers risks in the form of “discriminatory treatment” or “endangering safety of persons or property”, but leaving out the harm caused to personal reputation and psychological health, which, in many cases, could be the only resulted harm in violation of SPI. The draft PIPL obviously did not give enough consideration to such type of possible harm in its current definition of SPI.


Under the GDPR, processing of personal data of a sensitive nature shall be prohibited, unless some stricter preconditions could be met. Such data are classified under the label of SPI[8] and sensitive data are clearly listed by its definition.


Though differ in defining, the draft PIPL converges with the GDPR in that both recognize SPI is belonging to a specific category of information that must be treated with extra safeguarding.

Rights of Individuals

Under the draft PIPL, individuals enjoy the right to know and make decisions about the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except otherwise provided by laws and administrative regulations

Specifically, individuals enjoy the following rights:

1)    Right to access:[9] the data subject may consult or reproduce his personal information from the information processor;

2)    Right to rectification: upon discovery of any error in the information, the data subject has the right to raise an objection and to request to have a timely correction;

3)    Right to be forgotten: if the handling of personal information is in violation of law, or any prior agreement, or the purposes of processing have been realized, or an individual has withdrawn the consent, the data subject has the right to request a timely erasure. If, however, the retention period prescribed by law has not been completed, or deletion of personal information is technically difficult to achieve, the personal information processor shall stop the processing;

4)    Right to be informed: individuals have the right to be informed about rules concerning the processing of their personal information;

5)    Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on one’s rights and interests, one has the right to request an explanation from the personal information processor and has the right to refuse automated individual decision-making.

Under the draft PIPL, individuals have a broader scope of rights than previous laws in the same sector and it brings China’s protection on privacy even closer to the GDPR standards.[10] It is however interesting to note the “right to data portability”[11] under the GDPR has not been transplanted to its Chinese counterpart. As the right to data portability does not apply to genuinely anonymous data but only to pseudonymous data that can clearly be linked back to a data subject, maybe the notions of cyber- sovereignty and network security with a distinguishable Chinese feature could account for the missing of such right in the Chinese context..

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for data collection are: data shall be collected lawfully and justifiably, openly and transparently, accurately and kept up-to-date and data collection shall have clear and reasonable purposes and be limited to the minimum scope to achieve such purposes of processing. The data processing activities shall meet the following conditions:

(1) With the consent of the individual;


(2) It is necessary for entering into or performing a contract to which the individual is a party;


(3) It is necessary for performing of legally-binding duties or obligations;


(4) It is necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property under an emergency;


(5) It is within a reasonable range in order to carry out acts such as news reporting and public opinion overseeing in the public interest; or


Other circumstances warranted by laws or administrative regulations.


The GDPR provides six legal bases for processing personal data, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests pursued by the controller or by a third party.[12] The draft PIPL sets out the above five specific legal bases for processing personal data, which are comparable to the first five legal bases of the GDPR while chipping away the last one concerning “legitimate interests pursued by the controller or by a third party”, on the possible account that it would have the potential of giving too much discretion to the information processor and therefore dilute the value of all the other legal bases.


Under the draft PIPL, consent, albeit the most well-known one, is just one of the legal bases a business can rely on to justify the proceeding of individuals’ personal data. Furthermore, for consent to be valid, it must be freely-given, unambiguous and explicit, informed and withdrawable. Consent is not freely-given if individuals have no other meaningful options but to give out their consent. This means businesses shall not create an opt-in-or-leave-it situation when seeking people’s consent. Individuals need to maintain the ability to decline and shall be free from discrimination when they opt out. The draft PIPL also specifies that if there are changes to the purposes or methods for processing information, or to the type of personal information to be processed, the individual's consent shall be re-obtained.


Extraterritorial Applicability


The GDPR has an extraterritorial scope, because it may apply to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior when it takes place in the European Union.[13]


Modeling on the GDPR’s approach towards extraterritorial application, Article 3 of the draft PIPL expands the law’s territorial scope to data processing activities outside China. Any data processing activities that process personal data within P.R. China, if meeting any of the following conditions, will fall under the territorial scope of the Chinese data protection law:


(1) for the purpose of providing products or services to natural persons within the territory;


(2) to analyze and evaluate the conduct of natural persons in the territory; or


(3) other circumstances provided for by laws and administrative regulations.


If this clause remains intact in the final legal text, it means that the Chinese privacy rules now can also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with the Chinese data protection obligations when processing data on individuals in China for the above-listed purposes.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, the one who collects, stores, uses, handles, transmits, provides, and discloses personal information, shall have the following obligations:

(1) take necessary measures to ensure the legal compliance of personal information processing activities and prevent unauthorized access, disclosure or theft, tampering, and deletion of personal information;

(2) while processing personal information at certain volume, shall designate a person in charge to be responsible for overseeing personal information processing activities and any protection measures taken;

(3) if processing Chinese individuals’ personal information outside China as provided in Article 3 of the Law shall establish a point of contact within China;

(4) shall conduct periodic audits and risk assessments in advance for certain categories of personal information processing activities;

(5) where there is incident of personal information leakage, shall immediately take remedial measures and notify the supervisory authorities.

Once a data breach occurs, the GDPR requires data controllers to notify supervisory authorities of a security breach within 72 hours after it has been aware of it.[14] Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.[15]

In comparison, the draft PIPL is not specific about the timeframe for notification to the supervisory authorities and where personal information processors take measures that can effectively avoid the harm caused by the information leakage, the personal information processors are allowed to not notify the individuals.

Liabilities and Penalties

Violations of the draft PIPL may be subject to a fine of up to CNY1 million (about EUR 0.128 million); the directly responsible management and other directly responsible person may be subject to a fine of between CNY10,000 (about EUR1,283) to CNY100,000 (about EUR12,831). Serious violations of the draft PIPL can be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year's turnover. Where there is an illegal act of data processing activities, it is to be recorded in the business’ credit files with a public announcement posted.

In comparison, under GDPR, the less severe infringements could result in a fine of up to EUR10 million, or 2% of the business’ global annual revenue in the preceding financial year, whichever is higher. For more severe infringements, GDPR sets a maximum fine of EUR 20 million or 4% of annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, the high penalties on noncompliance aim to have a deterrent effect on rule-breakers who are mishandling people’s data or using people’s data without adequate measures in place to safeguard them.


The draft PIPL, being the first dedicated law to data privacy protection in China, thus forming a unified force of enforcement, marks a milestone in the country data privacy legislation. The law shows a broader scope of application than the previous sectional laws and regulations and levels up the country’s protection on data privacy closer to the GDPR standards, a.k.a., the global standards, given the large number of countries around the world that have adopted the GDPR model. While highly converging with the EU rules, the draft PIPL demonstrates a unique Chinese characteristics thus showing a strong Chinese voice with a subtle EU accent.

The laws and regulations on data privacy are constantly evolving in China with changes still in the pipeline. We are here to help if you have any problems, issues, concerns regarding data privacy protection inside or outside China.


[1] The General Data Protection Regulation (EU) 2016/679.

[2] See


[4] See

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at for the translation of the texts of the draft PIPL.

[8] Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] See

  • 相关资讯 More
  • 点击次数: 13
    2023 - 03 - 24
    作者:金涟伊信息时代的来临带来了更多机会与市场,其中意见领袖、平台主播等自媒体是这一浪潮中最突出的弄潮儿。但不论是在什么领域,对其品牌的培养都是自媒体运营的重点。运营自媒体账户培育品牌有以下注意事项。 一、 品牌名称选取 对于自媒体相关主体,不论在哪个平台建立账号,一个好的昵称是成功的一半。该昵称也会在未来成为意见领袖、up主或主播的重要品牌,成为吸引用户的最突出的标志之一。因此对昵称的选择是非常重要的。昵称的风格可以千变万化,可以简约,可以标识重点,可以抽象或单纯富有趣味,但不论是何风格都需遵守当地法律法规以及平台规定。 以某平台为例,在平台用户服务协议明确约定,用户所设置的账号不得违反国家法律法规及平台的相关规则,用户账号名称、头像和简介等注册信息及其他个人信息中不得出现违法和不良信息,未经他人许可不得用他人名义(包括但不限于冒用他人姓名、名称、字号、头像等或采取其他足以让人引起混淆的方式)开设账号,不得恶意注册平台账号(包括但不限于频繁注册、批量注册账号等行为)。同时,用户在账号注册及使用过程中需遵守相关法律法规,不得实施任何侵害国家利益、损害其他公民合法权益,有害社会道德风尚的行为。平台有权对用户提交的注册信息进行审核,这也是平台的义务。 概括而言,注册账户名称应关注: 1、 符合法律法规及平台的规定以及公序良俗2、具有可识别性——昵称及特色3、不侵犯他人在先权利 二、 重视品牌维护 自媒体运营的领域除了其频道主要内容涉及的方向外,也应当注意广告、娱乐教育服务方面的品牌维护。自媒体账户通常盈利方式包括:1、平台分成或签约;2、广告;3、衍生产品。对以上不同盈利方式应当各有注意要点。 对于通过平台分成或签约形式盈利的自媒体,应当注意签约合同中对知识产权的约定,...
  • 点击次数: 11
    2023 - 03 - 10
    作者:刘艳玲当专利申请人向多个国家/地区提交专利申请时,如果希望专利申请加快审查进程,我们知道专利审查高速路(PPH)是一个可以利用的方式。PPH是专利审查机构直接开展的审查结果共享的业务合作,旨在帮助申请人的他国同族专利申请早日获得授权。当申请人在一国审查局提交的专利申请中有一项或多项权利要求被确定为可授权时,可以以此为基础向他国审查局就同族专利申请提出加快审查请求。除了可以加快审查以外,答复审查意见通知书的次数也可能会减少,并且申请被授予专利权的可能性也能增加。同族专利申请的审查结果除了上述应用以外,还有其他的利用方式。在此根据实践经验进行相应介绍。 美国根据美国专利相关法规,专利申请的申请人及密切相关人员在该美国专利申请的过程中有义务将对该申请的专利性重要的现有技术文件(包括专利文献和非专利文献)提交给美国专利商标局以供审查员在审查时考虑。这个程序也称IDS(Information Disclosure Statement,信息公开声明提交)。申请人如果没履行IDS提交义务会导致授权专利无法执行(unenforceable)。美国专利实施细则37CFR1.97-1.98以及专利审查指南MPEP609中给出了IDS文件的具体内容提交要求和时限要求,读者可进一步检索查看。这其中包括申请人及相关人员需要向美国专利商标局提交外国同族专利申请的审查意见/审查结果中引用的对比文件,而且需要在收到审查意见/审查结果后3个月内提交且该期限不可延长。对于以PCT方式进美国的国家申请,审查员审查时会考虑美国专利商标局IFW系统中的所有美国专利文献;如果美国专利商标局下发的PCT/DO/EO/903表中指出了国际检索报告和相关文件的副本已经在国家阶段文件包中,审查员审查时会考虑这些对比文件。由于存在法律适用的不同情形,处理申请时请就提交细节向代理专利申请的合作专利律师/代理师咨询。印度 根...
  • 点击次数: 9
    2023 - 02 - 24
    作者:常春引言:  最高人民法院近日公开的(2021)最高法知民终1363号案件的判决书给出了关于侵犯技术秘密的侵权获利计算的新方式,即可以将侵权人在特定项目上的全部获利作为侵权获利只要侵权人有明显过错且该侵权行为直接决定商业机会的得失。这一计算方式是对技术秘密侵权案件中侵权获利计算方法的一种细化,也为其他知识产权侵权的计算方法提供了参照和启示。 案情概述:  A公司与Y公司同时参加某项目招投标,Y公司以相对较低价格中标。A公司发现中标的Y公司实际为其前核心员工组建且均与A公司签署有保密协议,保密协议约定对他们知悉的A公司技术秘密保密。A公司起诉Y公司商业秘密侵权。法院在审理认为Y公司核心员工李某的电脑中保存的该项目的标书、中期报告等文件中包含A公司的技术秘密,而且因为Y公司使该等技术秘密的行为使得其以低价中标,进而使得A公司错失了在该项目中的交易机会。因此,法院基于Y公司在该项目中的营业利润判定给与A公司赔偿。 铭盾分析:反不正当竞争法规定了侵犯技术秘密的赔偿述额需要按实际损失、侵权获利、法定赔偿的顺序确定。其中,侵权获利的计算方法可以参照确定侵犯专利权的损害赔偿额的方法进行。而专利侵权的侵权获利的计算方法则包括侵权人因侵权所获得的利益可以根据该侵权产品(服务)在市场上销售的总数乘以每件侵权产品(服务)的合理利润所得之积计算。侵权人因侵权所获得的利益一般按照侵权人的营业利润计算,对于完全以侵权为业的侵权人,可以按照销售利润计算,但其中应当合理扣除因其他权利所产生的利益,即应当考虑专利在利润中的贡献率。按照上述的计算方法,对于并非以侵权为业的侵权人技术秘密侵权行为的获利可以按以下方式计算:侵权获利=侵权产品(服务)量X侵权产品(服务)营业利润X技术秘密对利润的贡献率;其中,营业利润=销售利润-管理费用-财务费用。但在本案中,法院认为招投标项目有其特殊性,...
  • 点击次数: 12
    2023 - 02 - 17
    作者:金涟伊现如今,品牌对于企业发展的重要性已经无可非议,大型企业甚至成立专门的知识产权公司以统一管理、运营、保护其知识产权。而对于中小企业,品牌保护对自身发展有着更重要的意义。能否另辟新径,避开企业规模的劣势,令其品牌直面消费者,使自身获得相应市场地位,成为中小企业树立优质品牌的工作重点。然而,中小企业品牌在面对猖獗的恶意抢注行为时显得更为脆弱,由于自身规模及可调用资源的限制,通常难以与怀有恶意的商标抢注人,甚至同行业竞争者相抗争。本文将简要介绍目前常见的打击恶意商标申请的办法,为中小企业打击恶意商标申请提供思路参考。 一、 何为恶意商标注册申请及法律相关规定 实践中常见的恶意商标注册申请主要可分为两类:以囤积倒卖商标为目的的恶意商标注册申请;侵犯他人在先权利的恶意商标注册申请。 (一)以囤积倒卖商标为目的的恶意商标注册申请 以囤积倒卖商标为目的的恶意商标注册申请,是指申请人在多个类别大量申请商标,明显超出实际生产经营活动所需。商标法第四条规定,“自然人、法人或者其他组织在生产经营活动中,对其商品或者服务需要取得商标专用权的,应当向商标局申请商标注册。不以使用为目的的恶意商标注册申请,应当予以驳回。”该条规定了向国家知识产权局商标局申请注册的商标应当是生产经营活动所需,不以使用为目的的商标注册申请是恶意商标注册申请,国家知识产权局将予以驳回。 国家知识产权局对不以使用为目的、囤积商标的恶意注册申请的打击力度较重,一旦发现此种申请,将对该申请人所申请的全部商标均予以驳回。此种驳回目前公示在国家知识产权局商标局官网的商标注册审查决定文书栏目中。 尽管国家知识产权局会依职权主动对此种恶意注册商标行为采取行动,但在审查中仍可能存在漏网之鱼。由于此种恶意注册申请会侵占大量商标资源,可能导致企业在申请自创商标时遭遇...
× 扫一扫,关注微信公众号
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务