A Chinese Data Privacy Law with Strong Influences from the EU

A Chinese Data Privacy Law with Strong Influences from the EU-China Releases the Draft on Its First Uniform Personal Information Protection Law

Authored by Yingying Zhu

The world has witnessed a torrent of lawmaking, regulatory design and enforcement activities regarding data privacy following the enactment of the General Data Protection Regulation (“GDPR”) [1] of the European Union in May 2018. At present, 132 out of 194 countries had put in place legislation to secure the protection of data and privacy. [2]


The inadequacy of personal information protection in China has raised widespread public concerns in this big data land with 904 million netizens,[3] vulnerable to data breaches and cyber frauds. In 2016, a professor at the prestigious Tsinghua University wired more than CNY17 million to a fraud, after she received a scam call from the fraud who knew every detail about the deal of a recent sale of her real property.[4] Incidents like this have led to nationwide discussions and provoked reflection among thinkers, legal experts and law makers. 


At present, data protection laws, regulations and specifications in China were scattered in sectional laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, etc.


On October 13, 2020, after years of brewing, China releases the long-awaited and much-welcomed draft on its first dedicated personal information protection law. The draft has been submitted to the standing committee of the China's top legislature-the National People’s Congress (“NPC”) for the first review and then posted for public comments on NPC’s official website. The comment period lasts until November 19, 2020.


Being the first comprehensive law that emulates the GDPR, the draft Personal Information Protection Law (“draft PIPL”) has shown strong GDPR influences as well as its unique Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

The types of information considered personal under the draft PIPL include various information recorded electronically or in other forms that is relating to an identified or identifiable natural person (“data subject”), excluding the anonymized information. The processing of personal information includes activities such as the collection, storage, use, handling, transmission, provision, and disclosure of personal information.

Here, “personal information” under the draft PIPL is similar in terms of definition to “personal data” used in the GDPR as well as in its predecessor, the EU Data Protection Directive,[5] because it includes data that relate both to an “identified” or “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.[6] For example, the name of a person (in particular, a none-celebrity), is often not identified to an individual, but sometimes can easily be linked to an individual with bits of other information, such as an address, a telephone number or a place of work.


On a risk-based approach, the draft PIPL defines sensitive personal information (“SPI”) as personal information that once leaked or illegally used may lead to discriminatory treatment or could seriously endanger the safety of persons or property, including information such as one’s race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. The draft also requires that the individuals' “independent consent” shall be obtained where processing SPI is to be based on individuals' consent and individuals shall also be informed of the necessity of processing SPI and the impact on them.


The draft PIPL, for the first time in China’s privacy protection legislation, specifically defines SPI. As improper disclosures of SPI can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that SPI could be specifically defined and appropriately protected.


One problem with the draft PIPL’s definition of SPI, however, is that it seems to ignore a certain type of SPI -a person’s private or secret life that in many defamation cases has been the subject of public online shaming. If an individual’s personal private life (usually unpleasant, eccentric or immoral) was posted on some popular online platforms due to mishandling of that individual’s personal information, and the news goes viral, the victim in many cases would suffer spiritually from attacks of cyber-mobs and internet violence. The suffering can be nothing financial but only emotional. Here, the risk-based definition of SPI in the draft PIPL only covers risks in the form of “discriminatory treatment” or “endangering safety of persons or property”, but leaving out the harm caused to personal reputation and psychological health, which, in many cases, could be the only resulted harm in violation of SPI. The draft PIPL obviously did not give enough consideration to such type of possible harm in its current definition of SPI.


Under the GDPR, processing of personal data of a sensitive nature shall be prohibited, unless some stricter preconditions could be met. Such data are classified under the label of SPI[8] and sensitive data are clearly listed by its definition.


Though differ in defining, the draft PIPL converges with the GDPR in that both recognize SPI is belonging to a specific category of information that must be treated with extra safeguarding.

Rights of Individuals

Under the draft PIPL, individuals enjoy the right to know and make decisions about the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except otherwise provided by laws and administrative regulations

Specifically, individuals enjoy the following rights:

1)    Right to access:[9] the data subject may consult or reproduce his personal information from the information processor;

2)    Right to rectification: upon discovery of any error in the information, the data subject has the right to raise an objection and to request to have a timely correction;

3)    Right to be forgotten: if the handling of personal information is in violation of law, or any prior agreement, or the purposes of processing have been realized, or an individual has withdrawn the consent, the data subject has the right to request a timely erasure. If, however, the retention period prescribed by law has not been completed, or deletion of personal information is technically difficult to achieve, the personal information processor shall stop the processing;

4)    Right to be informed: individuals have the right to be informed about rules concerning the processing of their personal information;

5)    Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on one’s rights and interests, one has the right to request an explanation from the personal information processor and has the right to refuse automated individual decision-making.

Under the draft PIPL, individuals have a broader scope of rights than previous laws in the same sector and it brings China’s protection on privacy even closer to the GDPR standards.[10] It is however interesting to note the “right to data portability”[11] under the GDPR has not been transplanted to its Chinese counterpart. As the right to data portability does not apply to genuinely anonymous data but only to pseudonymous data that can clearly be linked back to a data subject, maybe the notions of cyber- sovereignty and network security with a distinguishable Chinese feature could account for the missing of such right in the Chinese context..

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for data collection are: data shall be collected lawfully and justifiably, openly and transparently, accurately and kept up-to-date and data collection shall have clear and reasonable purposes and be limited to the minimum scope to achieve such purposes of processing. The data processing activities shall meet the following conditions:

(1) With the consent of the individual;


(2) It is necessary for entering into or performing a contract to which the individual is a party;


(3) It is necessary for performing of legally-binding duties or obligations;


(4) It is necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property under an emergency;


(5) It is within a reasonable range in order to carry out acts such as news reporting and public opinion overseeing in the public interest; or


Other circumstances warranted by laws or administrative regulations.


The GDPR provides six legal bases for processing personal data, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests pursued by the controller or by a third party.[12] The draft PIPL sets out the above five specific legal bases for processing personal data, which are comparable to the first five legal bases of the GDPR while chipping away the last one concerning “legitimate interests pursued by the controller or by a third party”, on the possible account that it would have the potential of giving too much discretion to the information processor and therefore dilute the value of all the other legal bases.


Under the draft PIPL, consent, albeit the most well-known one, is just one of the legal bases a business can rely on to justify the proceeding of individuals’ personal data. Furthermore, for consent to be valid, it must be freely-given, unambiguous and explicit, informed and withdrawable. Consent is not freely-given if individuals have no other meaningful options but to give out their consent. This means businesses shall not create an opt-in-or-leave-it situation when seeking people’s consent. Individuals need to maintain the ability to decline and shall be free from discrimination when they opt out. The draft PIPL also specifies that if there are changes to the purposes or methods for processing information, or to the type of personal information to be processed, the individual's consent shall be re-obtained.


Extraterritorial Applicability


The GDPR has an extraterritorial scope, because it may apply to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior when it takes place in the European Union.[13]


Modeling on the GDPR’s approach towards extraterritorial application, Article 3 of the draft PIPL expands the law’s territorial scope to data processing activities outside China. Any data processing activities that process personal data within P.R. China, if meeting any of the following conditions, will fall under the territorial scope of the Chinese data protection law:


(1) for the purpose of providing products or services to natural persons within the territory;


(2) to analyze and evaluate the conduct of natural persons in the territory; or


(3) other circumstances provided for by laws and administrative regulations.


If this clause remains intact in the final legal text, it means that the Chinese privacy rules now can also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with the Chinese data protection obligations when processing data on individuals in China for the above-listed purposes.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, the one who collects, stores, uses, handles, transmits, provides, and discloses personal information, shall have the following obligations:

(1) take necessary measures to ensure the legal compliance of personal information processing activities and prevent unauthorized access, disclosure or theft, tampering, and deletion of personal information;

(2) while processing personal information at certain volume, shall designate a person in charge to be responsible for overseeing personal information processing activities and any protection measures taken;

(3) if processing Chinese individuals’ personal information outside China as provided in Article 3 of the Law shall establish a point of contact within China;

(4) shall conduct periodic audits and risk assessments in advance for certain categories of personal information processing activities;

(5) where there is incident of personal information leakage, shall immediately take remedial measures and notify the supervisory authorities.

Once a data breach occurs, the GDPR requires data controllers to notify supervisory authorities of a security breach within 72 hours after it has been aware of it.[14] Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.[15]

In comparison, the draft PIPL is not specific about the timeframe for notification to the supervisory authorities and where personal information processors take measures that can effectively avoid the harm caused by the information leakage, the personal information processors are allowed to not notify the individuals.

Liabilities and Penalties

Violations of the draft PIPL may be subject to a fine of up to CNY1 million (about EUR 0.128 million); the directly responsible management and other directly responsible person may be subject to a fine of between CNY10,000 (about EUR1,283) to CNY100,000 (about EUR12,831). Serious violations of the draft PIPL can be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year's turnover. Where there is an illegal act of data processing activities, it is to be recorded in the business’ credit files with a public announcement posted.

In comparison, under GDPR, the less severe infringements could result in a fine of up to EUR10 million, or 2% of the business’ global annual revenue in the preceding financial year, whichever is higher. For more severe infringements, GDPR sets a maximum fine of EUR 20 million or 4% of annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, the high penalties on noncompliance aim to have a deterrent effect on rule-breakers who are mishandling people’s data or using people’s data without adequate measures in place to safeguard them.


The draft PIPL, being the first dedicated law to data privacy protection in China, thus forming a unified force of enforcement, marks a milestone in the country data privacy legislation. The law shows a broader scope of application than the previous sectional laws and regulations and levels up the country’s protection on data privacy closer to the GDPR standards, a.k.a., the global standards, given the large number of countries around the world that have adopted the GDPR model. While highly converging with the EU rules, the draft PIPL demonstrates a unique Chinese characteristics thus showing a strong Chinese voice with a subtle EU accent.

The laws and regulations on data privacy are constantly evolving in China with changes still in the pipeline. We are here to help if you have any problems, issues, concerns regarding data privacy protection inside or outside China.


[1] The General Data Protection Regulation (EU) 2016/679.

[2] See


[4] See

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at for the translation of the texts of the draft PIPL.

[8] Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] See

  • 相关资讯 More
  • 点击次数: 1000007
    2023 - 11 - 07
    作者:张琳在交通事故中,如受害方的车辆为经营性车辆,如出租车、长途客车、货运车等,在车辆损坏后,不仅会产生车辆修理费用,还会产生停运期间的经营损失。对于该停运损失,责任方是否应当赔偿?如应当赔偿,是否可由保险公司进行理赔?    对于上述情况,相关法律法规没有明确规定,但《最高人民法院关于审理道路交通事故损害赔偿案件适用法律若干问题的解释》第十二条作出了明确规定:“因道路交通事故造成下列财产损失,当事人请求侵权人赔偿的,人民法院应予支持:......(三)依法从事货物运输、旅客运输等经营性活动的车辆,因无法从事相应经营活动所产生的合理停运损失.....”虽然上述司法解释对此作出了明确规定,但在司法实践中仍存在理解和执行上的不统一。笔者拟结合几个案例针对相关具体问题进行探讨和分析并提出自己的意见和建议。 一、案例简介案例一:郭某与赵某、某财保公司机动车交通事故责任纠纷案件(参见北京市东城区人民法院(2023)京0101民初32号一审民事判决书)郭某向法院起诉,请求赵某赔偿车辆维修期间的营运损失9000元(600元/天×15天)、交通费,某财保公司承担连带责任。法院查明,2022年某月某日,赵某驾驶的A车与郭某驾驶的B车发生交通事故,车辆损坏,无人受伤,交警部门认定赵某全责。郭某系网约车司机,某财保公司已赔付了修车费。法院经审理认定,郭某主张的停运损失属于间接损失,不属于交强险和商业险的赔偿范围,郭某要求某财险公司理赔的诉讼请求不予支持;赵某负全责,应赔偿郭某合理停运损失;停运损失的具体数额,结合车辆停运时间、郭某运营成本、运营能力、运营收入等因素确定;郭某主张的15天维修天数超出合理期限,结合郭某车辆损坏程度和维修项目,酌定为8天;综合考虑事故车辆受损、停运、运营行业收入水平等因素,酌定郭某合理停运损失为300元/天...
  • 点击次数: 1000005
    2023 - 10 - 30
    作者:刘艳玲              商业秘密有三个构成要件:一是该信息不为公众所知悉,即该信息是不能从公开渠道直接获取的;二是该信息能为权利人带来经济利益,具有实用性;三是权利人对该信息采取了保密措施。概括地说,不能从公开渠道直接获取的,能为权利人带来经济利益,具有实用性,并经权利人采取保密措施的信息,即为《反不正当竞争法》所保护的商业秘密。 技术秘密纠纷案件由于其技术复杂性、案件背景复杂性和有效证据取得性等原因在司法实践中一直属于较难的案件。权利人主张被诉侵权人侵犯自己所有的技术秘密,权利人需要提供证据证明以下几个方面的事实和理由:第一,明确其技术秘密的内容,通常需要细化固定和明确其主张的技术密点;第二、举证该技术秘密具有商业价值;第三、被诉侵权人持有的侵权信息;第四、被诉侵权人持有的侵权信息与权利人的商业秘密构成实质上相同;第五、被诉侵权人实施了《反不正当竞争法》第九条中所列的侵权行为之一。首先,技术秘密内容的查明作为商业秘密的确权基础就是司法实践中的难点,本文结合现有裁决文书对技术秘密纠纷中技术密点的分析和认定进行讨论。  【案号】(2015)闽民初字第152-3号民事裁定书和(2020)最高法知民终385号二审民事裁定书[汕头海洋投资发展有限公司与北大方正物产集团有限公司、福建方兴化工有限公司等其他侵害商业秘密纠纷] 【一审基本案情】汕头海洋投资发展有限公司(简称“汕头海洋公司”)主张其系S.O.E第二代聚苯乙烯成套工艺、装备专有技术许可的所有权人,并将该专有技术许可给了泉港海洋公司使用。后泉港海洋公司的资产经司法拍卖后归被告之一方兴公司所有。为能启动生产,方兴公司在原泉港海洋公司部分高管和技术骨干尚未解除劳动合同并负有保密和竞业限制义务的情况...
  • 点击次数: 1000005
    2023 - 10 - 16
  • 点击次数: 1000006
    2023 - 09 - 15
    作者:赵丹青在商标实务中,对于将与他人在先登记、使用并具有一定知名度的字号相同或者基本相同的文字申请注册为商标,容易导致相关公众混淆的,可以依据《商标法》第三十二条主张系争商标对他人在先字号权的损害,要求将系争商标不予核准注册或者予以无效宣告。 若是反过来,将他人在先注册商标作为企业名称中的字号使用,应当如何进行维权呢?下面,我们通过案例进行说明。 案例一 案情简介 台联良子公司于2004年注册“良子”商标,核定使用在第44类服务上,即蒸汽浴室;按摩;公共卫生浴室;美容院;修指甲;高级理发店。台联良子公司及关联公司于2005年、2006年均被授予全国“百佳诚信单位”“2005年中国十大行业隐形冠军”。2015年,良子获得创新医疗大赛180+项目,2016年获得中美健康峰会100+项目。《北京晚报》等多家媒体报道了台联良子公司的发展历程。 2020年,足间道良子公司成立,曾用名北京阿丽良子健康管理有限公司,于2020年4月变更为现名称。经营范围包括健康咨询服务、体育健康服务、生活美容服务、足浴服务等。足间道良子公司在其店铺招牌、靠垫、毛巾、前台等处均突出使用“足间道良子”标识。台联良子公司发现上述行为后,向法院提起诉讼。 案例分析 《商标法》第五十七条规定,未经商标注册人的许可,在同一种商品上使用与其注册商标近似的商标,或者在类似商品上使用与其注册商标相同或者近似的商标,容易导致混淆的,属于侵犯注册商标专用权的行为。 本案中,台联良子公司涉案商标核准注册服务包括第44类的按摩、洗浴、美容理发,结合足间道良子公司经营范围、店招、店内装潢及宣传材料,足间道良子公司提供的是与涉案商标核定服务项目类似的按摩及足浴服务,两者服务类别相同。足间道良子公司未经台联良子公司许可,在经营场所的店招突出使用了与上述注...
× 扫一扫,关注微信公众号
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务