
Over the past decade, China has frequently faced international scrutiny and criticism regarding access to and use of personal data, involving both state and private sectors—from intelligent CCTV systems to large digital platforms holding data on hundreds of millions of users.
However, in recent years, this image has been shifting as China has begun systematically and stringently establishing personal data laws, reflecting the government's efforts to raise privacy standards and bridge trust gaps domestically and internationally.
Recently, the Cyberspace Administration of China (CAC) unveiled draft regulations on "the supervision of personal data collection and use by internet platforms," inviting public comments. This marks a significant step toward detailed, practical enforcement of data laws.
A key turning point was the enforcement of the Personal Information Protection Law (PIPL) on 1 November 2021, the first comprehensive law protecting personal data, aimed at preventing misuse and granting new rights to Chinese data subjects. It is comparable to the European Union's GDPR and is often described as "China’s GDPR." PIPL establishes core principles such as:
The law carries strict penalties, including fines up to 50 million yuan or 5% of the previous fiscal year’s revenue. In some cases, companies may be ordered to suspend operations until full compliance is proven. Individuals responsible for data protection may also face personal fines up to 1 million yuan.
Just two months earlier, China implemented the Data Security Law (DSL), which requires business data to be classified by importance and imposes restrictions on cross-border data transfers. Both laws directly affect how companies collect, store, use, and transfer data.
In practice, China’s tech sector has been criticized for requesting excessive permissions, including forcing users to consent via pop-ups and linking service access to data collection consent. The CAC’s new draft regulations aim to close these gaps by holding app providers accountable for security and compliance, extending to app design and function-level consent, such as:
China was among the first countries to regulate algorithm use aimed at boosting sales and user engagement. In September 2021, the CAC announced a three-year plan to oversee predictive algorithms used by online content providers, banning algorithms that encourage addictive online behavior, a sensitive social issue in China. Platforms must disclose algorithmic recommendation usage and allow users to disable such systems. These rules rely on PIPL authority and impact both Chinese and foreign businesses operating in China.
All these measures come amid mounting pressure from data breaches and concerns about commercial data misuse, especially by foreign companies operating in China. Last year, Chinese authorities administratively sanctioned LVMH’s Dior brand in Shanghai for personal data protection violations, underscoring that these laws are seriously enforced.
Broadly, China seeks to shift its image from one where "the state controls data" to that of a country that strictly governs data use under its legal framework. Although this differs from Western liberal concepts, it reflects the strategic importance of personal data in China’s policy. Should these drafts be officially enforced, it would signal China entering its most rigorous and concrete era of data governance yet.