China’s cross-border data transfer regime: how will the “new oil” flow?

Data underpins the modern global economy. Governments across the globe are trying to craft regulatory frameworks that strike a good balance between harnessing the economic utility of data and promoting other policy priorities. Regulating cross-border data flows involving multiple jurisdictions presents a particularly challenging task for countries. ACI delves into the development of cross-border data flow regulations in China, the world’s second-largest digital economy, to understand its data flow policy landscape and gauge potential impacts.

China’s new regulatory framework has three pillars: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). Notably, the PIPL plays a central role in regulating data export in China. Figure 1 summarizes recent developments of these three laws. Under the PIPL, firms must meet various requirements if they want to transfer data outside of China. For example, a company that handles “sensitive” personal information of more than 10,000 people is required to pass a security assessment by the Cyberspace Administration of China (CAC). This compulsory assessment also applies to several other stakeholders that handle China’s important data. However, the entire assessment procedure can take months, which will unavoidably increase operating costs for businesses.

To better understand the potential impacts of China’s PIPL, the paper compares the PIPL with the ‘gold standard’ data protection law, the EU’s General Data Protection Regulation (GDPR). The comparison highlights that the PIPL is generally similar to the GDPR, but the difference lies in policy priorities. Specifically, China emphasizes national security concerns, while the EU stresses citizens’ data privacy. Due to these different policy priorities, China and the EU chose different approaches to managing cross-border data transfer. The EU’s GDPR is less restrictive on outbound data transfer, as long as the data handlers can guarantee an adequate level of data protection. China, on the other hand, is more stringent and mandates data localization for some firms.

Delving into the implications of the PIPL’s enforcement, the paper finds that the PIPL will increase operating costs for firms and increase market concentration in China. Moreover, the PIPL can lead to differential treatment of Chinese and foreign firms, which will negatively affect the competitiveness and innovation of both. In conclusion, China’s current data regulatory framework will likely negatively affect businesses in China. However, since Beijing is still completing its data governance framework with more specific regulations, how it will evolve and be implemented remains to be seen.

Looking ahead, the authors underline that the developments in China’s legal framework must be seen in the global context. Currently, there are three mainstream policy models for data protection: the ‘conditional model’ enforced by the EU, the ‘open model’ implemented by the US, and the ‘control model’ enforced by China. The harmonization of different frameworks is not within reach in the near term, as shown by the case of the EU and China. Therefore, the world will observe a period of uncertainty as countries are still exploring channels for collaboration and the optimal policy mix.

By XU, Ni Scarlet

Researchers: XIE, Taojun, LIU, Jingting, SENGSTSCHMID, Ulrike, GE, Yixuan
