Next Article in Journal
Capitalizing Trademarks as Security: The Canadian Trademark Finance Perspective
Previous Article in Journal
Commercial Use of Satellite Remote Sensing Data and Civil Liability
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Laws
Volume 13
Issue 6
10.3390/laws13060078
laws-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Practice and Prospect of Regulating Personal Data Protection in China

by
Liping Yang
1,
Yiling Lin
2 and
Bing Chen
2,*
1
School of Law, Fuzhou University, Fuzhou 350025, China
2
School of Law, Nankai University, Tianjin 300350, China
*
Author to whom correspondence should be addressed.
Laws 2024, 13(6), 78; https://doi.org/10.3390/laws13060078
Submission received: 8 September 2024 / Revised: 7 December 2024 / Accepted: 12 December 2024 / Published: 13 December 2024
Review Reports Versions Notes

Abstract

:
Privacy protection is a fundamental guarantee for secure data flows and the basic requirement for data security. A reasonable privacy protection system acts as a catalyst for unlocking the financial value of data. The current legislative framework for personal data protection in China, adhering to the principle of proportionality, establishes critical measures such as informed consent for data collection and processing, data classification and grading management, and remedies for data leakage and other risks. In addition, in judicial practice, typical disputes regarding personal information protection and privacy rights have been promoted to clarify the scope for collecting users’ personal information and biometric data. Although further improvements are needed in legislative, judicial, and technical approaches, China’s commitment and practice in personal data protection are noteworthy. The existing legislation, law enforcement, and technical practices play an increasingly vital role in realizing the financial value of data and are essential for international cooperation on privacy protection. Furthermore, it is crucial to actively explore cooperation mechanisms for cross-border data flows under the principle of data sovereignty, participate in developing international rules for cross-border data flows, and formulate different management norms for cross-border data flows across different industries.

1. Introduction

As a new factor of production, data has profoundly transformed the way of production, life, and social governance, becoming a critical element in enhancing the core competitiveness of enterprises and unlocking the potential of the market economy. In China, where the digital economy is rapidly expanding, data has emerged as a critical driver in shaping new quality productivity1. In December 2023, China’s Central Economic Work Conference emphasized the importance of strengthening the regulation of cross-border data flows to boost the country’s high-quality economic development. Subsequently, in January 2024, 17 Chinese departments jointly issued the “Data Element X” plan2, which advocates for the promotion of data application scenarios, the improvement of resource allocation efficiency, and the cultivation of new growth drivers to achieve multiplier effects on economic development3. Currently, China has implemented numerous policies to advance the development and utilization of data elements. The overall market size of data transactions reached RMB 87.68 billion in 20224, approached RMB 120 billion in 2023, and is projected to surpass RMB 150 billion by 20245. These figures demonstrate vigorous progress in data flows within China.
Privacy protection, as a fundamental safeguard for data flows, embodies the essential requirements for data security and facilitates the efficient flow of data. Insufficient emphasis on personal data protection can lead to risks such as data falsification, leakage, or abuse, which could infringe upon individual privacy (Farayola et al. 2024). In recent years, China has enacted several laws to protect personal information, including the Data Security Law, Cybersecurity Law, and the Personal Information Protection Law, all of which require that data collection and processing adhere to the principle of informed consent. In addition, the integration of privacy protection provisions into the Anti-Monopoly Law and the development of privacy remedies have sparked significant discussion in China. However, personal information leakage remains a prevalent issue in practice. This is largely attributed to gaps in privacy protection legislation, an incomplete legislative framework, and the underutilization of mechanisms such as civil public interest litigation. These shortcomings lead to the low willingness of data enterprises and individuals to circulate and ultimately hinder the realization of the value of data.
This paper examines the fundamental role of privacy protection in enabling secure data flows and analyzes the current legislative framework and judicial practices in China. By examination and analysis, this paper concludes that the key to fully realizing the value of data lies in the development of more comprehensive legal systems for privacy protection, the enhancement of judicial systems for anti-monopoly civil procuratorial public interest litigation, the advancement of technical measures for data flows, and the exploration of the international rule for cross-border data flows.

2. Privacy Protection as the Fundamental Guarantee of Data Flows

The privacy protection system is the core system to promote the security of data flows. Beyond enabling secure exchanges, a comprehensive privacy protection system is essential for unlocking the value of data.

2.1. Promoting Secure Data Flows

The “Data Element X” Plan, jointly issued by 17 departments, states that “we will implement the data security laws and regulations, improve data classification and grading protection systems … strengthen the personal information protection and improve the capability of security”6. The statement demonstrates the necessity of data security and personal information and privacy protection to release the value of data. All participants in data trading are required to act as personal information handlers and fulfill their legal obligations to protect personal information7.
In practice, de-identification and anonymization are effective ways to protect privacy. De-identification reduces the risk of identification, while anonymization removes the possibility of identifying individuals entirely. Since it is almost impossible to distinguish specific natural persons and reverse the process, the security of personal information is maximized, and personal information is prevented from being leaked.
In the healthcare industry, the government grants the property rights of public medical data (i.e., personal medical data collected by the government departments) to market participants under the authorized operation mechanism. The market participants then develop medical data products for circulation and trading after anonymizing the public medical data (Feng 2023). For instance, the Xiamen Municipal Health Commission authorized the Xiamen Health and Medical Big Data Co., Ltd. to develop healthcare data. As a result, real-world research data on endocrine and metabolic diseases has been traded on the Fujian Big Data Exchange in March, 20248. In this transaction, Xiamen Health and Medical Big Data Co., Ltd. is the supplier, Beijing Intelligent Decision-Making Medical Technology Co., Ltd. is the demander, and Fujian Big Data Exchange guarantees the transaction as a platform. All data products traded on Fujian Big Data Exchange comply with the legal and regulatory requirements, including anonymization and de-identification, which ensures privacy protection and security during the whole process of data collection, convergence, cleaning, analysis, sales, purchase, and application.
The Business Procedures on Data-Cleaning, De-identification and Anonymization (for Trial Implementation) states that “regulating data cleaning, de-identification, and anonymization helps to enhance the data availability, trustworthiness, circulation and traceability. This regulation is integral to establishing a compliant and efficient data flows system that combines exchange-trading and over-the-counter transactions”9. It can be said that de-identification and anonymization are the precondition for data products to be listed, and the prerequisite for registration and trading of data assets.
First of all, data cleaning ensures data usability. Data cleaning is the process of using a certain method to correct the identified data problems and identify the standardization, completeness, consistency, accuracy, and accessibility of the data. It improves the quality of data and provides a basis for subsequent data development and utilization. The second reason is that de-identification is the key to data desensitization. Data de-identification involves processing data to remove or obscure identifiers associated with a specific individual, ensuring they cannot be linked without supplementary information. Data de-identification emphasizes the “unidentifiability” of identifiers, that is, the relevant information content of data is desensitized by techniques such as removal, substitution, and fuzzy replacement.
Both data cleaning and data de-identification aim to anonymize data. Anonymization is the reinforced version of de-identification, emphasizing the criteria of “irrecoverability” instead of “unidentifiability” as the further processing of data de-identification. Due to the difficulty of identifying a specific natural person or a processed identifier from anonymized data, even with additional information, anonymized data is no longer treated as personal information and can be traded as a data product. Currently, data anonymization is a key object in compliance review in China’s provincial data trading practice. Data products without going through anonymization cannot pass a compliance review, nor can they be traded on data exchanges.

2.2. Enhancement of Commercial Value of Data

The most important economic characteristics of data is that the production costs are high, but the costs of reproducing it are nearly zero (Patterson 2022). Commercial value refers to the actual or potential economic benefits brought by the current or future use of data to rights holders. The most essential aspect of this commercial value lies in the competitive advantage that rights holders maintain through their holding of data. The commercial value of data is an inevitable connotation of data flows, and data without commercial value has no need to be circulated. In practice, it is stipulated that the intellectual property registration for data should apply to data or data sets with commercial value. Although local normative documents use different expressions, such as commercial value10 or practical11 value, these concepts are closely related to one another, with practicality serving as the basis of value. Without practicality, there is no value, and value is the result of practicality (Kong 2019). Paragraph 4 of Article 9 of the new Anti-Unfair Competition Law uses the expression “with commercial value” to replace the previous expression of “capable of bringing economic benefits to the right holder and is practical”, indicating that practicality has the same connotation with commercial value12.
In addition, the value of data in different scenarios is different, and the value of personal data or a group of personal data in different scenarios also varies. Privacy protection, achieved through de-identification and anonymization, can unlock the commercial value of data by enabling its use across different scenarios. For example, applying unified healthcare data to three different scenarios—i.e., the precise delivery of health and medical advertisements, the development of health insurance products, and health and medical services—generates different values (Yin et al. 2021). However, the failure to protect privacy may reduce the commercial value of data, lead to data infringement, make the data transaction parties liable for damages, and further reduce the commercial value of data products.

3. China’s Regulatory Framework for Privacy Protection of Data Flows

China attaches great importance to the protection of data privacy. In this regard, a series of laws and regulations have been introduced, and significant judicial cases have been published to guide enforcement in practice.

3.1. Basic Legislative Framework

3.1.1. Purpose of Handling the Personal Information of Natural Persons Data Collection and Processing: The Principle of Proportionality

Article 6 of the Protection of Personal Information Law specifies that the collection of personal information must be limited to the minimum necessary scope required to achieve the purpose of processing, and excessive data collection is prohibited. Additionally, both Article 1035 of the Civil Code and Article 32 of the Data Security Law state that data collection must comply with the principles of lawfulness and justification, and data should only be collected and used within necessary limits.
It can be seen that China’s legislation explicitly requires that data collection and processing adhere to the minimum necessary principle. This means that data controllers and processors must collect personal data solely for a clear and reasonable purpose, and such data must be directly relevant to the processing objectives (Chen and Liu 2024). The principle of minimum scope requires data handlers to inform the person whose data is collected of the purpose of data collection and to ensure that the data is not used beyond the agreed-upon purposes (Liang 2018). The reason for this limit is that illegal processing often involves the excessive collection of personal information, which increases the risk of illegal trading or data leakage. Therefore, it is necessary to limit the scope of collecting personal information into the minimum scope for realizing the purpose of processing.
The purpose of data collection and processing should be justified, lawful, and reasonable. Both the principle of minimum scope and the principle of minimum necessity belong to the principle of proportionality. The principle of proportionality implies a cost-benefit approach, meaning that the scope of data collection and processing should be limited to what is necessary to achieve the stated purpose. At the same time, the means of collection and processing should minimize the damage to individuals’ rights, thereby ensuring a balanced outcome that aligns with the requirements of proportionality.

3.1.2. Requirements for Data Collection and Processing: “Informed Consent”

The “informed consent” rule is a fundamental requirement for data collection and processing in China and is also a core principle in the field of data protection. At the stage of data collection, the data handlers must promptly and accurately disclose the scope, methods, and purposes of data processing, in line with the principle of informed consent. Article 1035 of the Civil Code states that personal information processing must be lawful, justified, and limited to what is necessary. Paragraph 1 of Article 14 of the Personal Information Protection Law further emphasizes that the processing of personal data requires the individual’s voluntary and explicit consent, granted with full knowledge. These provisions establish that consent provides the legal basis for processing. Article 1036 of the Civil Code provides that the information processor is not liable for civil damages if the processing falls within the scope of consent granted by the individual or their guardian. Such consent eliminates the illegality of information processing and is an exemption cause of personal information processing. Data use beyond the consent boundary is invalid and shall be informed again to obtain consent.
Utilization beyond the boundary of consent is invalid, and consent should be re-informed and obtained for any use beyond the agreed boundaries. However, there are exceptions to the “informed consent” rule, whereby the government may collect and process personal data beyond the scope of consent when it serves the public interest. The “public interest” can be regarded as an exemption from the requirement of informed consent. In such cases, the individual’s interest is subordinated to the public interest, with the individual’s rights appropriately limited to achieve societal benefits.

3.1.3. Measures for Data Collection and Processing: Rules for the Data Classification and Grading System

Data classification and grading serve as the foundation for secure data flows and governance (Hong 2021). Article 21 of the Data Security Law mandates the establishment of a data classification and grading13 system. Additionally, Article 51 of the Personal Information Protection Law requires personal information processors to implement classification management for personal data.14 Articles 5, 9, and 26 of the Administrative Regulations on Network Data Security (Draft for Comment) outline detailed management measures for data classification and grading15.
In general, China’s regulations distinguish between “personal information” and “important data,” adopting a dual-track regulation mode for the protection of both. They categorize data into different security levels based on its sensitivity and the potential harm to national security, social order, public interest, and the legitimate rights of citizens, corporations, and other organizations in the event of data leakage or distortion. This classification system is coordinated at the central level and implemented according to industry-specific standards, aiming to ensure privacy protection.

3.1.4. Remedies for Data Flows: Notification—Protection

Article 57 of the Personal Information Protection Law provides that, where personal information has been or may be falsified, leaked, or lost, the personal information processor shall take remedial measures and notify the departments and persons with protection duties. The notification should include the types of information leaked, the causes and the possible harm of the leak, the remedial measures taken by the processor, the measures that individuals can take to mitigate the harm, and the contact information of the personal information processor. According to the above provision, “notifying” departments and individuals with protection duties is the obligation for the information processor, when data security risks arise. Paragraph 2 of Article 1038 of the Civil Code outlines an information processor’s obligation to mitigate risks in case of data exposure. If data is at risk of leakage, the processor must promptly notify both the data security supervisor and the data holder, while taking preventive measures to avoid further damage (Xie 2020). However, while the framework includes a “notification-protection” approach, there are no specific provisions for remedial actions.
In fact, administrative authorities have also taken significant steps in protecting privacy. Since 2019, the Ministry of Industry and Information Technology has been listing certain apps that infringe on user rights, detailing the type of violation in the notices. For serious cases, the apps are removed from platforms. These actions play a crucial role in safeguarding personal privacy and make the application of the principles of minimum necessity and informed consent clearer.

3.2. Typical Judicial Practice

3.2.1. Extent to the Collection of User Personal Information

In a personal information civil public interest litigation case brought by the People’s Procuratorate of Yuhang District, Hangzhou City, against a network technology company (hereinafter referred to as the “network technology company’s personal information civil public interest litigation case”), the application involved is a video mobile app for music teaching, developed and operated by the defendant. The app primarily offers live-streaming courses for popular musical instrument instruction. During the installation and use process, the application exhibited the following illegalities and irregularities concerning user personal information: (1) the application failed to display a privacy policy during downloading, installation, or use, and did not prompt users to read the privacy policy or other rules regarding personal information collection, either through pop-up windows or other obvious means. (2) The application refused to provide certain business functions on the grounds that users disagreed with the collection of unnecessary personal information or the activation of unnecessary permissions. (3) The application did not inform users of the purposes, methods, and scope of information collection when requesting access to sensitive personal information, such as users’ whereabouts and tracking data.
The trial court, Hangzhou Fuyang People’s Court, ruled that: (1) The company violated the principle of “informed consent” by failing to display the privacy policy, prompt users to read it in an obvious way, and inform users of the purposes, methods, and scope of collection when collecting personal information. (2) The application violated the principle of minimum scope by failing to inform users of the purposes, methods, and scope of information collection when accessing sensitive personal information, such as users’ whereabouts and tracking data, and by refusing to provide business functions when users disagreed with the collection of unnecessary personal information or granting unnecessary permissions16. This case highlights the feasibility and necessity of procuratorates filing civil public interest lawsuits to protect personal information in the context of consumer rights, particularly when the infringement harms public interests. Furthermore, the case reviewed the mobile application’s illegal actions, including the failure to release a required privacy policy, the failure to meet privacy policy preparation standards, compulsory authorization, excessive access, and the collection of personal information beyond an appropriate scope. It also clarified the boundaries and scope of these behaviors.

3.2.2. Boundaries of the Biometric Characteristic Information Collection

Biometric characteristic information is considered sensitive personal data due to its uniqueness and irreversibility. If data handlers collect biometric information beyond the appropriate scope, it can cause irreversible harm to the individual whose data is being processed. Therefore, biometric characteristic information should be afforded higher-level protection and collected within a more precise boundary. In the case brought by Mr. Guo against a safari park—China’s first facial recognition case—the park required Mr. Guo to provide his facial recognition data on the grounds that “the original fingerprint-based method was no longer suitable for park entry,” and those who had not registered in the facial recognition system would be denied access. Mr. Guo believed that facial recognition data was highly sensitive personal information, and he refused to provide it, requesting a refund from the park.
The Intermediate People’s Court of Hangzhou (the appellate court) ruled that the safari park had expanded the scope of data processing beyond the originally agreed-upon collection, which was based on photographs, and ordered the park to delete Mr. Guo’s facial recognition information. The trial court similarly ruled that the safari park should delete Mr. Guo’s facial recognition data, as the park had breached the agreed-upon scope of data collection and processing17. The appellate court emphasized that “biometric characteristic information, as a type of sensitive personal information, reflects the physiological and behavioral traits of individuals with strong personal attributes. If leaked or used unlawfully, it could lead to discrimination or accidental harm to personal or property safety. Therefore, more caution and stricter protective measures are necessary when collecting and using biometric data.” It also ruled that the safari park must delete Mr. Guo’s fingerprint data18.
This case involves a service contract dispute over an operator’s collection and use of a consumer’s biometric information for identity verification. It represents a preliminary discussion on the legitimate use of biometric data in consumer contexts, addresses the legal principles surrounding the deletion of personal information under the current legal framework, and responds to the pressing need for reasonable protection of personal information in the digital economy.

3.2.3. Summary and Analysis: Fewer Civil Public Interest Litigation Cases on Privacy Protection

In the network technology company’s personal information civil public interest litigation case, the civil public interest litigation instituted by the procuratorate serves as a significant mechanism for safeguarding the legitimate rights and interests of personal information. In the case of Mr. Guo v. Safari Park, Mr. Guo pursued private relief for the legitimate rights and interests of personal information through civil private interest litigation. Both cases highlight disputes concerning the definition of the minimal scope of data collection and processing. These cases demonstrate that the principle of “minimum scope” is challenging for data handlers and processors to fully understand and apply in practice. The primary distinction between the two cases lies in the methods employed to protect the legitimate rights and interests of personal information: the former utilizes public relief through civil public interest litigation, while the latter opts for private relief via civil private interest litigation.
The table (see Table 1) below summarizes the number of cases on personal information protection and privacy rights handled by Chinese courts from pkulaw.com19, providing a general overview of the specific methods used for privacy protection in data flows. It should be noted that the Supreme People’s Court classifies “personal information protection” and “privacy rights” as one type of cause of action, as outlined in the Regulations on Causes of Action in Civil Cases (2020)20. The case retrieval was conducted using pkulaw.com’s judicial case database through the following steps: first, a preliminary search was carried out using “privacy rights” as the key term under “cause of action”; then, the scope was limited to “disputes over personal rights”; finally, “personal information protection” was selected with a starting year of “the past four years.” This approach helps to better focus on cases addressing both privacy rights and personal information protection.
A survey of the cases involving “privacy rights” as the cause of action in China over the past four years shows the following findings.
(1) There are few cases in which disputes over privacy protection of data flows are submitted through civil public interest litigation. From January 2021 to June 2024, there were 277 cases related to “personal information protection or privacy rights.” Among these, 264 cases (95.31%) were filed through civil private interest litigation, while only 13 cases (4.69%) were submitted through civil public interest litigation. The vast majority of cases concerning personal information protection and privacy rights were pursued through civil private interest litigation. In such cases, individual citizens face limitations in terms of legal capacity, while personal information holders typically have stronger litigation status and more financial resources, which may make it difficult for ordinary citizens to obtain reasonable relief through private interest litigation. However, in practice, very few cases are filed through civil public interest litigation to protect personal privacy, indicating that civil public interest litigation has not been fully utilized in safeguarding privacy within the context of data flows.
(2) A high proportion of cases are closed by withdrawing claims. Of the 277 cases, 134 (48.4%) were closed due to claim withdrawal, while 143 (51.6%) were closed by ruling. Over half of the cases were closed through claim withdrawals, which reflects the challenges individuals face in presenting sufficient evidence in civil private interest litigation. This trend underscores the significant work needed to improve judicial protection of data privacy. In China’s civil litigation system, plaintiffs are burdened with the responsibility of providing evidence to support their allegations. When plaintiffs are unable to gather sufficient evidence, they often choose to withdraw their cases. This means that many individuals are unable to protect their rights and interests through civil litigation. A key solution to this issue is a more reasonable allocation of the burden of proof.
According to Provisions on the Procuratorial Proposal Work of People’s Procuratorates making procuratorial proposals is a crucial tool for procuratorates to fulfill their legal oversight duties. Procuratorial recommendations are issued by the procuratorial authorities to entities that have violated citizens’ information rights. In practice, a large number of cases are resolved through this approach. Not only does it help protect the right to personal information, but it also provides a flexible law enforcement mechanism that can compel entities—such as technology companies—to stop infringing on citizens’ privacy rights.

4. The Prospect and Expectation of Privacy Protection in Data Flows in China

Although the issue of privacy protection in the flow of data in China has been gradually addressed through legislative improvements and enhanced supervision, there remains room for further progress in strengthening the protection of personal information.

4.1. Legislation Perspective: Increasing Institutional Supply

4.1.1. Clarifying the Standards for Data Anonymization and Complying with the Principle of Proportionality

Data anonymization is a critical component in the process of data flow, yet there is no unified standard for anonymization. Even if all parties involved take prudent measures to fulfill their data protection obligations during data flow, security risks may still expose data to vulnerabilities. Therefore, it is essential to gain a deeper understanding of the term “anonymization” as outlined in the Personal Information Protection Law, which refers to the process of cleaning data sets to remove information that can be linked to specific individuals. This process affirms the positive aspects of data usage and circulation and clarifies that anonymized data may be circulated without the need for individual consent, as long as it complies with the provisions of the law. The Implementing Guides for Data Anonymization Processing have been introduced in Beijing21, but these guidelines are applicable only at the local level, not nationwide. In the future, the state may consider introducing a unified national standard for data anonymization, establishing consistent guidelines for data de-identification, adopting an irrecoverable desensitization standard for anonymization, and balancing the need for personal data protection with the full realization of data’s value under these anonymization standards.
While fully anonymizing data is technically challenging, it is both feasible and reasonable to anonymize data according to the principle of proportionality (Ehimuan et al. 2024). The principle of proportionality evaluates the relationship between ends and means, meaning that the collection, processing, and use of data must be limited to the minimum necessary scope for the intended purpose. Any data that falls outside of this scope should be fully anonymized. This principle should also adhere to the minimum necessity requirement, selecting the least invasive method of anonymization that minimizes the impact on the individual and achieves “Pareto optimality.” For example, in the case of medical data, patient privacy protection should focus on safeguarding sensitive personal information, which refers to data that can uniquely identify a patient when combined with other information. Given that the scope of sensitive personal information defines the boundary of a patient’s privacy protection, medical data should only be circulated after the sensitive information has been properly anonymized.

4.1.2. Strengthening Enterprises’ Disclosure Obligations and Optimizing the “Informed-Consent” Rule

The informed-consent rule is a fundamental principle for data collection and usage in the digital economy, serving as the cornerstone of personal information protection. At the data collection stage, adherence to the informed-consent rule requires data handlers to promptly and accurately disclose the scope, methods, and purposes of data processing. However, in practice, the application of the informed-consent rule often becomes a formality, highlighting the need for clearer clarification of enterprises’ disclosure obligations under this rule. For instance, in the realm of medical data, particularly biogenetic data, which is often collected without a clearly defined intended use in medical research and may be used repeatedly in various studies, there is a challenge for medical data handlers. They may find it difficult to determine the extent of consent previously granted, complicating the application of the traditional informed-consent rule.
The “generalized informed-consent” rule offers a more effective approach to facilitating data flow than the traditional model of “informed consent.” Under the generalized informed-consent framework, data handlers are required to inform individuals that their data will be used for future scientific research activities, without the need to obtain consent again each time. In other words, one consent from the individual can cover all future ethical, moral, and legal scientific research activities. This generalized approach helps data handlers and users save on notification costs and facilitates the progress of scientific research activities (Yadav et al. 2023). However, given the potential privacy concerns related to the “generalized informed-consent” rule, the author proposes that the Data Security Law include provisions requiring “stronger disclosure obligations for data handlers and processors, and an enhancement of data holders’ and users’ responsibilities in clarifying the scope and methods of data usage.” This change would shift the generalized informed-consent rule from a one-time consent model to a long-term consent model. Under this approach, in the event of data exposure or leakage risks during use, individuals would retain the right to withdraw their consent, reauthorize consent, and limit the scope of data usage. This would ensure that individuals’ legitimate rights are maximally protected. Furthermore, it would prevent data users from exploiting generalized consent to obscure the scope of data use and improperly circulate data, which could infringe upon individuals’ privacy or the public interests.

4.1.3. Refining Data Classification and Grading Standards and Developing More Types of Protection Measures

Reasonable data classification and grading standards are fundamental guarantees for secure and efficient data flows (Chen 2023). The primary task in data classification is to distinguish between important data, core data, and general data, ensuring that higher levels of protection are applied to important and core data. The Data Security Law, the Personal Information Protection Law, and other relevant regulations provide general provisions on data classification and grading. Meanwhile, the “Data Security Technology—Rules for Data Classification and Grading,” jointly issued by the State Administration for Market Regulation and the Standardization Administration of China on 15 March 2024 defines the framework and methods for data classification, specifying the procedures for classification and grading22.
In practice, various industries also implement their own data classification and grading standards, such as the “Information Security Technology—Guide for Health Data Security,” the “Guide for the Development of Industrial Data Security Standards System (2023)”, and the “Provisions on the Administration of Data Security (for Trial Implementation).” Data classification and grading are designed to apply appropriate protection measures to different categories of data. Therefore, it is necessary to refine these standards in light of specific scenarios and industries, emphasizing the identification of key data, core data, and general data that contain personal information, and improving the protection of both data security and data privacy (Chen and Guo 2022).
Based on the concept of data classification and grading, general data containing personal information can be protected by categorizing it into sensitive personal information and non-sensitive information. This approach emphasizes the exercise of personal data rights and interests, as well as the protection of personal privacy. Personal data processors are expected to apply different processing standards and protection methods for sensitive and non-sensitive information, fulfilling their responsibilities to protect data privacy to the maximum extent and improving the efficiency and security of data flows.

4.1.4. Connecting Multiple Regulators and Building a Collaborative Mechanism

Generally, information processors should implement remedies such as notice-deletion and vulnerability repair. Data platforms are responsible for ensuring information security, enhancing the accountability system, and linking the risk of data leakage to legal risks. These platforms should also encourage personnel and data processors to intensify their efforts to protect data privacy. Additionally, local governments are encouraged to establish a collaborative supervision mechanism for privacy protection to further enhance data privacy safeguards. This collaborative mechanism could involve administrative departments such as competition enforcement authorities, consumer protection authorities, technical prevention agencies, county or district governments, and industry sectors with supervisory and management responsibilities. The county or district governments should play a leading role in this collaborative mechanism, with other sectors collaborating to ensure that data handlers and processors comply with the relevant standards.

4.2. Judicial Perspective: Introducing Anti-Monopoly Civil Public Interest Litigation to Protect Data Privacy

4.2.1. Data Privacy as a Non-Price Competition Factor

The fundamental goal of anti-monopoly laws is to protect competition, and as such, anti-monopoly remedies are designed based on the harm caused to competition. Therefore, including data privacy within the scope of anti-monopoly protection must align with the primary goal of safeguarding competition, while also specifying the harm to data privacy and its connection to competition. However, it remains difficult to evaluate the impact of operators’ conduct on market competition from the perspective of data privacy.
Although controversial, data privacy has emerged as a crucial non-price competitive factor in the digital economy. Traditional competition violations typically result in tangible economic damages, such as consumers paying excessively high prices, which are easier to assess and quantify. In contrast, in terms of user satisfaction, the speed of updates and iterations, ease of use, efforts in privacy protection, advertising volume, and other quality metrics, anti-monopoly law enforcement agencies are increasingly expected to focus on the level of privacy protection (Yin 2020). As privacy data has become a key competitive resource for digital platform companies, users now make decisions about whether to accept the services or products offered by these platforms based on the extent of privacy protection. In other words, privacy protection has become a key indicator for measuring the quality of products and services offered by digital platforms, reflecting their competitive advantage in attracting consumers.

4.2.2. The Public Dimension of Violations of Data Privacy

With the continuous development of the modern market economy and the emergence of new types of disputes, civil public interest litigation is playing an increasingly important role in privacy protection in data flow. The determination of an act as harmful to the public interest should be based on the potential risks or actual damages that the act imposes on non-specific consumers. Improper user profiling in the digital economy infringes upon the legitimate rights and interests of non-specific online consumers. In this context, improper collection of user profiles by platforms is a typical behavior that may harm the legitimate rights of non-specific individuals. User profiling involves creating a model that reflects users’ personal characteristics by collecting, aggregating, and analyzing personal information to predict or infer the characteristics of a specific individual23. User profiling, which enables the provision of tailored services based on individual characteristics, has become a powerful tool for digital economy enterprises to push business information. However, this process can easily infringe on the privacy rights of non-specific consumers. The fundamental reason is the imbalance of information between data handlers and users. Specifically, data handlers can track and record the virtual addresses and time stamps of user profiles using algorithms, while consumers are often unaware of these actions. Therefore, given the extensive sources of user profiling data and the large number of consumers involved, improper collection and processing of data may violate the privacy of non-specific consumers and, in turn, damage the public interest.
In March 2023, the Supreme People’s Procuratorate published the Typical Cases on Procuratorial Public Interest Litigation for Personal Information Protection revealing a series of representative cases24. In both the legal framework for personal information protection and in judicial practices surrounding public interest litigation, the public interest nature of personal information protection was legally confirmed.

4.2.3. Implementation Path of Anti-Monopoly Public Interest Litigation for Data Privacy

The harm to competition addressed by the Anti-Monopoly Law is closely tied to the protection of public interests in civil public interest litigation. The amended Anti-Monopoly Law of China explicitly introduces the system of civil public interest litigation in anti-monopoly cases, stipulating that “where undertakings engage in monopolistic practices and harm the public interest, the people’s procuratorates at or above the level of city divided into districts may institute civil public interest litigation to the people’s courts in accordance with the law”25. In addition, the Notice on Implementing the Anti-Monopoly Law of the People’s Republic of China and Actively and Steadily Carrying Out Public Interest Litigation Procuratorial Work in the Anti-Monopoly Field, issued by the Supreme People’s Procuratorate, stresses the importance of fully understanding the significance of these new provisions on procuratorial public interest litigation. The notice urges targeted efforts in anti-monopoly public interest litigation, particularly in cases of serious infringements on consumer rights and interests26.
In this context, the scope of damage to competition under the Anti-Monopoly Law is expected to be appropriately adjusted and expanded, especially in relation to the digital economy and specific cases. The assessment of price competition factors could give greater consideration to the analysis of harms related to privacy protection and consumer choice. Beyond the traditional focus on economic efficiency in anti-monopoly competition damage theory, the scope of civil procuratorial public interest litigation under the Anti-Monopoly Law should be broadened. This expanded scope would encompass monopolistic behaviors, including platform monopolies, that harm broader public interests such as the right to fair transactions, consumer choice, personal information rights, and public health. Such an approach aligns with the role of prosecutors as representatives of the public interests (Wu 2024).
Article 60 of the Anti-Monopoly Law states that the people’s procuratorates at or above the municipal level in the districts where they are located may initiate anti-monopoly civil public interest litigation. While this provision limits the prosecutorial authority to municipal-level procuratorates and above—helping to prevent litigation abuse—it also limits the scope of those able to initiate civil public interest litigation in anti-monopoly cases. In the area of consumer protection, the Interpretation by the Supreme People’s Court of Several Issues Concerning the Application of Law to the Trial of Cases of Civil Public Interest Litigation in Consumption allows consumer associations to file civil public interest litigation against business operators who infringe upon the rights and interests of numerous non-specific consumers or engage in actions that damage the public interest27. The involvement of consumer associations in public interest litigation serves to protect consumers’ legitimate rights and interests. The positive social outcomes they have achieved offer valuable insight for the future development of anti-monopoly civil public interest litigation concerning data privacy. Going forward, consumer associations could be included within the scope of those able to initiate litigation, working alongside procuratorial authorities to safeguard consumers’ data privacy.

4.3. Technology Perspective: Establishing Data Flow Tracking Systems

“Data tracking” refers to the process of monitoring and recording the flow and usage of data across different entities, systems, or borders. Tracking data flows is crucial for ensuring the security of data subjects, ensuring that data flow remains within a reasonable scope, and protecting the legitimate rights and interests of data stakeholders. Establishing a robust data tracking mechanism is essential to ensure secure data flow. The author suggests introducing provisions for the data flow tracking system, designating various tracking subjects under the overall coordination of competent authorities, defining the scope of data tracking, and outlining how derivative data should be handled in the Guide for the Security of the Cross-domain Control of data flows.

4.3.1. Clarifying Multi-Party Tracking Subject

The requirements for classification and grading management of data security protection should be enhanced at the national level, alongside the establishment of a data leakage notification system and the formulation of supporting regulations or guidelines for data leakage management. Provincial data administrations can serve as the entities responsible for tracking data flow, sharing data through provincial government information-sharing platforms, public data networks, and other data platforms. Furthermore, as data flow involves aspects of anti-monopoly supervision, consumer protection, and the safeguarding of data rights and interests, the subjects involved in data tracking should also include cyberspace administrations, market regulation bodies, and other relevant agencies. The provincial data bureau should play a central role in coordinating the overall planning and execution of data flow tracking, potentially establishing a system of joint working meetings on data flow, convened and presided over by the provincial data bureaus (Wang 2021).

4.3.2. Authorizing Trackable Scope

In the process of tracking data flows, tracking entities shall comply with Article 27 of the Cyber Security Law without engaging in any activities endangering cybersecurity, such as stealing network data, and shall ensure that the tracking technologies they apply do not steal network data outside the agreed scope of tracking28. If, during tracking, machines inadvertently capture network data outside the agreed scope, the tracking entities must immediately notify the relevant transaction subjects and authorities. Provincial data bureaus should implement relevant technical measures for data security protection in accordance with classification and grading requirements, to prevent data loss, falsification, or leakage. Additionally, the relevant databases should be updated promptly, and both a subject database and a label database of data information should be established.

4.3.3. Stipulating the Ownership of Derivative Data

Derivative data, generated through the informatization process, possesses product value and intellectual achievements. To some extent, derivative data mitigates the risks associated with the intersection of personal and public interests, while meeting the demand of data buyers in purchasing data (Tian 2022). In order to better protect derivative data and prevent its misuse, the ownership and usage rights of derivative data should be clearly specified in relevant transaction documents. The derivative data generated through data flow tracking should be considered independent of the data subjects, with the rights to the derivative data belonging to the parties involved in the data transaction. Entities involved in data tracking should not use the tracked derivative data without prior permission.

4.4. International Perspective: Exploring a Cooperation Mechanism for Cross-Border Data Flows

4.4.1. Establishing a Safety Valve Mechanism for Cross-Border Data Flows Under the Principle of Data Sovereignty

The concept of “data sovereignty” has gained significant recognition at the national level in China in recent years. In August 2015, the State Council issued the Outline for Promoting the Development of Big Data, which emphasized the importance of “data security.” While the Data Security Law does not explicitly mention “data sovereignty”, Article 1 underscores the protection of national sovereignty, implicitly affirming China’s claim to sovereignty over data. Upholding the principle of data sovereignty is crucial for promoting data flow, thereby enhancing both the commercial and public value of data. In the context of cross-border data flows, it is essential to recognize that the state retains sovereignty over its data, controlling the movement of data both inward and outward. China’s National Security Law stipulates that cross-border data transfers must not undermine national security and establishes the principle of “informed consent” for such transmissions. Additionally, the Guide for Data Export Security Assessment (Draft for Comments) outlines national standards for assessing the security of data exports. As data flow continues to drive the growth of data-related industries, China must strengthen the security management of cross-border data transfers, assert its sovereignty over data, optimize the allocation of data resources, and strike a balance between facilitating cross-border data flows and ensuring localized data storage.
The establishment of a safety valve mechanism for cross-border data flows, based on the principle of data sovereignty, aligns with China’s broader foreign policy position. Such a mechanism would facilitate the orderly circulation of data while preventing sensitive data—such as ethnic and genetic information—from being transmitted abroad. Before engaging in cross-border data flows, data users should conduct both self-examination and self-assessment. First, it is recommended that a classification and grading management scheme for cross-border data be formulated. This scheme should clearly define which types of data can be circulated across borders and which are prohibited, establish white and negative lists for cross-border data flow, and identify behaviors that could impede the free flow of data, such as information leakage and unfair competition in data management (Ma and Su 2023).
Secondly, before cross-border data flow occurs, the data should undergo both self-audit and external audit assessments. On one hand, data users should perform self-assessments to ensure that the data have been anonymized and de-identified to prevent infringements on individual privacy. They should also verify that the data do not contain sensitive information, such as ethnogenetic data, and confirm that the data will not pose national security risks when transmitted abroad. On the other hand, supervisory authorities should conduct external audits of the data to ensure compliance. This audit should focus on whether the data have been properly de-identified, whether they contain sensitive genetic information, and whether they may pose a national security threat. Only after confirming that the data meet these criteria should they be allowed for cross-border circulation.
Thirdly, blockchain technology can be utilized to create dedicated storage spaces for data designated for cross-border circulation. This ensures that the original data cannot be tampered with during the circulation process, thereby safeguarding the security and credibility of data as it moves across borders.
Finally, it is worth exploring the establishment of a two-way cross-border data flow mechanism to facilitate the exchange of high-quality foreign data. For example, in the pharmaceutical industry, China’s research and development efforts are largely focused on generic drugs, relying on the test data of foreign patented drugs. A two-way cross-border circulation mechanism would create a channel for the inflow of foreign patented drug test data into China, incentivizing foreign pharmaceutical companies to share such data, and thus advancing the development of generic drugs in China. This would, in turn, enhance the innovative capacity of China’s drug industry.
In 2021, the European Data Protection Board (EDPB) issued Recommendations 01/2020 on supplementary measures to ensure compliance with EU-level protection of personal data, particularly in the context of cross-border data flow. This included the principle of “substantially equivalent protection.” China can draw on the European experience and adopt the principle of substantially equivalent protection for cross-border data flows, introducing supplementary measures if the recipient country fails to meet these protection standards.

4.4.2. Participating in Developing International Rules for Cross-Border Data Flows

In recent years, as a major creator and consumer of data, China has actively engaged in international cooperation on data-related issues, contributing to the development of global digital economy rules and injecting new momentum into the prosperity of the digital economy worldwide. In September 2020, China proposed the Global Data Security Initiative, urging all countries to maintain an open, fair, and non-discriminatory business environment that fosters mutual benefits and common development. In July 2024, China and Germany signed the Memorandum of Understanding on Sino-German Cooperation on Cross-border Data Transfer29. These efforts highlight China’s recognition of the importance of cross-border data cooperation and its commitment to promoting the safe and orderly transfer of data across the world.
In addition to data trading centers, cross-border data transfer can also be facilitated through digital trade ports. In March 2024, the Cyberspace Administration of China issued the Provisions on Promoting and Regulating Cross-border Data Transfer, granting pilot free trade zones the authority to implement policies that facilitate cross-border data transfer30. Currently, China has initiated the construction of data trade ports, establishing digital trade ports within the Hainan Pilot Free Trade Zone31, the Beijing Pilot Free Trade Zone32, and the Shanghai Pilot Free Trade Zone33. The advanced development of digital trade ports is crucial for expanding the nation’s opening up and fully unlocking the potential of data elements to develop new quality productivity.
At present, the primary focus of promoting cross-border data flows is the formulation of administrative regulations governing data transfers. This includes enhancing the data security obligations of data holders and establishing industry-specific rules for cross-border data transfer that balance data flow with data security. For example, medical data, which may include sensitive genetic information or other ethnically significant data, currently lacks international regulations governing its compliance in cross-border transfers. Furthermore, issues surrounding the authenticity and completeness of data—such as drug trial data—may lead to information asymmetry between domestic and international entities. Therefore, it is crucial to reach a common understanding while accommodating differences in regulatory frameworks, and to collaboratively develop comprehensive and interconnected administrative regulations for the cross-border transfer of medical data, ensuring clear compliance standards. In the future, China should focus on the high-quality implementation of the Regional Comprehensive Economic Partnership (RCEP), while proactively engaging with the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), as well as other international trade agreements with high standards. By doing so, China can further deepen international cooperation in the cross-border flow of data and contribute to the establishment of global rules for cross-border data flow and trade, ultimately promoting the healthy development of the global digital economy.

5. Summary

Data flow is a defining feature of the digital age, and as data handling activities become increasingly frequent, the importance of privacy protection will only grow. By analyzing the legislative framework and judicial practices regarding privacy protection in data flows in China, it becomes clear that the key to balancing data flow with privacy protection is to grant individuals more rights to safeguard their privacy. In the future, China should consider enhancing the relevant legal systems, including clarifying standards for data anonymization, optimizing the informed-consent framework by strengthening the disclosure obligations of enterprises, refining data classification and grading standards, and establishing a multi-party coordinated regulatory mechanism. From a judicial perspective, due to the public nature of data privacy infringements, introducing anti-monopoly civil public interest litigation could provide an effective tool for protecting privacy in the context of data flows.
Technically, a data flows tracking system should be established to clarify the subjects and scope of data tracking and define the ownership of derivative data. Internationally, it is essential to explore mechanisms for cross-border data transfer cooperation, uphold the principle of data sovereignty, and participate in formulating international rules for cross-border data transfer. These measures are intended to achieve the dual objectives of promoting data flows while protecting data privacy and security.

Author Contributions

Conceptualization, methodology, writing—original draft preparation, B.C. and L.Y.; project administration, B.C; data curation, Y.L.; writing—review and editing, B.C., L.Y. and Y.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the major project in Judicial Research of Supreme People’s Court of P.R.C. (grant number ZGFYZDKT202317-03).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created.

Conflicts of Interest

The authors declare no conflict of interest.
1
Data was first included as a new factor of production in the Fourth Plenary Session of the 19th CPC Central Committee in 2019.
2
S Lin, Global Times China to introduce ‘Data Element X’ plan to unlock data’s multiplier effects in diverse scenarios: official, 25 November 2023. Available online: https://www.globaltimes.cn/page/202311/1302484.shtml (accessed on 20 June 2024).
3
Chinese government’s website: https://www.gov.cn/lianbo/bumen/202401/content_6924380.htm (accessed on 20 June 2024).
4
GMW.cn: Data transactions reached RMB 87.7 billion; National Data Bureau has new deployment plans. Available online: https://baijiahao.baidu.com/s?id=1783670322688616692&wfr=spider&for=pc (accessed on 20 June 2024).
5
Qianzhan Industry Research Institute: Foresight 2024: The market size, competition landscape and prospects of China’s data exchange industry predicted to exceed RMB 440 billion in the future.
6
See footnote 3 above.
7
Section 6.1 of National Standard of the People’s Republic of China–Information Security Technology–Security Requirements for Data Transaction Services.
8
Fujian Provincial People’s Government: How to realize the value of big data? First transaction of a healthcare data product completed on Fujian’s exchange. Available online: https://www.fj.gov.cn/zwgk/ztzl/sxzygwzxsgzx/sdjj/szjj/202403/t20240317_6415453.htm (accessed on 20 June 2024).
9
Industry and Planning Institute of China Academy of Information and Communication technology, Beijing International Big Data Exchange: Business Procedures on Data Cleaning, De-identification and Anonymization (for Trial Implementation). Available online: http://www.caict.ac.cn/kxyj/qwfb/ztbg/202311/P020231117626922388674.pdf (accessed on 20 June 2024).
10
Beijing Municipal Intellectual Office: Administrative Measures for the Registration of Data Intellectual Property Rights in Beijing (for Trial Implementation). Available on: https://zscqj.beijing.gov.cn/zscqj/zwgk/tzgg/326121372/index.html (accessed on 20 June 2024).
11
Market Supervision Administration of Zhejiang Province (Intellectual Property Office): Measures for the Registration of Data Intellectual Property Rights in Zhejiang Province (for Trial Implementation). Available on: http://zjamr.zj.gov.cn/art/2023/5/31/art_1229565162_2478832.html (accessed on 20 June 2024).
12
Paragraph 4 of Article 9 of the Anti-Unfair Competition Law (2019): For the purpose of this Law, “trade secret” means technical, operational or other commercial information unknown to the public and is of commercial value for which the right holder has taken corresponding confidentiality measures.
13
Article 21 of the Data Security Law of the People’s Republic of China.
14
Article 51 of the Personal Information Protection Law of the People’s Republic of China.
15
Articles 5, 9, and 26 of the Administrative Regulations on Network Data Security (Draft for Comments).
16
(2020) Zhe 0192 Min Chu No. 4252, Hangzhou Internet Court.
17
(2019) Zhe 0111 Min Chu No. 6971.
18
(2020) Zhe 01 Min Zhong No. 10940, Hangzhou Intermediate People’s Court.
19
pkulaw.com is an intelligent one-stop search platform for legal information jointly launched by Chinalawinfo Co., Ltd. and Peking University Center for Legal Information. Now, pkulaw.com has a wide range of users in China, including law firms, enterprises, courts, government agencies, financial and securities institutions, colleges and universities.
20
Notice of the Supreme People’s Court on the Decision to Amend the Provisions on the Causes of Civil Cases. Fa [2020] No. 346. Available on: https://www.chinacourt.org/law/detail/2020/12/id/150217.shtml (accessed on 20 June 2024).
21
Beijing Municipal People’s Government Website: https://www.beijing.gov.cn/ywdt/gzdt/202403/t20240312_3586932.html (accessed on 20 June 2024).
22
Data security technology—Rules for data classification and grading. Available on: https://www.tc260.org.cn/upload/2024-03-21/1711023239820042113.pdf (accessed on 20 June 2024).
23
Information Security Technology—Personal Information Security Specification (GB/T 35273-2017 2017).
24
Online Publishing Office of the Supreme People’s Procuratorate: Supreme Procuratorate Releases Typical Cases of Procuratorial Public Interest Litigation in Personal Information Protection to Protect Personal Biometric characteristics informationBiometric characteristics information. Available on: https://www.spp.gov.cn/spp/xwfbh/wsfbt/202303/t20230330_609756.shtml#1 (accessed on 20 June 2024).
25
Article 60 of the Anti-Monopoly Law of the People’s Republic of China.
26
Supreme People’s Procuratorate: Notice on Implementing the Anti-Monopoly Law of the People’s Republic of China and Actively and Steadily Carrying Out Prosecution of Public Interest Litigation in the Field of Anti-Monopoly. Available on: https://www.spp.gov.cn/spp/xwfbh/wsfbh/202208/t20220801_569635.shtml (accessed on 20 June 2024).
27
Article 1 of the Interpretation of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Hearing of Consumer-Related Civil Public Interest Litigation.
28
Article 27 of the Network Security Law of the People’s Republic of China.
29
Chinese government’s website: Promoting Bilateral and Multilateral Consultations and Participating in International Rulemaking China Actively Promotes International Cooperation on Cross-Border Data Transfer. Available on: https://www.gov.cn/yaowen/liebiao/202407/content_6962453.htm (accessed on 22 June 2024).
30
Chinese government’s website: Provisions on Promoting and Regulating Cross-border Data Transfer [Order No. 16 of the Cyberspace Administration of China. Available on: https://www.gov.cn/gongbao/2024/issue_11366/202405/content_6954192.html (accessed on 22 June 2024).
31
Chinese government’s website: The State Council of the CPC Central Committee Issues Overall Program for the Construction of Hainan Free Trade Port. Available on: https://www.gov.cn/zhengce/2020-06/01/content_5516608.htm (accessed on 22 June 2024).
32
Chinese government’s website: Boosting High-Quality Development of Digital Economy, Beijing Takes the Lead in Realizing Secure and Easier Cross-Border Data Transfer. Available on: https://www.gov.cn/lianbo/difang/202401/content_6925023.htm (accessed on 22 June 2024).
33
National Development and Reform Commission of the People’s Republic of China: Lingang New Area: Building an International Data Port to Create a Hub Platform for Global Data Convergence and Transfer. Available on: https://www.ndrc.gov.cn/xwdt/ztzl/cjsjyth1/xwzx/202112/t20211226_1309885.html (accessed on 22 June 2024).

References

  1. Chen, Bing. 2023. Building a Scientific Data Element Trading System. People’s Forum: Academic Frontier 6: 66–78. [Google Scholar]
  2. Chen, Bing, and Guangkun Guo. 2022. The Positioning and Rules of Data Classification and Grading—An Expansion Centered on the Data Security Law. Studies on Socialism with Chinese Characteristics 3: 50–60. [Google Scholar]
  3. Chen, Bing, and Yongji Liu. 2024. Promotion and Advancement of Data Security Governance in China. Electronics 13: 1905. [Google Scholar] [CrossRef]
  4. Ehimuan, Benedicta, Ogugua Chimezie, Onyinyechi Vivian Akagha, Oluwatosin Reis, and Bisola Beatrice Oguejiofor. 2024. Global data privacy laws: A critical review of technology’s impact on user rights. World Journal of Advanced Research and Reviews 21: 1058–70. [Google Scholar] [CrossRef]
  5. Farayola, Oluwatoyin Ajoke, Oluwabukunmi Latifat Olorunfemi, and Philip Olaseni Shoetan. 2024. Farayola, Oluwatoyin Ajoke, Oluwabukunmi Latifat Olorunfemi, and Philip Olaseni Shoetan. 2024. Data privacy and security in it: A review of techniques and challenges. Computer Science & IT Research Journal 5: 606–15. [Google Scholar]
  6. Feng, Yang. 2023. Administrative Licensing Nature and Institutional Development Direction of Authorized Operation of Public Data. E-Government 6: 77–87. [Google Scholar]
  7. GB/T 35273-2017. 2017, Information Security Technology—Personal Information Security Specification. Beijing: National Technical Committee 260 on Cybersecurity of Standardization Administration of China.
  8. Hong, Yanqing. 2021. Data Classification and Grading Protection in the Vision of National Security. China Law Review 5: 71–78. [Google Scholar]
  9. Kong, Xiangjun. 2019. New Principles of the Anti-Unfair Competition Law (Sub-Theory). Beijing: Law Press, p. 377. [Google Scholar]
  10. Liang, Zeyu. 2018. Interpretation and Application of the Purpose Limitation Principle in Personal Information Protection. Journal of Comparative Law 5: 16–30. [Google Scholar]
  11. Ma, Zhongfa, and Jingyi Su. 2023. On Challenges and Solutions of Jointly Building a China-ASEAN Cross-Border Data Flow Governance Cooperation Mechanism under the RCEP Framework. Social Sciences in Guangxi 8: 77–84. [Google Scholar]
  12. Patterson, Mark R. 2022. Antitrust Law in the New Economy Google, Yelp, Libor, and the Control of Information. Translated by Lei Lan. Beijing: Law Press, p. 55. [Google Scholar]
  13. Tian, Dazhi. 2022. Jurisprudential Evidence of Derivative Data Rights in Digital Society. Xuexi and Shijian 8: 44–50. [Google Scholar]
  14. Wang, Xixin. 2021. The Obligation of State Protection of Personal Information and its Development. China Law Science 1: 145–66. [Google Scholar]
  15. Wu, Peicheng. 2024. The Interpretive Theory of Anti-Monopoly Civil Prosecution Public Interest Litigation System. Modern Law Science 2: 74–87. [Google Scholar]
  16. Xie, Zhengshan. 2020. Research on the Damage of Data Leakage. Tsinghua University Law Journal 4: 140–58. [Google Scholar]
  17. Yadav, Neel, Saumya Pandey, Amit Gupta, Pankhuri Dudani, Somesh Gupta, and Krithika Rangarajan. 2023. Data privacy in healthcare: In the era of Artificial Intelligence. Indian Dermatology Online Journal 14: 788–92. [Google Scholar] [CrossRef]
  18. Yin, Chuanru, Tao Jin, Peng Zhang, Jianmin Wang, and Jiayi Chen. 2021. Assessment and Pricing of Data Asset Value: Research Review and Outlook. Big Data Research 7: 14–27. [Google Scholar]
  19. Yin, Jiguo. 2020. Legal Regulations of Abuse of Market Dominance by Big Data Operators. Studies in Law and Business 4: 73–87. [Google Scholar]
Table 1. Number of Cases with the Cause of Action of “Personal Information Protection and Privacy Rights” Handled by Chinese Courts from January 2021 to June 2024 (Unit: piece) *.
Table 1. Number of Cases with the Cause of Action of “Personal Information Protection and Privacy Rights” Handled by Chinese Courts from January 2021 to June 2024 (Unit: piece) *.
Year2024202320222021Total
Types of Judicial DocumentsJudgments2225357134277
Letter of Ruling5366240143
Mode of LitigationCivil Private Interest Litigation75810297264277
Civil Public Interest Litigation0013013
* Data source: pkulaw.com (accessed on 20 June 2024).
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Yang, L.; Lin, Y.; Chen, B. Practice and Prospect of Regulating Personal Data Protection in China. Laws 2024, 13, 78. https://doi.org/10.3390/laws13060078

AMA Style

Yang L, Lin Y, Chen B. Practice and Prospect of Regulating Personal Data Protection in China. Laws. 2024; 13(6):78. https://doi.org/10.3390/laws13060078

Chicago/Turabian Style

Yang, Liping, Yiling Lin, and Bing Chen. 2024. "Practice and Prospect of Regulating Personal Data Protection in China" Laws 13, no. 6: 78. https://doi.org/10.3390/laws13060078

APA Style

Yang, L., Lin, Y., & Chen, B. (2024). Practice and Prospect of Regulating Personal Data Protection in China. Laws, 13(6), 78. https://doi.org/10.3390/laws13060078

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop