Abstract

    This Article makes an in-depth comparative and empirical study on China’s personal data protection legal system and its public enforcement at the state and local levels. The 2016 Cybersecurity Law and the 2021 Personal Information Protection Law (PIPL) regulate important personal data protection issues such as public interests’ protection and very large online platforms’ (VLOPs) gatekeeper mechanism. China’s regulatory focus has shifted from network infrastructure construction to cybersecurity and personal data protection. Unlike the U.S. and the EU, China has delegated law enforcement to the Cyberspace Administration of China (CAC) and the Ministry of Industry and Information Technology (MIIT) under a unique twin peaks model at the state level. The CAC and local agencies focus on regulating data processors based on catch-all provisions, while the MIIT focuses on regulating app developers’ activities, such as the collection and use of personal data. At the local level, China decentralized regulatory powers to local governmental agencies. In the public enforcement of data protection laws, the EU, the U.S. and China have divergent institutional structures and administrative penalties. These divergences are caused by China’s political and economic context, especially the national strategy to facilitate the development of VLOPs for global competition. China’s public interests are embodied in the ideological censorship and national security review of users’ information by data processors. It is concerning that the Chinese government might enlarge their control over the dissemination of information. China should learn from the EU’s experience in tackling specific problems of automated decision-making. To supervise the gatekeepers, Chinese law needs to strike a balance between encouraging the development of VLOPs and protecting personal data.