I. Introduction: Regulatory Convergence and Divergent Enforcement in Personal Data Protection
In recent years, the EU General Data Protection Regulation (GDPR) has exerted a profound influence on the development of personal data protection legislation worldwide, gradually emerging as a key reference point for regulatory design across multiple jurisdictions. Building on this framework, the European Union adopted the Regulation on Harmonised Rules on Fair Access to and Use of Data (the “Data Act”) on 22 December 2023. The Data Act entered into force on 11 January 2024 and became fully applicable as of 12 September 2025. Within the EU data governance architecture, while the GDPR focuses on the protection and lawful processing of personal data, the Data Act aims to facilitate the circulation and sharing of data—both personal and non-personal—among businesses, users, and public authorities.
China’s current data protection framework, primarily composed of the Personal Information Protection Law (PIPL) and the provisions on personal information protection under the personality rights parts of the Civil Code, exhibits notable structural similarities to the EU data governance regime in terms of fundamental principles, individual rights, and compliance mechanisms. This convergence has prompted ongoing discussions as to whether China’s personal information protection regime merely “copies” EU data protection rules.
From the perspective of comparative law and regulatory practice, however, such similarities are better understood as institutional borrowing and regulatory convergence rather than a straightforward normative transplant. Although Chinese data protection legislation has clearly drawn upon the EU’s mature regulatory experience in legislative technique and structural design, its underlying regulatory logic, enforcement model, and policy objectives remain deeply shaped by China’s administrative governance system and broader national data governance framework. Understanding how Chinese regulators have borrowed from, adapted, and diverged from EU data protection rules is therefore essential for accurately assessing Chinese data compliance requirements and associated corporate compliance risks.
II. What Chinese Regulators Have Borrowed: Structural Alignment of Regulatory Frameworks
From a textual and structural perspective, China’s data governance framework demonstrates a high degree of alignment with that of the European Union.
First, with respect to fundamental processing principles, the two regimes are largely consistent. The PIPL expressly establishes the principles of lawfulness, legitimacy, and necessity, while emphasizing purpose limitation, data minimization, and transparency—principles that closely mirror the core processing requirements under the GDPR. Second, in terms of individual rights, the PIPL sets out a rights framework that is highly comparable to that of the GDPR, including the rights to access, copy, rectify, and delete personal information, as well as the rights to restrict or refuse processing and to withdraw consent. This rights-based design enhances the formal compatibility of corporate compliance frameworks across jurisdictions. Third, regarding compliance mechanisms and organizational obligations, the PIPL clearly incorporates mature GDPR concepts, such as the designation of a personal information protection officer, data breach notification requirements, and internal compliance management and accountability mechanisms.
From this perspective, it is objectively accurate to characterize the PIPL as reflecting a form of “regulatory borrowing” from the GDPR. More precisely, Chinese regulators have chosen a regulatory starting point that is structurally aligned with the EU’s data protection framework.
III. Fundamental Differences Beneath Similar Rules: Divergent Regulatory Logics
Despite surface-level similarities, China’s data governance regime differs materially from that of the EU in regulatory logic and enforcement pathways, and these differences are often underestimated in corporate compliance practice.
First, the two regimes reflect distinct normative orientations. The GDPR is fundamentally a rights-based instrument, centered on the protection of individual autonomy and supported by robust judicial remedies. While the PIPL likewise emphasizes the protection of personal rights and interests, it places greater emphasis on balancing personal data protection with considerations of national security and public interests. Data order and risk governance are primarily achieved through administrative regulation, closely integrated with broader objectives of national data security and social governance. Second, enforcement models diverge significantly. The EU data protection framework relies on relatively independent data protection authorities, complemented by judicial oversight. In contrast, enforcement of personal information protection in China is predominantly administrative in nature, characterized by sectoral supervision and inter-agency coordination. Enforcement priorities tend to focus on platform governance, prevention of data misuse, and systemic risk rectification.
IV. Why Borrow from the EU Data Governance Model: Regulatory Rationality Rather Than Passive Imitation
China’s decision to reference the EU data governance framework, particularly the GDPR, does not reflect regulatory dependence, but rather a rational and strategic institutional choice. On the one hand, the GDPR has become the most influential global template for data protection regulation. Drawing upon its mature structure reduces legislative costs and provides a degree of familiarity for multinational enterprises operating across jurisdictions. On the other hand, such “copying” enables Chinese regulators to rapidly construct a comprehensive regulatory toolkit and strengthen enforcement authority. In this sense, borrowing from the GDPR reflects considerations of regulatory efficiency and institutional legitimacy, rather than a simple replication of foreign rules.
V. Implications for Enterprises: Similar Rules Do Not Imply Identical Compliance Pathways
For enterprises, the similarities between China’s data governance framework and that of the EU present both opportunities and risks. Companies with existing GDPR compliance structures may benefit from a degree of institutional continuity. However, reliance on GDPR experience alone when assessing China-specific compliance obligations may lead to an underestimation of the practical impact of administrative enforcement and cross-border data transfer controls.
Accordingly, corporate personal data compliance strategies in China should be grounded in an understanding of Chinese regulatory priorities and enforcement expectations, rather than in textual similarities between legal regimes. Similar rules do not necessarily produce similar compliance outcomes.