The Cross-Border Data Forum is pleased to announce that the 2022 CBDF Student Paper Competition was won by Jackson Colling, a third-year law student at American University Washington College of Law (WCL). Mr. Colling receives a prize of $5,000 for the best paper on government access to data that involves cross-border issues.
Jackson Colling’s paper is entitled “China’s Personal Information Protection Law: A Threat to Cross-Border Data Flows and the Citizens it is Supposed to Protect,” and the paper is published below.
At WCL, Jackson Colling is a Student Fellow for the Tech, Law and Security Program (TLS) and is the Executive Editor for the National Security Law Brief (NSLB). He graduated with honors from Rollins College where he majored in international relations and minored in political science and history. In May 2022, he commissioned with the U.S. Navy and will serve as a Judge Advocate in the U.S. Navy JAG Corps upon graduating law school.
The competition was administered by Dale Skivington, who was President of CBDF until she stepped down at the end of 2022, and Sandra Hughes, the Treasurer of CBDF. Papers were solicited from an international set of law and other graduate schools. Dale Skivington states: “I was impressed by the sophistication of the winning paper, which shows that laws passed in the name of protection of personal privacy may have unintended, negative consequences.” Sandra Hughes notes: “CBDF sponsored this competition to promote greater attention to critical issues about government access to personal data. We hope that additional students, academics, and others will focus continued attention on these issues, and welcome their submissions to publish with the CBDF.”
The Cross-Border Data Forum congratulates Jackson Colling for his academic contribution.
* * *
China’s Personal Information Protection Law: A Threat to Cross-Border Data Flows and the Citizens it is Supposed to Protect
American University Washington College of Law, 2023
China’s Personal Information Protection Law (hereinafter referred to as “the PIPL”) aims to strengthen the Chinese Communist Party’s (CCP) grip on China’s population under the guise of national security and privacy protection through data localization requirements, thus adversely impacting cross-border data flows and Chinese citizens.
The PIPL is the third and final legislative installment of China’s sweeping effort to tighten control of cyberspace within China. In concert with the Cybersecurity Law (hereinafter referred to as “the CSL”) and Data Security Law (hereinafter referred to as “the DSL”), China has created a legal framework that restricts the flow of data to entities outside of mainland China while providing maximum access to Chinese state actors. The PIPL builds upon these laws by enacting costly and narrow data transfer mechanisms and strict data localization requirements. This will create barriers and costs for organizations engaging in cross-border data transfers and greatly reduce data flows. Forcing data localization in mainland China will also assist state actors in the mass surveillance of its population, reducing Chinese citizens’ already-minimal privacy and increasing the CCP’s repression.
This paper will further explore these impacts through analyzing the PIPL’s provisions within the context of the CCP’s authoritarian governance.
The idea that “data is the new oil” has garnered mixed reactions over its merits. Wherever one stands on the belief spectrum, it’s hard to deny data’s importance in today’s global society. Data spurs growth and innovation, transforming economies. It also provides companies and governments with insights into the most personal aspects of peoples’ lives. To that end, states and regional blocs are now adopting legal frameworks and agreements to regulate data privacy and, in turn, cross-border data flows.
These frameworks are generally cast as attempts to protect the rights and interests of the individuals within the scope of the respective law. Some of these frameworks, such as the European Union’s GDPR and Japan’s Act on Protection of Personal Information, arguably carry greater legitimacy in their stated aims given their democratic governance systems and genuine values of human rights. Other frameworks claiming similar aims lack such legitimacy due to the framework’s text and consequences and the enacting entity’s domestic and geopolitical context. One such entity is China.
Within the last five years, China has enacted three major cybersecurity laws–the CSL, DSL, and PIPL–that form a cyber governance framework that will have profound impacts on cross-border data flows and the privacy of Chinese citizens. The most recent of these laws, the PIPL, is the driving force behind the framework, entrenching cyberspace sovereignty and influencing global commerce by restricting cross-border data flows and enhancing domestic surveillance on its population through strict data localization requirements and the threat of severe penalties.
While the PIPL and its impacts will be the primary focus of this paper, it is imperative that any discussion of the PIPL be done within China’s geopolitical context, authoritarian governance, and the PIPL’s companion laws–the CSL and DSL. Below, I will provide an overview of China’s legal framework, touching on its cultural view on privacy, relevant articles of the CSL and the DSL, and an overview of the PIPL. I will then address the implications of the PIPL on cross-border data flows and the privacy of Chinese citizens, concluding that the PIPL, through data localization, significant barriers and costs, and the threat of severe penalties, will adversely impact cross-border data flows and the privacy of Chinese citizens.
China’s Legal Framework
China’s cybersecurity framework is centered around national security and state sovereignty. This framework is primarily composed of three laws: the CSL, DSL, and PIPL. These laws were drafted and implemented largely under the guise of securing individuals’ personal information, falling in line with global data protection frameworks, and preserving national security. While the laws have been enacted, many ambiguities remain. Much depends on how these laws will be implemented and that is mostly yet to be seen. The following will provide context for China’s cybersecurity framework by briefly explaining its cultural view on privacy, then briefly discussing the CSL, DSL, and PIPL.
China’s View on Privacy
Chinese concepts of privacy are fundamentally different than western concepts of privacy. Li-Ming Wang, a data privacy advisor to the CCP, discussed privacy at a 2017 privacy conference, mentioning “in Confucius theory, people emphasized their interpersonal relationships…and we often covered up secrets of relatives and friends not to protect privacy but to protect the family reputation.” He explained how the concept of privacy, in the western sense, has always been viewed as negative in China, as if it insinuates that one has something to hide. Western notions of privacy allow for autonomy and individuality, notions that Chinese society largely rejects due to ingrained cultural teachings that the government serves as a moral influence on individuals and the separation between government and the individual should be nearly nonexistent.
This view is foreign to westerners. Americans enshrined privacy, specifically against the government, in the Fourth Amendment of the U.S. Constitution and view the home as one’s castle where nobody, especially not the government, should intrude. Meanwhile, Europeans’ view of privacy focuses on dignity, respect, and public image through “the right to control the sorts of information disclosed about oneself.”
These distinct views of privacy are fundamental in understanding each states’ privacy framework. It helps explain the European Union’s GDPR, the lack of U.S. regulation, and will inform our understanding of China’s strict privacy framework.
Cybersecurity Law (CSL)
The CSL took effect in 2017 and forms the base of China’s cybersecurity framework. The CSL is marked by ambiguity, however, it is abundantly clear in one aspect–it is about national security and cyberspace sovereignty. Article one highlights these themes stating that it was “formulated in order to: ensure cybersecurity; safeguard cyberspace sovereignty and national security, and social and public interests” among aims. While the terms of this article lack real specifics, the law’s enforcement mechanisms and requirements illuminate how the CCP seeks to promote national security and cyberspace sovereignty.
The CSL contains measures that provide the CCP with near unfettered access to all networks in mainland China. It applies to “network operators” and businesses in critical sectors, which essentially covers all businesses operating in China. Article 50 provides the legal basis for accessing such networks, providing that state entities shall “perform network information security supervision and management responsibilities in accordance with law.” Further, article nine requires network operators and businesses “accept supervision from the government and public” while article 69 provides fines for “refusal or obstruction of the competent departments in their lawful supervision and inspection” and refusal “to provide technical support and assistance to public security organs and state security organs” among others.
The CSL also requires certain data to be localized. Article 37 requires “critical information infrastructure operators [CIIOs] that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China [to] store [that information or data] within mainland China.” If transferring data abroad is absolutely necessary for an entity, it must undergo a security assessment conducted by State cybersecurity and informatization departments.
This law provides the legal basis for the CCP to actively monitor essentially all businesses, foreign and domestic, by requiring companies to keep their data in mainland China and submit to constant surveillance by invoking national security and safeguarding cyberspace sovereignty.
Data Security Law (DSL)
The DSL came into effect in September 2021 and built upon the CSL. It primarily focuses on data handling activities but does so with a strong emphasis on safeguarding national sovereignty, security, and developmental interests by expanding on data localization and transfer rules. Specifically, article 36 prohibits the transfer of any data stored in mainland China to foreign justice or law enforcement without express permission from PRC authorities; article 21, defines classification of “core national data” and leaves the classification of “important data” up to regional authorities; and article two expands the DSL’s application extraterritorially to data handling activities that “harm the national security, the public interest, or the lawful rights and interests of citizens or organizations” in China.
The main takeaway of the DSL is that it places greater restrictions on data “deemed to impair China’s national security and public interest.” National security and public interest, much like in the CSL, are left undefined, leaving organizations to interpret how those terms apply to their data handling activities. If organizations run afoul of this law, they face the potential for severe fines, suspension of business operations, and potential criminal liability.
Personal Information Protection Law (PIPL)
The PIPL came into effect two months after the DSL in November 2021. The PIPL’s primary focus is protecting the handling of peoples’ personal information who are within mainland China. The PIPL’s scope encompasses all persons and organizations, including state organizations, within mainland China and handlers operating outside of mainland China that are handling the data of persons within mainland China. PIPL mimics the GDPR in some provisions, however, it differs from it, and other privacy frameworks around the globe, in that it “has a distinct ‘national security’ flavor, particularly around its provisions on localization and cross-border transfers” which will distinguish its application from other privacy frameworks.
Data localization and cross-border transfers are specifically addressed in articles 38-43. Article 40 requires CIIOs and personal information handlers that handle a certain threshold of personal information to “store information collected and produced within the borders of the People’s Republic of China domestically.” It further requires a security assessment be conducted on CIIOs and the above personal information handlers when they need to provide personal information abroad. Those handlers are to be distinguished from personal information handlers that do not reach the personal information threshold set by the CAC and are not required to store all data locally. That requirement builds upon article 37 of the CSL discussed previously. Article 40 doesn’t specify what the security assessment entails, however, article eight of the draft version of the Outbound Data Transfer Security Assessment Measures states that the assessment “focuses on assessing the risks that outbound transfer activities may bring to national security, the public interest, and the lawful rights and interests of individuals and organizations.” The security assessment is performed by the State cybersecurity and informatization department, providing unlimited discretion to state authorities to interpret what constitutes national security and public interest. This is notably different from the GDPR which requires an independent supervisory authority, removing that responsibility from the central government.
In addition to a security assessment, personal information handlers may pursue three other paths when seeking to provide personal information outside of mainland China. Those options are to (1) “under[go] personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department”, (2) “[conclude] a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides”, or (3) any other laws, conditions, or regulations provided by the State cybersecurity informatization department. If a personal information handler succeeds in one of these procedures, it must then notify the subject of the personal information about the circumstances surrounding the transfer, obtain the subject’s consent, conduct a personal information impact assessment in accordance with article 56, and ensure the foreign receiving party has protection standards commensurate with PIPL.
Articles 41, 42, and 43 focus heavily on national security by targeting foreigners and other states. Article 41 strictly prohibits handlers from providing data that is stored in mainland China to foreign judicial or law enforcement authorities “without the approval of the competent authorities” of the PRC. Article 42 targets foreign handlers by permitting the State cybersecurity and informatization department to limit or even blacklist foreign handlers if they engage in acts violating the “personal information rights and interests” of Chinese citizens or if they harm China’s national security or public interest. Article 43 calls for reciprocal measures to be taken against any country or region that adopts “discriminatory prohibitions, limitations, or other similar measures” against the PRC in the personal information realm.
The PIPL adds to the CSL and DSL by expanding the type of data that is protected but does so in a way that furthers the interests of the CCP more so than the privacy protections of Chinese citizens and the free flow of data. The ultimate effect of this law is to localize data within China, making it exceedingly difficult and costly to comply with the cross-border data transfer conditions outlined in article 38, and to corral Chinese citizens’ data in one central location.
Implications of PIPL
China’s cybersecurity framework is a complex web of regulation, helping China earn the title of the most data-restrictive state in the world. One factor for China’s data restrictiveness, as outlined in the overview of the CSL and PIPL, is its strict data localization requirements. The PIPL builds on the CSL’s localization requirements by covering a broad set of data–personal information. Personal information includes “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons…” Where an organization, regardless of location, handles personal information for the purposes of providing products or services to people inside China, analyzes or assesses activities of people inside China, or any other reason provided by Chinese law, that organization will be subject to the PIPL. If an organization wishes to transfer the data outside of China, it must go through the arduous process outlined in article 38, in addition to notification of the subject and a security impact assessment.
The consequences of the PIPL’s data localization requirements will be costly for both organizations and Chinese citizens. For organizations relying on cross-border data flows, those costs will be monetary due to compliance measures and downstream effects, and threats of civil and criminal penalties given vague references to national security and public interest. For Chinese citizens, those costs will take the form of enhanced surveillance, increased repression, and the degradation of already-limited free speech and expression. When viewed in the context of China’s authoritarian governance, it is clear that the PIPL, and the larger cybersecurity framework, is not purely about protecting the personal information and data of Chinese citizens.
Cross-Border Data Flows
The PIPL’s “localization obligations in China are cumbersome and constitute a barrier to the free flow of data across borders.” Although there are pathways for organizations to continue to transfer data abroad, the costs may prove so significant as to render the flow of data to a trickle. To comply with the PIPL, organizations with operations in China must choose to either invest in data storage in mainland China, or invest in compliance measures to ensure that cross-border data transfers do not violate the PIPL. Some may choose neither and go the way of Yahoo or LinkedIn, leaving China altogether due to compliance costs. However, as of now, most organizations are staying put and those organizations must make the choice. In either circumstance, the cost of operating in China will likely increase significantly and greatly hinder the free flow of data.
If an organization chooses transfer mechanisms over storing data locally within China, it must consider a range of measures to comply and avoid penalties. Organizations should review all data processing activities to determine if PIPL applies, find lawful bases for each data processing activity, establish a response mechanism for data subjects’ requests, and establish an adequate mechanism that satisfies one of the four transfer conditions to legally transfer data abroad. Polsinelli LLP notes that “the compliance costs for overseas organizations to operate under the new framework established by the PIPL will likely increase.” Additional recommendations include determining and employing a consent mechanism, updating vendor management policies, and building a new internal program to manage cross border data transfers. Jay Kline, a principal at PwC, adds that PIPL’s “implementation is likely to increase the break-even amount for when it makes sense for multinationals to invest in regional operations, compliance staff and infrastructure.”
In addition to enacting and enforcing compliance measures, there is still the risk of substantial fines. Penalties for violations can be as severe as 50 million Yuan or 5% of annual revenue for “grave” acts. While these fines are not novel–they are similar to those in GDPR–the increased likelihood that they will be strictly enforced or used as a political tool make them more costly. Given the ambiguous nature of terms such as ‘national security’, ‘public interest’, and ‘grave’, and the CCP’s history of punishing organizations it perceives are acting contrary to its rule, the PIPL will likely be used as a tool to force organizations to fall in line with the CCP’s agenda.
If an organization calculates that data transfer costs are unsustainable, it may opt to store its data in China, effectively cutting off data transfers abroad. Organizations must then either invest in data servers in China–like Apple has done–subjecting them to sanctioned government surveillance per the CSL, or they would have to “hire a local service provider, such as Huawei, Tencent, or Alibaba.” The associated costs and administrative burdens of installing and managing a new data storage facility or hiring a local service provider may render infeasible the provision of many global services. This puts foreign firms at a disadvantage, particularly smaller, less resourced firms, and constitutes a form of data protectionism which opens the Chinese market for domestic firms to grow. Organizations with the resources to sustain operations in China then find themselves subject to increased potential for intellectual property (IP) theft, for which China has become notorious. Chinese entities are already adept at stealing intellectual property abroad, so “centralizing vast quantities of information in a limited number of data centers within a jurisdiction creates an enticing target” for Chinese IP thieves, potentially adding to the monetary costs of data storage.
Given the numerous barriers to transferring data and the potential for high compliance costs and penalties, many firms may ultimately find that operating in China is no longer cost-effective. Firms must spend more on IT services, pay for more data storage, pay for duplicative services in more than one jurisdiction, and spend more on compliance activities. Firms need data to flow freely to foster innovation and growth and to remain competitive. The PIPL’s barriers and harsh penalties, and China’s authoritarian government all culminate to restrict the free flow of data across borders.
Chinese Citizens’ Privacy
Firms localizing data in China consequentially contribute to the CCP’s control over its population. Not only does data localization contribute to decreased cross-border data flows, but it is also an effective tool for authoritarian regimes surveilling their populations. “Often, these data localization mandates are put forth under the guise of ‘protecting’ individuals’ privacy or security, but the result is often the exact opposite.” This is precisely what has occurred in China. The PIPL was enacted with the stated goal of “protect[ing] personal information rights and interests,” however, China’s governance system and history of surveilling its own population provides a different narrative. 
Although the PIPL is aimed at protecting individuals’ personal information, that protection is mainly geared toward consumers and won’t prevent the state from accessing those individuals’ information. Such information can be used by state actors to “identify and threaten individuals, thereby impacting privacy, data protection, and freedom of expression.” Data localization has been used to target minorities, journalists, and political opponents using the claim of protecting personal information. This seems highly likely in China’s case as the agencies tasked with data security are involved in surveillance and social and political control, thus facilitating one of the CCP’s main political interests–“maintaining power through access and control over data.”
The CCP has extensive experience using technology to control its population and the PIPL is simply another tool for it to employ to that end. State actors may access data concerning individuals’ biometrics, religious preferences, sexual orientation, political views, and much more. Prior to PIPL, personal information was already being used to persecute Uighur Muslims, political activists and opponents, and journalists. A specific example is an app that allows police to track and search individuals to reveal personal information such as blood type, educational level, occupation, vehicle information, electricity usage, and more. The PIPL has now broadened the potential set of personal information accessible to the CCP and granted it access to nearly every form of data, enabling state entities to more easily surveil potential threats and stamp out opposition.
In conjunction with China’s authoritarian governance, pervasive surveilling of its population, and adoption of cyber laws that force data localization and permit state actors to access that data at-will, the PIPL should be seen not as an effort to protect Chinese citizens’ personal information, but as an effort to tighten the CCP’s grip on its population.
Data may or may not be the new oil, but much like oil, it can be used as a tool to influence others, and the Personal Information Protection Law does just that. For organizations, the PIPL erects numerous barriers that make transferring data across borders much more difficult, forcing organizations to choose between incurring high costs of data transfer mechanisms, incurring high costs of storing data within China, or pulling out of China altogether. Organizations that choose to comply with transfer mechanisms face the further looming cost of being the victim of politically motivated penalties disguised as violations of national security or the public interest. Organizations that choose to localize data face constant and at-will surveillance by state entities under legal authority.
For Chinese citizens, the PIPL provides the CCP with the personal data of every individual whose data is stored within China–likely the vast majority. This will allow state entities to surveil the population constantly and more easily, identify potential threats to the regime, and persecute individuals and groups, solidifying its control over the population.
Over the past decade, states and regional blocs around the world have adopted data privacy laws and frameworks, and China is no exception. What separates China’s laws and framework from the rest is the implicit motive behind the execution. Democratic states enacting such laws and frameworks, invoking principles of consumer protectionism and individuals’ privacy rights, are generally seen as genuine attempts to fulfill the aims they claim to pursue. While China adopted the PIPL by invoking some of the same principles that democratic states and blocs invoked, the implicit motive becomes clear when one looks at the likely results of the law and China’s history of oppression and repression. The PIPL is not a law that will provide protection for Chinese citizens; it is a law that will restrict cross border data flows and further enable the state to surveil and control its population.
 See The World’s Most Valuable Resource is no Longer Oil, but Data, The Economist (May 6, 2017), https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data; Michael Kershner, Data Isn’t The New Oil – Time Is, Forbes (Jul. 15, 2021, 8:20 AM), https://www.forbes.com/sites/theyec/2021/07/15/data-isnt-the-new-oil–time-is/?sh=6ef29c3835bb; Francis Adrian Viernes, Stop Saying ‘Data is the New Oil’, Medium (Sept. 14, 2021), https://medium.com/geekculture/stop-saying-data-is-the-new-oil-a2422727218c.
 See Data-Driven Innovation: Big Data for Growth and Well-Being, OECD 20-21 (2015), https://read.oecd-ilibrary.org/science-and-technology/data-driven-innovation_9789264229358-en#page23.
 It is important to note that there are numerous supporting documents that seek to clarify and supplement these laws. While important, they will not be discussed at length in this paper but may be mentioned and analyzed as necessary.
 Jack Wagner, China’s Cybersecurity Law: What You Need to Know, The Diplomat (Jun. 1, 2017) https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/.
 Sam Pfeifle, China’s Evolving Views on Privacy, International Association of Privacy Professionals (Sept. 28, 2017), https://iapp.org/news/a/chinas-evolving-views-on-privacy/.
 Christina B. Whitman, Privacy in Confucian and Taoist Thought 92-93 (D. Munro. Ann Arbor: Univ. of Michigan, Center for Chinese Studies ed., 1985).
 U.S. Const. amend. IV; James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J 1151, 1161 (2004).
 Id. at 1161.
 Cybersecurity Law of the People’s Republic of China (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 6, 2016, effected Jun. 1, 2017), art. 1 2017 P.R.C. Laws [hereinafter “CSL”].
 Wagner, supra note 4 (defining network operators as network owners, managers, and providers; a network is defined as any system comprised of computers and related equipment that gathers, stores, transmits, exchanges, or processes information).
 CSL, supra note 10, at art. 50.
 Id. at arts. 9, 69.
 Id. at art. 37.
 Data Security Law of the People’s Republic of China (promulgated by the Standing Comm. Nat’l People’s Cong., Jun. 10, 2021, effected Sept. 1, 2021), art. 1 2021 P.R.C. Laws [hereinafter “DSL”]; Why China’s New Data Security Law Is a Warning for the Future of Data Governance, Foreign Policy (Jan. 28, 2022) https://foreignpolicy.com/2022/01/28/china-data-governance-security-law-privacy/#:~:text=The%20Personal%20Information%20Protection%20Law&text=The%20law%20governs%20data%20collection,and%20obtain%20consent%20from%20individuals.
 DSL, supra note 16, at arts. 2, 21, 36.
 Ryan D. Junck et. al., China’s New Data Security and Personal Information Protection Laws: What They Mean for Multinational Companies, Skadden, Arps, Slate, Meagher & Flom LLP (Nov. 3, 2021), https://www.skadden.com/Insights/Publications/2021/11/Chinas-New-Data-Security-and-Personal-Information-Protection-Laws#:~:text=The%20Data%20Security%20Law,-The%20Data%20Security&text=The%20law%20is%20generally%20seen,where%20the%20data%20is%20stored.
 DSL, supra note 16, at art. 45.
 Personal Information Protection Law of the People’s Republic of China (promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021, effected Nov. 1, 2021), art. 4, 2021 P.R.C. Laws [hereinafter “PIPL”] (defining “handling” as “collection, storage, use, processing, transmission, provision, disclosure, deletion, etc”).
 Id. at art. 4 (defining “personal information” as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling”).
 Id. at arts. 1, 3.
 Id. at art. 3.
 See Yehan Huang & Nigli Shi, Top Scholar Zhou Hanhua Illuminates 15 Years of History Behind China’s Personal Information Protection Law, DIGICHINA (Jun. 8, 2021) https://digichina.stanford.edu/work/top-scholar-zhou-hanhua-illuminates-15-years-of-history-behind-chinas-personal-information-protection-law/; Gabriela Zanfir-Fortuna et al., China’s New Comprehensive Data Protection Law: Context, Stated Objectives, Key Provisions, Future of Privacy Forum (Aug. 21, 2021), https://fpf.org/blog/chinas-new-comprehensive-data-protection-law-context-stated-objectives-key-provisions/.
 PIPL, supra note 20, at art. 40.
 PIPL, supra note 20, at art. 40.
 CSL, supra note 10, at art. 37.
 Translation: Outbound Data Transfer Security Assessment Measures (Draft for Comment) – Oct. 2021, DIGICHINA (Oct. 29, 2021), https://digichina.stanford.edu/work/translation-outbound-data-transfer-security-assessment-measures-draft-for-comment-oct-2021/.
 Id. at art. 40.
 See generally Council Regulation 2016/679, arts. 51-59, 2016 O.J (L 119/1) (EU).
 PIPL, supra note 20, at art. 38.
 Id. at art. 39, 56.
 Id. at art. 41.
 Id. at art. 42.
 Id. at art. 43.
 Nigel Cory & Luke Dascoli, How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them, Info. Tech. & Innovation Found. 16 (Jul. 2021), https://itif.org/sites/default/files/2021-data-localization.pdf.
 PIPL, supra note 20, at art. 4
 Id. at art. 3.
 Id. at arts. 38, 39, 56.
 Hunter Dorwart, Demystifying Data Localization in China: A Practical Guide, Future of Privacy Forum 2 (Feb. 2022), https://fpf.org/wp-content/uploads/2022/02/Demystifying-Data-Localization-Report.pdf.
 See Natasha Lomas, Twitter is Reviewing Whether to Store Some User Data in Russia, Tech Crunch (Apr. 19, 2017, 2:16 PM), https://techcrunch.com/2017/04/19/twitter-is-reviewing-whether-to-store-some-user-data-in-russia/ (highlighting decisions that Twitter faced in Russia that are similar to those companies now face in China).
 Amy Gunia, Yahoo and LinkedIn are Ditching China. Here’s Why Most U.S. Businesses are Staying Put, Time (Nov. 5, 2021, 3:12 PM), https://time.com/6113375/yahoo-linkedin-companies-leaving-china/; Reshma Kapadia, U.S. Companies Face New Risks in a Changing China. What That Means for the Stocks, Barron’s (Nov. 15, 2021) https://www.barrons.com/articles/us-china-business-risks-stocks-51636707602.
 Gunia, supra note 43; Kapadia, supra note 43.
 Elizabeth Harding & L. Hannah Ji-Otto, Five Immediate Steps to Take in Preparation for China’s New Comprehensive Privacy Law, The National Law Review (Nov. 2, 2021), https://www.natlawreview.com/article/five-immediate-steps-to-take-preparation-china-s-new-comprehensive-privacy-law.
 Soumik Ghosh, How China’s Information Protection Law Affects Businesses, Bank Info Security (Sep. 9, 2021), https://www.bankinfosecurity.asia/how-chinas-information-protection-law-affects-businesses-a-17498.
 PIPL, supra note 20, at art. 66.
 Compare PIPL, supra note 20, at art. 66 with Council Regulation 2016/679, supra note 31, at art. 83.
 For examples of the CCP harshly cracking down on companies See generally Nike, H&M Face China Fury Over Xinjiang Cotton Concerns, BBC (Mar. 25, 2021), https://www.bbc.com/news/world-asia-china-56519411; Tim McDonald, Can Western Brands Recover from Consumer Backlash in China?, BBC (Apr. 25, 2021), https://www.bbc.com/news/business-56598884; NBA Returns to Chinese Television Following Hong Kong Blacklist, Al Jazeera (Mar. 30, 2022) https://www.aljazeera.com/news/2022/3/30/nba-returns-to-chinese-television-following-hong-kong-blacklist.
 Jack Nicas et. al., Censorship, Surveillance and Profits: A Hard Bargain for Apple in China, New York Times (May 17, 2021), https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html; Apple Criticized for Storing Data inside China, BBC (May 20, 2021), https://www.bbc.com/news/technology-57186275; Wagner, supra note 4.
 Erica Fraser, Data Localisation and the Balkanization of the Internet, 13 SCRIPTed 359, 362 (2016).
 See Nigel Cory, Cross-border Data Flows: Where are the Barriers, and What do They Cost?, Info. Tech. & Innovation Found. 2 (May 2017), https://www2.itif.org/2017-cross-border-data-flows.pdf?_ga=2.79687709.823271257.1651430238-1883173358.1649006792.
 See generally Daniel Rechtschaffen, How China’s Legal System Enables Intellectual Property Theft, The Diplomat (Nov. 11, 2020), https://thediplomat.com/2020/11/how-chinas-legal-system-enables-intellectual-property-theft/.
 Fraser, supra note 53, at 363; China Stills Steals Commercial Secrets for its Own Firms’ Profits, The Economist (Nov. 13, 2021), https://www.economist.com/china/2021/11/11/china-still-steals-commercial-secrets-for-its-own-firms-profit.
 Cory, supra note 54, at 6-7.
 Id. at 6.
 Lindsey R. Sheppard et. al., The Real National Security Concerns Over Data Localization, Center for Strategic & International Studies 3 (Jul. 2021), https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210723_Sheppard_DataLocalization.pdf?en2io56tR_AVK4Ts6yzoHoafKr354j5t.
 Id. at 6.
 PIPL, supra note 20, at art. 1.
 Matt Burgess, Ignore China’s New Data Privacy Law at Your Peril, Wired (Nov. 5, 2021, 7:00 AM), https://www.wired.com/story/china-personal-data-law-pipl/.
 Cory & Dascoli, supra note 37, at 7.
 Sheppard et. al., supra note 59, at 5.
 Cory & Dascoli, supra note 37, at 6.
 Adrian Shahbaz, The Rise of Digital Authoritarianism, Freedom House (2018), https://freedomhouse.org/report/freedom-net/2018/rise-digital-authoritarianism.
 Human Rights Watch, China’s Mass Surveillance Phone App, YouTube (May 1, 2019), https://www.hrw.org/tag/mass-surveillance-china.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.