Same text, different meaning: China’s risk-based approach to data protection

Abstract This article analyzes the divergence between China’s Personal Information Protection Law (PIPL) and the EU’s General Data Protection Regulation (GDPR), despite their textual similarities. It argues that China’s approach to data protection is shaped by distinct domestic understandings of “risk,” rooted in past legislation, judicial practices, and social concerns. Using focal point theory, the authors identify three key dimensions of risk in China: large-scale participation, economic loss, and threats from third parties. These focal points explain why China’s risk-based approach prioritizes different enforcement goals than the GDPR. The article also shows how these differences manifest in several areas, including the definition of personal information, the regulation of automated decision-making, and the design of enforcement authorities. Ultimately, the article challenges the assumption that legal diffusion through the “Brussels Effect” leads to uniform global standards. Instead, it highlights how domestic cultural and institutional factors reshape transplanted laws, creating seemingly performative enforcement that reflects localized regulatory logics.