
The advent of the digital age has made it easier for everyone to interact online, and it seems that everyone’s life is embedded in the digital grid. Whether interacting on social media, commenting online, or using electronic devices, everyone’s data flows rapidly and is constantly collected, stored, analyzed, and used for training. This brings serious risks of privacy leakage: data breach incidents are becoming more common, and their effects are increasingly far-reaching and irreversible (Suzor, 2019).
“It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.”
— Clay Shirky, Internet scholar and professor at N.Y.U.
What’s the Law on Data Privacy? China vs Australia

China’s Personal Information Protection Law (PIPL) was passed in August 2021 and came into force in November 2021 to protect personal data from abuse, strengthen security protection, and promote the reasonable use of data (Tan & Zhang, 2021). As China’s first law dedicated to data protection in the digital age, PIPL has far-reaching influence and strengthens users’ trust in how their data is collected and used. PIPL emphasizes the individual’s control over the use of their data and clarifies the basic principles companies must follow when handling personal information.
For example, the informed consent principle requires companies to obtain explicit consent before collecting and using personal data, and the minimum necessity principle requires companies to have a reasonable purpose and to choose the processing method with the least impact on the rights and interests of the individual (Calzada, 2022). Companies must comply with stricter rules when processing sensitive personal data, such as obtaining the consent of a guardian when collecting information from minors under the age of 14. For data breaches, PIPL stipulates the administrative, civil and even criminal liabilities that companies must bear. At present, when handling a data breach, Chinese authorities combine the Cybersecurity Law, the Data Security Law and PIPL to impose clearer restrictions (Calzada, 2022).

Australia’s Privacy Act was passed in 1988 and sets out 13 Australian Privacy Principles (APPs) covering personal information protection, data security management and related matters. The APPs are binding on Australian government agencies, private and not-for-profit organizations with an annual turnover of more than AUD 3 million, private health service providers, and some small businesses (Nicol et al., 2014). The Office of the Australian Information Commissioner (OAIC) plays a central role in enforcing privacy obligations, responding to complaints and ensuring data compliance. For non-compliance with the law, a civil penalty of up to 2.22 million Australian dollars may be imposed (Clarke, 2009).
Australia’s Privacy Act was further amended in 2022 to increase penalties for serious interferences with privacy and to strengthen the regulator’s investigation and enforcement powers. This is significant both for protecting personal privacy and for subjecting companies to stricter supervision of their data use. Specifically, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 introduces more targeted measures to enhance the OAIC’s ability to protect and regulate the data privacy of Australians in line with community expectations (Witzleb, 2023).
Didi’s 2018 Data Breach in China
As one of China’s most influential online ride-hailing platforms, Didi was found in the 2022 China Cybersecurity Review to have committed 16 illegal acts relating to data privacy, such as illegally collecting screenshots, clipboard information, facial recognition information, occupational information, precise location data, driver education information and passenger travel intention information, including from users’ mobile phone photo albums. Didi was also found to have engaged in activities that seriously threatened national information security and to have maliciously evaded supervision (Hua & Wang, 2023). In this case, Didi was identified as the offending entity, and its chairman and president were required to bear supervisory responsibility.
China imposed special administrative penalties on Didi because its violations were serious and it had not fulfilled its personal information protection obligations in accordance with legal and regulatory requirements. In terms of timeline, Didi’s illegal behavior began in June 2015 and lasted for about 7 years, which not only seriously violated PIPL but also violated the Cybersecurity Law and the Data Security Law (Conde et al., 2025). In terms of scale, Didi illegally processed 64.709 billion pieces of personal information, much of it sensitive, such as facial recognition information. In the end, the Cyberspace Administration of China fined Didi RMB 8.026 billion (Conde et al., 2025).
In fact, before China officially punished Didi, rumors circulated online that Didi had packaged and sold the collected user information to the United States, which caused heated discussion among Chinese netizens. Didi responded only by saying that “it did not sell the data to the United States”, without clearly addressing the facts of data collection and abuse (Torrisi, 2023). This caused Didi’s reputation in China to plummet and even caused its stock price to fall sharply.
China’s administrative punishment of Didi combined multiple laws, and the use of PIPL as a basis for the decision symbolizes important progress in China’s data protection field, but the Didi incident also exposed some legal loopholes. On the one hand, although Article 57 of PIPL clearly stipulates that in the event of an actual or possible personal information leak, the personal information processor should immediately take remedial measures and notify the departments performing personal information protection duties and the affected individuals, the definition of “immediately” is relatively vague and carries no time limit. This allowed Didi to delay its response, or even avoid a direct response, to the data leak in this case (Xiong et al., 2023).
This shows that the formal implementation of PIPL still contains ambiguities and relies more on the self-discipline of enterprises than on clear legal provisions. By contrast, the EU’s GDPR clearly requires that the obligation to report to the supervisory authority be fulfilled within 72 hours of becoming aware of a data breach, which is clearer and more operational (Schmitz-Berndt & Schiffner, 2021).
On the other hand, the problem of insufficient legal deterrence remains. Although China imposed a fine of 8.026 billion yuan on Didi, this is not much compared to Didi’s annual revenue of 141.736 billion yuan in 2020 (EqualOcean, 2021). In addition, Didi was fined hundreds of millions of yuan because of its large number of users and the large amount of user information it collected. For smaller companies, the punishment mechanism set by PIPL may not be a sufficient deterrent. The obligations of personal information processors stipulated in Article 58 may lead some companies to favor post-event remediation over pre-event prevention when meeting regulatory requirements.
Optus Data Breach in Australia
Let us take a look at the Optus data breach in Australia. In 2022, Optus, Australia’s third largest telecommunications operator, suffered a data breach in which about 9.8 million people’s information was stolen; nearly one-third of them had their driver’s license numbers and passport information taken, which caused a large number of victims to rush to replace their driver’s licenses to protect their personal information (Pha, 2022). Optus said that the data breach was a hacker attack, but internal sources said that it was caused by an API configuration error.
According to the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, companies must take reasonable steps to protect personal information, and when information is leaked they must promptly notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) (Herbert-Lowe, 2022). From the timeline, Optus did inform the public of the data breach and notified the regulator the day after the breach was discovered, in compliance with the NDB rules, but Optus was accused of “not taking sufficient necessary measures to avoid data breaches”, which is suspected of violating the “reasonable steps” clause of the privacy law.
In its response after the data breach, Optus commissioned Deloitte to conduct an independent external review. Optus also offered its most affected customers a 12-month subscription to Equifax Protect, a credit monitoring service (Madnick, 2022). Optus CEO Kelly Bayer Rosmarin publicly apologized and stated that $140 million had been set aside for costs related to the intrusion, including the replacement of compromised IDs and passports, the Equifax Protect subscriptions and the Deloitte review.
Minister for Home Affairs and Cyber Security Clare O’Neil said Optus was responsible for the attack and expressed dissatisfaction with Australian law, arguing that the laws governing the security of critical infrastructure were biased towards post-event review and only allowed the government to intervene once a data breach had occurred, rather than preparing to prevent one in advance.
Although the Privacy Act 1988 and the NDB scheme provide clear guidance on how companies should behave after a data breach, some shortcomings remain. For example, the A$2.22 million fine under the Privacy Act 1988 is considered too low and is unlikely to deter large companies, especially those of Optus’s size. In addition, the role of the Office of the Australian Information Commissioner (OAIC) was not fully utilized: it was only notified after the data breach and was not fully involved in the investigation of the case. Accordingly, after the data breach in September 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act, which came into effect on December 13, 2022, addressed these shortcomings and provided clearer guidance for dealing with possible data breach cases in the future (Australian Government, 2022).
“The end of section 13G of the 2022 Privacy Act Amendment significantly increased the original civil penalty of AUD 2.22 million, and clearly stipulated that the fine for legal persons is the greater of the following three amounts: AUD 50,000,000, 3 times the value of the benefit obtained from the violation, or 30% of the company’s turnover when the value of the benefit is uncertain.”
— Australian Government, 2022
Comparative Analysis of Data Protection Laws in China and Australia
The personal data protection laws of China and Australia show that both countries focus on protecting the integrity, storage, transmission and use of personal data, and both have made relatively reliable regulations. The two laws also make relatively detailed provisions on the responsibilities and obligations of data processors such as enterprises, requiring information processors to promptly notify the relevant departments or affected individuals after a data leak.
China is continually improving its legal provisions in the field of personal information protection through new legislation. For example, PIPL was introduced on the basis of the Cybersecurity Law and the Data Security Law, and multiple laws are applied together when holding companies accountable. Australia, by contrast, has improved its law through amendments: the 2022 Act not only increases the penalties but also expands the authority of the OAIC.
In terms of differences, the law enforcement orientations of China and Australia diverge. China’s enforcement focuses on national protection, requiring companies to notify “relevant departments and individuals” after a data leak, with priority given to the relevant departments (Calzada, 2022). When investigating data leaks, the Cyberspace Administration of China (CAC), the public security organs and other bodies conduct joint and strict investigations and supervision, and clearly establish the scope and scale of the leak. If the data leak may involve national security, the Chinese government imposes more severe penalties. Although the penalty is small in proportion to Didi’s profits, the fine of 8.026 billion yuan fully demonstrates the Chinese government’s severe attitude towards large companies that illegally handle personal data.
Australia’s enforcement focuses on consumer protection, emphasizing information transparency and corporate self-regulation (Australian Government, 2022). Moreover, the 2022 amendments only expand the OAIC’s authority to investigate data leaks and do not clearly authorize other government agencies.
At the same time, Article 57 of China’s PIPL stipulates that information processors must notify the relevant institutions and departments after a data breach occurs, but sets no time limit. The “immediately” provision is not clear enough, which also led to Didi’s delayed response and thereby damaged public trust (Calzada, 2022).
Australia’s NDB scheme clearly stipulates that organisations exceeding the turnover threshold must report to the designated Commonwealth body within 72 hours if a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have a direct or indirect impact on a reporting business entity. This is why Optus could report to the OAIC quickly after the data breach, reducing the further problems and risks that delayed reporting might cause (Australian Government, 2022).
Conclusion

Therefore, through the Didi data leakage incident in China and the Optus data leakage incident in Australia, we can observe the differences between the two countries’ legal systems. Although both countries have issued laws and regulations for data security protection, strengthening the governance of enterprises in the digital age and stipulating how enterprises must respond to data leaks and what legal responsibilities they must bear, the laws of both countries remain imperfect.
By learning from each other’s strengths and continually improving their own legal systems, China and Australia can more effectively improve data security, prevent increasingly complex data leakage risks, and provide a better example for global data security governance (Flew, 2021).
References
7 News Australia. (2024). Optus CEO apologises, attempts to explain outage. YouTube. https://youtu.be/iMXDuykcAyo?si=F2yTxB3T3dqg0Yai
9 News Australia. (2023). Minister lashes cyber crime laws as ‘bloody useless’ amid Optus hack. YouTube. https://youtu.be/JWwPtF5hy8A?si=X7S2n7PNG7Uhjx3W
SBS News. (n.d.). Albanese says MediSecure hack “very significant” and warns it “won’t be the last.” https://www.sbs.com.au/news/article/albanese-says-medisecure-hack-very-significant-and-warns-it-wont-be-the-last/apqpt2iqr
Australian Government. (2022). Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. https://www.legislation.gov.au/C2022A00083/latest/text
Calzada, I. (2022). Citizens’ data privacy in China: The state of the art of the Personal Information Protection Law (PIPL). Smart Cities, 5(3), 1129-1150. https://www.mdpi.com/2624-6511/5/3/57
Clarke, R. (2009). Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25(2), 123-135. https://www.sciencedirect.com/science/article/pii/S0267364909000302
CNBC Television. (2022). Didi’s data collection is a national security issue for China, says author Ann Lee. YouTube. https://youtu.be/YkkgdAZ9wyA?si=vJTC1etKIeSgFF9q
Conde, I., Li, Y., & Vyas, R. P. (2025). Global Companies and China’s Data Privacy Laws: Analysing DIDI’S Case and Regulatory Compliance Implications. Chinese Journal of Transnational Law, 2753412X241288770. https://journals.sagepub.com/doi/abs/10.1177/2753412X241288770
EqualOcean. (2021). Didi to raise USD. https://www.google.com.hk/url?sa=t&source=web&rct=j&opi=89978449&url=https://equalocean.com/news/2021062516400&ved=2ahUKEwi8jonQ4qeMAxVnweYEHUMYDf0QFnoECBoQAQ&usg=AOvVaw2yPz9BAHri-2hpxTFMSD1l
Fadilpašić, S. (2025, April 1). Top API testing firm APISEC exposed customer data during security lapse. TechRadar. https://www.techradar.com/pro/security/top-api-testing-firm-apisec-exposed-customer-data-during-security-lapse
Flew, T. (2021). Regulating platforms. John Wiley & Sons. https://sc.panda985.com/extdomains/books.google.com/books?hl=zh-CN&lr=&id=fI1SEAAAQBAJ&oi=fnd&pg=PA1986&dq=Flew,+Terry+(2021)%C2%A0Regulating+Platforms.+&ots=9IVLKCmlwg&sig=ZpPDPPnjVR6KHh9YGjSqamiZyw8
Herbert-Lowe, S. (2022, November). Payment redirection fraud–who does (and who should) bear the loss in fraudulent banking transactions, and is Australia’s electronic banking system fit for purpose?. In 2022 IEEE International Symposium on Technology and Society (ISTAS) (Vol. 1, pp. 1-7). IEEE. https://ieeexplore.ieee.org/abstract/document/10227138/
Hua, J., & Wang, P. (2023). Cultural differences in privacy protection: A case study of DiDi privacy violations. Issues in Information Systems. https://par.nsf.gov/biblio/10480379
Madnick, S. (2022). The rising threat to consumer data in the cloud. https://cyberlaw.stanford.edu/content/files/newsroom/pdfs/the-rising-threat-to-consumer-data-in-the-cloud.pdf
Nicol, D., Hagger, M., Ries, N., & Liddicoat, J. (2014). Time to get serious about privacy policies: the special case of genetic privacy. Federal Law Review, 42(1), 1-32. https://www.cambridge.org/core/journals/federal-law-review/article/time-to-get-serious-about-privacy-policies-the-special-case-of-genetic-privacy/5622C5ABD9CECA36AED9D7625AC1D2F3
OAIC. (2024, December 10). The Privacy Act. https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
Optus. (n.d.). Equifax Protect eligibility. https://www.optus.com.au/support/cyberresponse/equifax-protect-eligibility
PIPL. (2022, May 10). Personal Information Protection Law of the People’s Republic of China. https://personalinformationprotectionlaw.com/
Pha, A. (2022). Optus: Data is gold. Guardian (Sydney), (2027), 1-3. https://search.informit.org/doi/abs/10.3316/informit.694929628482145
Schmitz-Berndt, S., & Schiffner, S. (2021). Don’t tell them now (or at all)–responsible disclosure of security incidents under NIS Directive and GDPR. International Review of Law, Computers & Technology, 35(2), 101-115. https://www.tandfonline.com/doi/abs/10.1080/13600869.2021.1885103
Suzor, N. P. (2019). Who makes the rules? In Lawless: The secret rules that govern our lives (pp. 10-24). Cambridge University Press.
Tan, Z., & Zhang, C. (2021). China’s PIPL and DSL: Is China following the EU’s approach to data protection?. Journal of Data Protection & Privacy, 5(1), 7-25. https://www.ingentaconnect.com/content/hsp/jdpp/2021/00000005/00000001/art00002
Torrisi, R. (2023). China’s New Personal Information Protection Law (PIPL): Implications for Companies and Human Resources Management. https://unitesi.unive.it/handle/20.500.14247/17888
Witzleb, N. (2023). Responding to global trends?: privacy law reform in Australia. Data Disclosure: Global Developments and Perspectives, 147-168. https://www.degruyter.com/document/doi/10.1515/9783111010601-009/pdf?licenseType=open-access
Xiong, B., Ge, J., & Chen, L. (2023). Unpacking data: China’s ‘bundle of rights’ approach to the commercialization of data. International Data Privacy Law, 13(2), 93-106. https://academic.oup.com/idpl/article-abstract/13/2/93/7044277
Zachariah, T. (2025, March 1). China’s Personal Information Protection Law (PIPL). WebToffee. https://www.webtoffee.com/china-personal-information-protection-law-pipl/