New Data Protection Standard in China: Lessons for the LGPD Enforcement Gap in Brazil

China raises the standard with the GB/T 45574-2025 norm, transforming compliance into a matter of objective adherence to technical specifications. In Brazil, the application of the LGPD is still marked by a maturity gap and subjectivity in proving due diligence.


Oswaldo Neto

10/26/2025 · 6 min read

Illustrative image of data privacy: China vs. Brazil (image generated with AI).

The imminent entry into force, on November 1, 2025, of the new GB/T 45574-2025 standard for the processing of Sensitive Personal Information in China illustrates how the rise of the data economy has turned personal information protection into a global regulatory pillar, leading countries such as China and Brazil to establish comprehensive legal frameworks. In Brazil, the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD), Law No. 13,709/2018, protects the fundamental rights of freedom, privacy, and the free development of personality, and applies to data processing on any medium, digital included. In China, the Personal Information Protection Law (PIPL) pursues the same objective.

However, the two jurisdictions diverge deeply in their enforcement mechanisms, exposing contrasting regulatory models. China, through the technical standards issued by TC260 (the National Information Security Standardization Technical Committee), imposes objective technical and oversight rigor, treating data protection as an imperative of Digital Sovereignty. This regulatory rigor is paralleled by a cultural posture of self-protection and personal secrecy on the part of individuals, evidenced by hesitation to share basic information and by the use of pseudonyms online. Brazil, by contrast, while anchored in the fundamental right to privacy, faces a persistent challenge of cultural and institutional maturity in applying its law. This article analyzes the effectiveness of the Chinese implementation and the Brazilian enforcement gap, as evidenced by the low rate of judicial rulings against companies for data protection violations.

1. THE CHINESE MODEL: TECHNICAL IMPOSITION AND THE CULTURE OF SECRECY

The Chinese strategy for data protection is not limited to the text of the PIPL; it lies in the law's rigorous technical operationalization and detailed process governance. The PIPL establishes a broad scope of application, covering processing carried out within China and, extraterritorially, processing whose purpose is to provide products or services to natural persons in China or to analyze and assess their behavior (Article 3).

1.1 The Compliance Accelerator: TC260’s Digital Security Technical Specifications

The technical materialization of the PIPL's rigor occurs through detailed standards developed by TC260. The central framework includes GB/T 35273-2020 (Personal Information Security Specification) and the new GB/T 45574-2025 (Data Security Technology: Security Requirements for Processing of Sensitive Personal Information), which takes effect on November 1, 2025. Although GB/T 45574-2025 is a recommended national standard (the "T" in GB/T) and not legally mandatory, it provides a detailed operational guide for handling SPI in line with the PIPL. The standard matters because it translates broad legal principles into concrete cybersecurity requirements, helping organizations understand and implement the expected level of protection.

In terms of enforcement, regulatory authorities like the Cyberspace Administration of China (CAC) conduct random inspections of companies' personal information practices. Companies that align their policies and safeguards with the detailed specifications in the TC260 standards are better positioned to demonstrate good-faith compliance with the PIPL and related regulations, which, in practice, gives de facto force to the technical documents.

1.1.1 Security Protection and Governance Requirements

Even before processing begins, companies must identify, classify, and maintain a dedicated directory of Sensitive Personal Information (SPI), applying specific management procedures to it. Under the PIPL (Article 28), SPI is personal information that, if leaked or illegally used, could easily "infringe a person's dignity or endanger their personal or property safety"; the law lists biometric, religious, specific-identity, medical and health, financial-account, and location-tracking data, as well as the personal information of minors under 14.

The new standard details what constitutes SPI across these categories and sets compliance requirements for the whole data lifecycle. Companies must:

  • Implement mandatory security mechanisms in their systems, such as encryption, strict access control, logging, and regular audits;

  • Store SPI securely and separately from information that could identify the individual;

  • Provide mechanisms for secure deletion or anonymization of data once it is no longer needed;

  • Establish clear authorization procedures for critical operations, such as sharing, exporting, or publicly disclosing SPI.

Beyond technical security requirements, the standard reinforces governance: companies that process the sensitive data of more than 100,000 individuals must appoint a personal information protection officer (the PIPL's counterpart of a data protection officer) who has professional knowledge, sits on the processor's management, and undergoes a security background check.

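To make the difference between a legal duty and an auditable technical control concrete, here is an added illustration (not code from the standard, the article, or any regulator) of how the lifecycle requirements above can be expressed as checkable behavior: SPI rows carry only a random token, the token-to-person link is held in a separate store, every access is role-checked and logged, export needs a second person with an approval role, and erasure removes both the value and the link. The role names, SPI category list, in-memory dictionaries and sample record are all constructed for this example; encryption at rest is assumed to be supplied by the storage layer and is not shown.

```python
"""Toy SPI vault illustrating the GB/T 45574-2025 lifecycle controls listed above.
All roles, categories, records and stores are assumptions made for this example."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Categories the text names as SPI; anything else is refused at write time so
# that sensitive data cannot enter the store unclassified (the "directory" duty).
SPI_CATEGORIES = {"biometric", "religious", "financial", "minor_under_14"}

# Hypothetical role model: who may store/read SPI and who may approve an export.
ROLE_PERMS = {
    "clerk": {"store", "read"},
    "analyst": {"read"},
    "dpo": {"approve_export"},
}


@dataclass
class SpiVault:
    identities: dict = field(default_factory=dict)  # subject_id -> identifying data
    spi_store: dict = field(default_factory=dict)   # opaque token -> {"category", "value"}
    links: dict = field(default_factory=dict)       # subject_id -> set of tokens (the only join path)
    directory: dict = field(default_factory=dict)   # category -> count (the SPI directory)
    audit_log: list = field(default_factory=list)   # every allowed and denied operation
    roles: dict = field(default_factory=dict)       # actor -> role

    def _log(self, actor, action, ok, detail):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "ok": ok, "detail": detail,
        })

    def _require(self, actor, perm, detail=""):
        # Access control: unknown actors have no role and therefore no permissions.
        if perm not in ROLE_PERMS.get(self.roles.get(actor), set()):
            self._log(actor, perm, False, detail)
            raise PermissionError(f"{actor} lacks {perm}")

    def register_subject(self, subject_id, identifying):
        self.identities[subject_id] = identifying
        self.links.setdefault(subject_id, set())

    def store_spi(self, actor, subject_id, category, value):
        self._require(actor, "store", subject_id)
        if category not in SPI_CATEGORIES:
            raise ValueError(f"unclassified category: {category}")
        if subject_id not in self.identities:
            raise KeyError(subject_id)
        token = secrets.token_hex(16)  # random, so the SPI row carries no identifier
        self.spi_store[token] = {"category": category, "value": value}
        self.links[subject_id].add(token)  # link kept apart from the SPI row
        self.directory[category] = self.directory.get(category, 0) + 1
        self._log(actor, "store", True, f"{category}:{token}")
        return token

    def read_spi(self, actor, token, purpose):
        self._require(actor, "read", token)
        rec = self.spi_store[token]
        self._log(actor, "read", True, f"{token} purpose={purpose}")
        return rec["value"]

    def export_spi(self, actor, token, approver):
        # Critical operation: the requester needs read rights and a *different*
        # person with the approval role must sign off; both outcomes are logged.
        self._require(actor, "read", token)
        if approver == actor:
            self._log(actor, "export", False, "self-approval rejected")
            raise PermissionError("export requires a second person")
        self._require(approver, "approve_export", token)
        self._log(actor, "export", True, f"{token} approved_by={approver}")
        return dict(self.spi_store[token])

    def erase_subject(self, actor, subject_id):
        # Deletion removes the SPI values and the link; the identity record may
        # remain, but nothing sensitive can be joined to it afterwards.
        self._require(actor, "store", subject_id)
        for token in self.links.pop(subject_id, set()):
            rec = self.spi_store.pop(token)
            self.directory[rec["category"]] -= 1
        self._log(actor, "erase", True, subject_id)

    def is_linkable(self, token):
        """True if some identity can still be joined to this SPI token."""
        return any(token in toks for toks in self.links.values())
```

The point of the split store is that a breach of `spi_store` alone yields category-labelled values with no identifiers, and a breach of `links` alone yields nothing but random tokens; an auditor can verify each bullet above against the `audit_log` and the `directory` counts rather than against a policy document.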
This Top-Down technical imposition acts as a compliance accelerator and ensures the primacy of state control and Digital Sovereignty.

1.2 The Defensive Culture of Individual Privacy

Chinese regulatory rigor is paralleled by a cultural posture of self-protection. Culturally, data protection manifests as a deep sense of personal secrecy and caution. This is observed online, where Chinese users prefer pseudonyms (nicknames) on social media to their real names, and offline, in a hesitation to share even basic information such as one's hometown. This generalized concern with protecting one's identity is an adaptive response to intense state and corporate information collection, and it creates a defensive culture of privacy at the individual level.

2. THE BRAZILIAN SCENARIO: THE LGPD AND THE CHALLENGE OF IMPLEMENTATION CULTURE

In Brazil, the LGPD is anchored in Fundamental Rights, but its practical application is marked by a maturity gap that has hindered full enforcement.

2.1 The Challenge of Cultural Promotion and Bureaucracy

The main obstacle lies in cultural promotion. As directors of the National Data Protection Authority (ANPD) have warned, many companies, especially SMEs, still perceive the LGPD as a bureaucratic barrier or a marginal cost rather than a strategic governance component. This resistance contrasts with the defensive caution observed in individual Chinese behavior and indicates that the value of privacy is not yet ingrained in the Brazilian corporate environment. The ANPD has prioritized guidance to foster this new privacy culture, which prolongs the phase of consolidating rigor.

2.2 The Fragility of Judicial Enforcement

LGPD enforcement is still consolidating. Analyses of judicial data (as reported by JOTA) indicate that a significant share of cases citing the LGPD have not resulted in judgments against companies. This has two implications. First, organizations able to demonstrate due diligence or the existence of a compliance program (even a basic one) have been able to mitigate their civil liability in court. Second, Brazil is still in the institutional maturation phase for consistently inspecting and punishing violations. The absence of a detailed, binding "technical manual" equivalent to the TC260 cybersecurity standards makes compliance more subjective and dependent on judicial interpretation and proof of good faith.

3. COMPARISON OF COMPLIANCE APPROACHES AND CHALLENGES

The contrast between China and Brazil fundamentally lies in the compliance mechanism and the speed of maturity. In China, the strategy is one of Top-Down technical imposition, where compliance is a matter of objective adherence to the rigorous specifications of the TC260 standard, which works in conjunction with an individual culture of secrecy to create a highly defensive environment. The primary focus is State Control and National Security, and the practical rigor is high, facilitating accurate auditing by the CAC, even if the norms are formally non-mandatory.

In Brazil, the LGPD is governed by Cultural Transformation and gradual Judicial Enforcement, with a primary focus on Individual Fundamental Rights. Practical rigor is variable, as it largely depends on each company's maturity and the Judiciary's interpretation of the concept of "due diligence" or "good faith." While China's main challenge is to ensure that its technical cybersecurity standards are universally applied in a continental-sized country, Brazil's central challenge is to overcome the view of the LGPD as bureaucracy, consolidating ANPD enforcement to raise the level of protection across the entire economy. The absence of a binding and auditable technical standard, like TC260, keeps Brazilian compliance in a slower and more subjective stage of development.

4. CONCLUSION

The central difference in data protection lies in the nature of implementation and the speed of maturity. China utilized the objective technical prescription (cybersecurity) of TC260 as a state tool to impose a high rigor of compliance, ensuring that the PIPL is effectively applied and supervised by clear parameters, which grants the country a significant technical advance.

Brazil, in turn, although equipped with a robust and constitutionally grounded law (LGPD), faces the challenge of translating the law into practice in an environment of cultural immaturity. To close the maturity gap exposed by the Chinese advance, the LGPD must transcend mere legal debate, and the ANPD needs to intensify enforcement to transform legal concern into a rigorous and non-negotiable operational cybersecurity routine for all companies. As long as the Judiciary and the ANPD rely on "proof of due diligence" to determine liability, the level of data protection in Brazil will remain in a maturity gap when compared to the Chinese model of technical control and normative imposition, which benefits from an individual culture already prone to secrecy.

REFERENCES:

BRAZIL. Law No. 13,709, of August 14, 2018. General Data Protection Law (LGPD). Brasília, DF: Presidency of the Republic, [2018]. Available at: https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm. Accessed on: 25 Oct. 2025.

CHINA. Cyberspace Administration of China (CAC). 中华人民共和国个人信息保护法 [Personal Information Protection Law of the People's Republic of China (PIPL)]. Published on 20 Aug. 2021. Available at: https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm. Accessed on: 25 Oct. 2025.

CHINA. National Information Security Standardization Technical Committee (TC260). Data Security Technology—Security Requirements for Processing of Sensitive Personal Information. Standard GB/T 45574-2025. China, 2025. Available at: https://www.tc260.org.cn/upload/2025-06-17/1750126302878095198.pdf. Accessed on: 25 Oct. 2025.