When the European Union's (EU) General Data Protection Regulation went into effect in 2018, it became one of the strictest privacy and security laws in the world. Although the GDPR was drafted to protect the citizens of the EU, the impact of its regulations and obligations was felt worldwide. Since the GDPR's landmark passing, governments around the world have released stricter requirements for the protection of their citizens' data, and many have either adopted or are close to adopting comparable data privacy laws. Today, more than 120 countries have either enacted data protection laws or are utilizing some form of international privacy law to ensure more rigorous protections and controls over personal information.
Many of these new privacy laws follow the GDPR's gold-standard protections, including Brazil's General Personal Data Protection Law (LGPD), Thailand's Personal Data Protection Act (PDPA), Japan's Act on Protection of Personal Information (APPI), the U.S.'s California Consumer Protection Act (CCPA) and California Protection Rights Act (CPRA), and now, China's recently passed Personal Information Protection Law (PIPL).
China's PIPL, passed on August 20, 2021, and effective November 1, 2021, appears in many aspects to be inspired by the GDPR and has even been called “China's GDPR.” The PIPL is China's first comprehensive law directly designed to protect the personal information of individuals in China. The PIPL was passed less than two months after its companion law, the Data Security Law (DSL), which went into effect in September 2021, and regulates the protection and security of data relating to the national security and public interests of China.
While the PIPL shares many aspects with the GDPR, it includes certain obligations that differ and many others that are not found in the GDPR. Below, we dive deeper into the similarities and differences between the PIPL and the GDPR.
Drawing many principles from the EU’s General Data Protection Regulation, the Personal Information Protection Law strives to establish a set of rules around the collection, processing, and protection of personal data for the first time in China. Understanding how the two laws compare can help organizations focus their compliance efforts with the PIPL and appropriately adapt current privacy programs to match the requirements of this new law.
The PIPL consists of eight chapters containing a total of 74 articles, whereas the GDPR has 11 chapters and 99 articles. In spite of this difference, all of the chapters in the PIPL (aside from Chapter VIII: Supplemental Provisions) correspond with a chapter from the GDPR. For example, each law has a chapter on general provisions, cross-border transfers, legal liabilities, and so on. While the specific provisions within each chapter might differ, both laws address the same topics.
Compared to various other privacy laws around the world, China's PIPL most closely resembles the GDPR in scope. Similar to the GDPR's scope, which applies to any company that handles the personal data of an EU resident, the PIPL applies to any entity that processes the personal information of Chinese individuals, regardless of whether that happens in China or outside the country. The scope of the PIPL is also broader than the GDPR, because certain conditions of the law allow Chinese regulators to designate other laws and regulations where the PIPL would be applicable.
Similar to the GDPR, the PIPL also extends its scope to the processing of personal information of individuals when that processing is conducted outside of China. This extraterritorial effect only applies if the purpose of the processing is to provide products or services to individuals in China, to analyze the behavior of individuals in China, or for other purposes that are yet to be specified by laws and regulations.
The PIPL also requires entities subject to these extraterritorial effects to either establish a dedicated office or appoint a designated representative in China for personal information protection purposes. While similar to the GDPR's requirement for the appointment of an EU representative for offshore controllers, the specific role an office or representative would take under the PIPL is still unclear.
The PIPL's definition of personal information is almost identical to the GDPR's definition of personal data (the two laws differ mainly in the term they use), including the exception for anonymized information. Both laws define personal information as "any information related to an identified or identifiable natural persons," but the PIPL goes one step further by incorporating "recorded by electronic or other means" into its definition.
Unlike the GDPR, the PIPL has its own definition for sensitive personal information, which is defined as "personal information that may lead to harm to the dignity of natural persons or serious harm to the safety of persons or property if disclosed or unlawfully used." And, even though the PIPL borrows its language from the GDPR, it is broader when comparing the special categories of covered information as it also includes financial accounts and individual location tracking.
The legal basis for processing under the PIPL takes a similar approach to the GDPR. Both laws provide lawful bases for processing information in addition to consent. There is no equivalent in the PIPL to the GDPR's "legitimate interests" basis, though. Instead, the PIPL only allows for certain narrowly defined circumstances outside of consent, four in total. And, just as in the GDPR, the PIPL also imposes the general principles of openness and transparency, legality, legitimacy, and necessity.
In addition, the PIPL does not provide an explicit requirement for creating or maintaining a record for data processing activities like the GDPR does. However, the PIPL does impose obligations on data controllers to regularly engage in audits of their personal information processing activities and their compliance with laws and administrative regulations.
Similar to the GDPR's definition of consent, consent under the PIPL must be informed, freely given, and explicit, and it may be later withdrawn. However, the PIPL differs in that consent does not need to be specific. The law does identify situations in which separate consent is required, suggesting that the two laws are not too different in the end. Situations where an individual would need to provide separate consent include:
Although it adopts a few different terms, individuals under the PIPL share many of the same rights found in the GDPR. Aside from the right to request that personal information processors explain their handling rules, all other rights correspond closely. The GDPR does provide more explicit guidance about the right to data portability, whereas the PIPL simply states that such requests must meet the conditions set by State cyberspace administrations. However, these conditions are currently still unclear.
In addition, the PIPL only requires that individual requests are responded to in a timely manner, unlike the GDPR that specifies that responses must occur within 30 days. Both laws do allow individuals to bring a private right of action if their requests to exercise their individual rights are rejected, though.
Similar to the GDPR, the PIPL places restrictions on cross-border data transfers. While the methods for transferring personal information across borders under the PIPL require further guidance from the Cyberspace Administration of China (CAC), it is expected that most businesses will need to rely on contractual means, similar to the use of standard contractual clauses under the GDPR. This option will not be available to critical information infrastructure (CII) operators or entities that process large volumes of personal information.
Both the GDPR and PIPL carry significant penalties for violations of the law dependent on a company's annual revenue. The PIPL's fines are slightly more severe than the GDPR, coming in at 5% of the company's annual revenue in the prior year compared to the GDPR's 2-4% of annual global turnover. However, the PIPL does not specify whether annual revenue refers to revenue generated in only China or worldwide.
In addition, unlike the GDPR, the PIPL provides for the personal liability of "responsible personnel," which fines individuals within a company for both less serious violations and grave violations. These individuals would also be prohibited from holding leadership positions in the company or personal information protection positions in another company for a set period of time.
| Topic | China PIPL | EU GDPR |
| --- | --- | --- |
| Scope | Applies to the processing of personal information of individuals within China. | Applies to the processing of EU citizens' and residents' data both inside and outside the EU. |
| Who is protected? | Individuals | Data subjects |
| Personal information | Personal Information: all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons. | Personal Data: any information relating to an identified or identifiable data subject. |
| Sensitive personal information | Personal information that may lead to harm to the dignity of natural persons or serious harm to the safety of persons or property if disclosed or unlawfully used. Includes data such as race, ethnicity, religious beliefs, biometric information, medical health, financial accounts, and individual location tracking. | Data consisting of genetic, biometric, and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions, or trade union membership. |
| Privacy rights | Right to information; right to access; right to rectification; right to deletion; right to object; right to data portability (must satisfy conditions set by the CAC); right to withdraw consent; right to not be subjected to automated decision-making; right to request that processors explain their handling rules. | Right to be informed; right to access; right to rectification; right to erasure; right to object; right to data portability; right to withdraw consent; right to not be subjected to automated decision-making. |
| Private right of action | Yes | Yes |
| Records of processing activities | No | Yes |
| Cross-border data transfers | To transfer personal information outside of China, informed consent of the individual must be obtained, a personal information protection impact assessment must be conducted, and one of four special conditions must be met. | Cross-border transfers of personal data to a third country must be based on an adequacy decision or another valid data transfer mechanism (e.g., Binding Corporate Rules, Standard Contractual Clauses, and the Recommendations). |
| Breach notification | Immediate notification (but a specific time limit for notifying the authority or affected individuals is not provided). | Requires a regulatory authority to be notified of a breach within 72 hours. |
| Enforcement authority | No current data protection authority, but departments like the CAC and the Ministry of Public Security (MPS) have certain enforcement powers. | The Information Commissioner's Office (ICO) |
| Penalties | 5% of annual revenue from the previous year; or CNY 50 million ($7,800,000) | 2-4% of annual global turnover; or 20,000,000 euros ($25,000,000), whichever is greater |
Although the PIPL closely resembles the GDPR, its requirements are more stringent, and the law is potentially more far-reaching than the GDPR given China's population of 1.4 billion. While complying with the PIPL will require time, effort, and additional costs, organizations currently in compliance with the GDPR will have a more straightforward path to meeting the requirements of the PIPL. And, with the law already in effect and many of the PIPL's regulations still requiring further guidance, getting started today will help you avoid potential fines and the loss of business operations in China in the future.