On August 20, 2021, the Standing Committee of the 13th National People’s Congress of China passed the Personal Information Protection Law of the People’s Republic of China. China’s long-awaited Personal Information Protection Law (PIPL) came into effect on November 1, 2021, strengthening the legal framework for data protection and cybersecurity in China, a framework that, until the enactment of PIPL, rested on the Guarding State Secrets Law (2010), the Cybersecurity Law (2017), the Encryption Law (2020), and the Data Security Law (2021).
It is China’s first dedicated law on personal information protection, and it will have a significant impact on the activities of organisations and individuals dealing with personal information. It focuses on “personal information processing activities”: it clarifies the scope of application, the definitions of personal information and sensitive personal information, and the legal bases for processing personal information. It also clarifies the basic requirements of notice and consent, the obligations of the personal information processor, and the requirements for the handling of personal information by state agencies.
The law codifies the data processing and utilization practices of organizations, coupled with protection of the rights and interests of individuals, dealing with personal information of Chinese data subjects both inside and outside China. Mirroring key provisions of the EU’s GDPR, and going beyond it on select issues, China’s PIPL forms one of the world’s strictest data privacy laws.
The authority in charge of China’s PIPL is the Cyberspace Administration of China (CAC), the country’s internet regulator.
This article examines the key areas where China’s PIPL mirrors the GDPR, and where the two diverge from each other.
1. Scope of Application
The scope of application of PIPL is as follows:
- Processing activities concerning the personal information of Chinese citizens carried out within the territory of China.
- Certain processing activities conducted outside China involving the personal information of natural persons located in China.
2. Processing Regimes
PIPL’s approach toward processing personal data differs sharply from the GDPR’s. Under Article 9, the GDPR forbids all processing of sensitive data unless it is performed under strictly limited conditions. In contrast, PIPL allows the processing of sensitive information provided that consent for the processing is obtained from the individuals whose sensitive personal data is being processed.
Both the PIPL and the GDPR have broadly similar consent requirements:
- It must be informed;
- Freely given;
- Demonstrated by a clear action of the individual;
- May later be withdrawn (Articles 14, 15).
PIPL, in addition to the above-mentioned requirements, also requires separate consent for processing activities if the processing entity:
- Shares personal information with other processing entities;
- Publicly discloses personal information;
- Transfers personal information overseas (Articles 23, 25, 29, 39).
In addition, PIPL and China’s Cybersecurity Law define information that falls into the following categories:
- Personally Identifiable Information
- Sensitive Personal Information
- Critical Information Infrastructure
The PIPL recognizes and adheres to a number of basic principles of processing personal information that are highly consistent with existing international laws and best practices. PIPL follows principles of personal information protection that include lawfulness and fairness, transparency, purpose limitation, accuracy and integrity, minimum necessary data collection, security and accountability. These are explicitly set out in Articles 5, 6, 7, 8 and 9.
As per Article 13, an individual’s personal information may only be processed on one of the listed legal bases: contractual obligation, public health, statutory requirement, public interest, lawful disclosure, or other circumstances provided by applicable laws and administrative regulations.
However, it is to be noted that PIPL does not recognize the handling of personal information for the “legitimate interest” of the Personal Information Processor, which is a basis commonly used by companies to process data under the EU GDPR in a number of scenarios such as corporate transactions involving e-commerce, IT/ITES, BPO etc.
3. Territorial scope
PIPL, in addition to applying to all personal information processing carried out in China, extends its extraterritorial scope to the overseas processing of personal information, provided that the processing serves one of the following purposes:
- Provides products or services to data subjects in China;
- “Analyzes” or “assesses” the behavior of individuals in China;
- Other purposes to be specified by laws and regulations (Article 3).
Similar to the GDPR’s requirement for the appointment of an “EU representative” for offshore processors, PIPL requires offshore “personal information processing entities,” affected by the extraterritorial application of PIPL, to establish a “dedicated office” or appoint a “designated representative” in China to handle the matters related to the protection of personal information (Article 53).
4. Personal data rights
Personal data rights under PIPL remain almost the same as under the GDPR; the main difference is that the PIPL captures these rights less precisely, with ambiguities in the wording, including on where certain restrictions or exemptions may apply. The table below shows the key personal information rights under the GDPR and the PIPL.

| Right | GDPR | PIPL |
|---|---|---|
| Right to information | Yes | Yes |
| Right to access/copy | Yes | Yes |
| Right to correction/rectification | Yes | Yes |
| Right to erasure | Yes | Yes |
| Right to object | Yes | Yes |
| Right to data portability | Yes | Yes, conditions apply** |
| Right not to be subject to automated decision | Yes | Yes |
| Right to withdraw consent | Yes | Yes |
| Right to lodge a complaint with the regulator | Yes | Yes |

** The processing entity needs to first satisfy conditions stipulated by the Cyberspace Administration of China.
Whereas the GDPR specifies a clear timeline for a processing entity to respond to requests made by data subjects, the PIPL only requires processing entities to respond “timely” rather than defining a specific timeline for responding. Under the PIPL, individuals are given the right to bring lawsuits against processing entities that reject the individuals’ requests to exercise their rights (Article 50).
The GDPR covers only living people. In comparison, under the PIPL, the close relatives of a deceased person can exercise the rights that person held while alive, e.g. the right to access or the right to be forgotten.
5. Cross-border transfer of personal information
The PIPL and the GDPR share similar requirements regarding the cross-border transfer of personal information. However, the PIPL stipulates additional provisions that an exporter may have to satisfy in order to carry out a cross-border transfer of personal information, in particular where the exporter is an operator of critical information infrastructure or the amount of data it transfers abroad reaches a threshold defined by the Cyberspace Administration of China (CAC):
- Provide individuals with certain specific information related to data transfer and obtain their separate consent (Article 39);
- Ensure safety maintenance of the personal information by the overseas recipients as required under the PIPL (Article 38);
- Conduct a personal information protection impact assessment (Article 55);
- CII (critical information infrastructure) operators, or entities processing large amounts of personal information in general, need to store personal information locally and shall pass a security assessment administered by the CAC (Article 40) for transferring personal information overseas.
6. Personal information impact assessment
The GDPR requires data processors to carry out an impact assessment, known as a Data Protection Impact Assessment (DPIA), under Article 35 of the EU GDPR where the processing may create a high risk to the data subjects, including where large-scale processing of sensitive data, automated decision making, or systematic monitoring takes place. Most of the impact assessment provisions under PIPL are inspired by the GDPR. The PIPL requires data processors to conduct a privacy impact assessment (Article 55), and to retain the processing records for three years, for processing sensitive personal information, making automated decisions involving an individual’s personal data, sharing PII with third parties, and transferring PII abroad.
7. Handling data breaches
The GDPR lays out a more detailed framework for handling a data breach than China’s PIPL. Unlike the GDPR, which directs data controllers to report a breach as soon as possible, within 72 hours of the breach, the PIPL mandates data controllers or processors to notify the relevant authorities of a breach without specifying a timescale. Even if the data controllers deem the breach not risky enough to cause potential harm to the affected individuals, authorities may ask data controllers to inform the affected individuals anyway.
8. Penalties for breaching
GDPR penalties are split into two tiers. Less severe violations may result in fines of up to 10 million euros or 2% of a company’s entire global turnover of the preceding fiscal year, whichever is higher. For more severe violations, the fine can be up to 20 million euros or 4% of the company’s global turnover of the preceding fiscal year, whichever is higher.
In contrast, a breach of PIPL carries a maximum penalty of 50 million Chinese yuan (approx. USD 7.9 million) or 5% of turnover from the previous financial year.
China’s PIPL provides for stringent penalties in the event of violations, including confiscation of any unlawful income and suspension of any personal information processing services. The persons directly responsible for processing the personal information can be subjected to fines of between 10,000 yuan and 100,000 yuan (between 2,000 USD and 18,000 USD). Fines for persons directly responsible for serious and grave violations of China’s PIPL can range from 100,000 yuan to 1 million yuan (between 18,000 USD and 170,000 USD).
These are clearly defined in Articles 62, 63 and 65 of PIPL.
PIPL also embodies some key provisions that go beyond its EU counterpart. Let’s explore what makes China’s PIPL different from the GDPR:
● Personal Information Processor
What the GDPR specifically calls personal data, the PIPL refers to as personal information. An entity that decides how data is processed (whether or not it physically carries out the processing) is called a “data controller” under the GDPR but a “Personal Information Processor” under the PIPL. An entity that physically processes data on behalf of another party and follows its instructions is called a “data processor” under the GDPR but an “entrusted party” under the PIPL.
Often, depending on the business requirements for processing personal information, the Personal Information Processor will be involved in the following:
- Jointly Processing as per Article 21
- Entrusted Processing as per Article 22
- Third Party Processing as per Article 24
However, the most stringent condition for any personal information processor that processes personal information outside the territory of the People’s Republic of China is the requirement to establish a special agency or designate a representative within the territory of the People’s Republic of China, which will be responsible and accountable for the relevant matters related to personal information protection. This is very clearly defined in Article 52.
● Blacklist provision
The PIPL authorizes the government to prepare a blacklist of overseas data controllers and processors that it finds to be violating China’s national security or public interests. Once listed, they are barred from processing the personal data of Chinese citizens.
● National security concerns
In addition to strengthening individuals’ data privacy, China’s PIPL also accentuates the national security issue. Data localization and a security assessment with regard to national security are mandatory under the PIPL before transferring data overseas. The PIPL also provides strict administrative and criminal punishments for violators who, intentionally or unintentionally, process personal information in breach of China’s national security requirements.
● Retaliatory measures against other countries
If China finds that a country has adopted discriminatory prohibitions, limitations, or other similar measures against China in relation to personal data protection, for example where a country or region refuses to grant adequacy status to China and thereby refuses to sign a data-sharing treaty with China, it may retaliate in response.
● Unified data protection authority
Unlike the GDPR, which relies on independent DPAs, each administering proper functioning in its own area, China has centrally controlled departments such as the Cyberspace Administration of China (CAC) and the Ministry of Public Security to enforce the PIPL.
China’s Personal Information Protection Law (PIPL) differs significantly from several other comprehensive data protection laws, such as the EU General Data Protection Regulation (GDPR).
In particular, PIPL limits the legal bases for processing personal information and does not include legitimate interests as a basis for processing, and it contains stringent consent requirements for certain types of personal information handling, such as sharing personal information with other entities that handle personal information. It imposes special cross-border data transfer rules under certain circumstances, such as where the amount of personal information being processed reaches a threshold to be determined by the national cyberspace authority of the PRC.
Both laws overlap in many ways. Since PIPL came after the enactment of the GDPR, it is more refined and repurposed to suit the Chinese approach to data governance. Subject to certain conditions, compliance with one can make a data-driven company compliant with the other.
However, the Personal Information Protection Law of China gives authorities the power to impose huge fines on, and blacklist, companies (based outside the territory of the People’s Republic of China) that are found to be in violation of PIPL.
We at Data Secure (DATA SECURE – Privacy Automation Solution) can help you understand Privacy and Trust when dealing with personal data, and provide Privacy Training and Awareness sessions to increase the privacy quotient of your organisation.
We can design and implement RoPA, DPIA and PIA assessments to meet compliance requirements and mitigate risks under legal and regulatory privacy frameworks across the globe, especially those conforming to India PDPB 2019. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019, and on Secure Email transmission, kindly write to us at firstname.lastname@example.org or email@example.com.
For downloading various Global Privacy Laws, kindly visit the Resources page at DATA SECURE – Privacy Automation Solution.