Demystifying China’s Personal Information Protection Law: PIPL vs. GDPR

Author: Andrea Tang, FIP, CIPP/E, CIPM, ISO27001LA
Date Published: 3 June 2022

On 20 August 2021, the National People’s Congress (NPC) passed the final version of the Personal Information Protection Law of the People’s Republic of China (PIPL), a comprehensive privacy law that covers multiple facets of personal information protection.

The PIPL went into effect on 1 November 2021. It is applicable not only within the territory of the People’s Republic of China but also beyond its borders. It has provisions for extraterritorial application under any of the following circumstances:

  • Providing products or services to natural persons inside China.
  • Analyzing or evaluating the behavior of natural persons within the territory of China.
  • Any other circumstance as provided by any law or administrative regulation.

Part 1: PIPL vs. GDPR

The PIPL parallels the EU General Data Protection Regulation (GDPR) in various aspects, but differences exist in the details. Below are the 15 key points of comparison of China’s PIPL relative to the EU’s GDPR.

Personal Information Processing Principles

  1. Significant differences in the legal basis for processing. Both laws require a lawful basis for processing personal information (PI). However, the PIPL adds human resources management and processing of already-disclosed PI as legal bases, and omits legitimate interest. Rather than the explicit consent the GDPR requires in certain cases, the PIPL requires individuals’ separate consent in five specific PI processing scenarios.
  2. Sets stricter rules on notifications. Internet companies are advised to notify mobile application users by means of “dual lists” (a list of the PI collected and a list of the PI shared with third parties) so that users’ right to know is fully protected.
  3. Imposes specific rules for processing sensitive PI and disclosed PI. The PIPL resembles the GDPR in its general PI processing principles, but it adds specific rules for processing sensitive PI and PI that has already been disclosed.
  4. Imposes obligations on important platform service providers. Under the PIPL, a PI processor that is deemed an important platform service provider (i.e., a gatekeeper) is subject to specific additional obligations.
  5. Highlights the prohibition on unreasonable differential treatment of individuals in trading conditions, such as trade price. Unlike the GDPR, which defines exemptions for automated decision-making, the PIPL expressly provides that PI processors may not use labels derived from individuals’ trade prices, other trade conditions and user behavior data to build an internal decision-making mechanism that results in unreasonable differential treatment of individuals in service prices or service quality.

Compliance Obligations on PI processor

  1. Extends individual rights to deceased natural persons. The PIPL expands the scope of data subjects’ rights to deceased persons by granting the close relatives of the deceased rights regarding the processing of the deceased person’s PI, e.g., to access, copy, rectify and delete it.
  2. Requires personal information protection impact assessments in broader scenarios. Two triggers of an impact assessment under the PIPL, processing sensitive PI and automated decision-making, are similar to those in the GDPR. However, the PIPL has additional triggers, e.g., cross-border transfer of PI and providing PI to third parties.
  3. Lack of practical know-how; uncertainties and ambiguities still exist. At the time of this writing, the following issues have not been clarified: the threshold for appointing a person in charge of PI protection for organizations within and outside China respectively; the requirements for that person’s qualifications, position, tasks and safeguards; and the time limit for notifying a PI incident. In addition, there are no official guidelines to solidify organizations’ understanding of cross-border data transfer, i.e., what constitutes a transfer under Chinese laws and regulations, and how to calculate the size of the datasets that will trigger a government security assessment.
  4. Lack of provisions for privacy by design. Although both laws require PI processors to adopt appropriate technical security measures, the PIPL lacks the data protection by design and by default provisions found in the GDPR. Instead, that requirement is mandated by national standards.

Cross-Border Data Transfer Requirements

  1. Significant differences in rules for critical information infrastructure operators (CIIOs) and other PI processors. The applicable rules depend on what type of organization transfers PI overseas, i.e., whether it is deemed a CIIO and whether it belongs to certain industries, as well as on the organization’s status, such as the amount of PI or sensitive PI it processes.
  2. Stricter data localization requirements. CIIOs, and PI processors whose processing volume reaches the threshold set by the national cyberspace department, must store PI collected and generated in China domestically and may transfer it abroad only after passing a security assessment organized by the national cyberspace department.
  3. Fewer transfer mechanisms provided. Both laws require a lawful transfer mechanism for cross-border transfers of PI (under the PIPL, transfers beyond the borders of the People’s Republic of China), but the PIPL provides fewer mechanisms than the GDPR.

Enforcement

  1. No independent enforcement authority. As under the GDPR, Chinese regulators hold both rulemaking and fining authority. However, unlike the EU’s independent supervisory authorities, China has no independent enforcement authority yet.
  2. Establishes criminal penalties and strengthens personal liability. For example, a violator who illegally sells or otherwise illegally provides PI to third parties may be held criminally liable. Additionally, the persons directly in charge and other directly liable persons may be fined personally.
  3. Strengthens the private right of action. The burden of proof is shifted to the PI processor, which must prove that it was not at fault. The PIPL also enables public interest litigation where a PI processor contravenes the PIPL and infringes upon the rights and interests of many individuals.

Part 2: Cross-Border Data Transfer Operational Guidelines

A PI processor outside the territory of the People’s Republic of China is advised to take the following five steps.

Step 1. Identify the types of PI processors.
Step 2. Determine whether a government assessment is required.
Step 3. Determine whether a cybersecurity review is required.
Step 4. Determine whether there is an exception.
Step 5. Choose the transfer mechanism.

Figure 1 shows the step-by-step procedures for the transfer of PI across the borders of China and Figure 2 shows the step-by-step assessment procedures required for cross-border data transfer approvals.

Figure 1: Step-by-Step Procedures for Cross-Border Transfer of Personal Information

Figure 2: Cross-Border Data Transfer Security Assessment Procedures

Editor’s note: For further insights on this topic, download ISACA®’s new publication, “Insights Into China’s Personal Information Protection Law.”