China's PIPL vs. Europe's GDPR: A comparison
China’s PIPL vs. Europe’s GDPR. The latest data protection regulation (and one with potentially the greatest reach) is China’s Personal Information Protection Law.
It deserves your attention if you conduct business in China. The consequences for failing to comply could include high penalties and even government blacklisting and restriction of activities.
Let’s compare PIPL vs. GDPR. We will look for key points to keep in mind to comply with both.
PIPL: November 1, 2021
GDPR: May 25, 2018
Scope and extraterritorial effect
PIPL: Besides regulating organizations’ and individuals’ handling of personal data belonging to natural persons within the jurisdiction of China, PIPL’s Article 3 extends the territorial scope beyond the borders of China.
Data processing activities established outside of China are also covered if one of the following circumstances is present:
The purpose is to provide products or services to natural persons inside China’s border
Other circumstances provided in laws or administrative regulations.
Conducting analysis or assessment of activities of natural persons inside the borders
So, all websites, companies and organizations in the world should comply with the PIPL if they offer goods or services to Chinese citizens.
GDPR: Protects persons in the EU (regardless of nationality) and regulates organizations established in the EU, as well as organizations located outside the EU if the organization:
Offers goods or services to, or monitors the behavior of data subjects located in the EU.
Has a website that is accessible to anyone living in or visiting the EU.
So, all websites, companies and organizations (data controllers) in the world should comply with the GDPR if they offer goods or services to individuals within the EU.
PIPL vs. GDPR key takeaway: If you offer your services to, or your website is accessible to Chinese citizens/anyone living in or visiting the EU, you should be prepared to comply with their respective regulations.
PIPL: Up to 5% of a company’s annual revenue of the previous year or CNY 50 million(about €6.7 million).
GDPR: Up to €20 million or 4 percent of worldwide turnover for the preceding financial year, whichever is higher.
PIPL vs. GDPR key takeaway: PIPL’s upper limit for fines is for “grave” violations (an undefined term). Although it is not as high as the EU max, Chinese authorities may also: suspend offending business activities, stop business activities entirely, cancel administrative and business licenses, or place offending organizations on a blacklist and restrict or prohibit them from collecting personal data.
PIPL: The Cyberspace Administration of China is the primary body responsible for data protection enforcement under the PIPL, however, there are several other state council departments that may also regulate the PIPL and issue implementing regulations.
GDPR: The relevant supervisory authority is the enforcement body having a variety of administrative and investigative powers. Data subjects have a right to an administrative remedy including the right to lodge a complaint with the relevant supervisory authority as well as the right to an effective judicial remedy against a controller or processor.
Types of data protected
PIPL: All kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons.
GDPR: Any information related to an identified or identifiable natural person.
PIPL vs. GDPR common ground: The language used allows Chinese and European authorities to take a broad approach when interpreting what constitutes personal information in practice. Both regulations exclude anonymized data.
Sensitive data defined
PIPL: Personal information that, once disclosed or illegally used, may easily cause grave harm to the dignity, personal, or property security of natural persons, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14. Article 29 states that to process sensitive personal information, an individual’s separate consent must be obtained. It is unclear whether the separate consent in this provision is the only prerequisite for processing sensitive personal information, or whether the other legal basis in Article 13 can also be applied. Certain categories of sensitive personal information, such as medical health data, financial accounts, are specifically regulated in other laws and regulations, companies should classify different types of personal information accordingly.
GDPR: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
PIPL vs. GDPR key takeaway: PIPL has an open list that describes sensitive data that “may easily cause grave harm”, while the GDPR has a closed list that focuses on specific categories, allowing the PIPL to consider some data as sensitive that the GDPR may not.
Consent and lawful basis of processing
PIPL: The most common legal basis is consent, which must be informed, voluntary and explicit. (Art. 13 lists other legal bases). If the processing purpose, processing method, and type of personal information processed are changed, the individual’s consent shall be re-obtained.
GDPR: Consent must be freely given, specific, informed, an unambiguous indication of the data subject’s wishes. (Art. 6 lists other legal bases).
PIPL vs. GDPR point of difference: The PIPL does not recognize “legitimate interests pursued by the controller” as a legal basis for personal information processing. This and other aspects of the PIPL put extra emphasis on always obtaining consent.
PIPL: Businesses must provide consumers with a comprehensive description of their online and offline practices regarding collection, use, disclosure, and sale of personal information and data rights in clear and easy-to-understand language.
GDPR: Organizations are required to provide a variety of information to data subjects prior to the processing of their personal data, whether or not personal data is collected directly from data subjects. All privacy notices must be:
In clear and plain language
PIPL: Legality, Appropriateness, Necessity and Good Faith, Clear and Reasonable Purpose (includes data minimization), Openness and Transparency, Quality Assurance and Accountability (includes accuracy and security).
GDPR: Lawfulness and Necessity, Purpose Limitation, Collection Limitation, Openness and Transparency, Accuracy, Accountability and Security
PIPL vs. GDPR key takeaway: PIPL requires a “clear and reasonable purpose” for processing data, and that the collection of personal information be minimized and not excessive, along with the security of personal information. The PIPL requires PIPEs to establish policies and procedures on personal information protection, implement technological solutions to ensure data security, and carry out risk assessments prior to engaging in certain processing activities.
PIPL: Offshore organizations that process data belonging to Chinese citizens must establish a dedicated office or appoint a representative inChina to be responsible for personal information protection in China.
GDPR: A EU representative is also required for offshore organizations.
Sensitive personal information processing requirements
PIPL: Only collect information necessary to achieve the specified purpose, adopt strict protective measures, and obtain separate, specific consent when processing sensitive information. You must also inform individuals of the necessity and impact on individuals’ rights and interests of processing of their sensitive personal information.
GDPR: Only process sensitive personal data with the data subject’s explicit consent (some exceptions).
PIPL vs. GDPR key takeaway: The PIPL takes a risk-based approach, imposing heightened compliance obligations in specified high-risk scenarios, for example, internet platforms with large numbers of users, large volumes of data, and sensitive data.
Data subject rights fulfillment
PIPL: Specifically provides that organizations shall establish a mechanism for receiving and processing individuals’ rights requests. No specific timeline or extension period requirements. If an individual’s request for the exercise of their rights is rejected, the reasons shall also be explained. Individuals may in turn file a lawsuit with a People’s Court according to the law to challenge the rejection of their DSR requests.
GDPR: Data controllers to respond to data subjects’ rights requests ‘without undue delay’ and usually within one month of the receipt of the request. The response time may be extended to two further months in case of complex requests.
PIPL vs. GDPR point of difference: PIPL has not set a timeline for request response, while there is a 30-day deadline for GDPR requests.
Right to know and decide/be informed
PIPL: Individuals have ‘the right to know and the right to decide’ when it comes to their personal information; and request handlers explain their handling rules.
GDPR: The right to be informed requires the controllers to provide certain information to the data subject when personal data is collected. Any relevant information in connection to the data processing must be given in a concise, transparent, intelligible, and easily accessible form, using clear and plain language to the data subject.
PIPL vs. GDPR key point of difference: The PIPL includes an additional requirement for personal information handlers to notify individuals of the name/personal name and contact method of the receiving party when sharing their data with third-parties. The GDPR only requires the data controller to notify data subjects of the type of third-party recipient.
Right to access
PIPL: Individuals have the right to access and copy their personal information from the data controllers. Following are few exceptions to this right:
Where state organs process personal information for the purpose of fulfilling statutory duties and responsibilities.
Where laws or administrative regulations provide that confidentiality of personal information shall be preserved.
GDPR: Under the GDPR, the right of access includes the right to obtain confirmation from the controller as to whether or not personal data is being processed, access to the personal data and more.
Did you know? A unique characteristic of the PIPL is that all data rights extend beyond an individual’s death and can be exercised by close relatives of the deceased unless otherwise arranged by the decedent during their lifetime.
Right to deletion/blocking/restriction
PIPL: Individuals have the right to deletion and requires a data controller to proactively delete personal information where one of the following circumstances occurs; if the personal information handler has not deleted their data in these circumstances, individuals have the right to request deletion when:
The processing purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the processing purpose.
Data controllers cease the provision of products or services, or the retention period has expired.
The individual rescinds consent.
The data controller processed the personal information in violation of laws, administrative regulations, or agreements.
Other circumstances provided by laws or administrative regulations.
Where the retention period provided by laws or administrative regulations has not expired, or personal information deletion is technically hard to realize, data controllers shall cease personal information processing except for storage and taking necessary security protective measures. The PIPL also provides individuals the right to limit, or refuse the processing of their personal information by others, unless laws or administrative regulations stipulate otherwise.
GDPR: The right to deletion of personal data applies in the following instances:
When the personal data is no longer necessary for the purposes it was collected.
When consent is withdrawn by the data subject.
When the data subject objects to data processing based on legitimate interest.
When the data subject objects to data being processed for direct marketing purpose.
When the personal data is unlawfully processed.
When personal data has to be erased for compliance with a legal obligation.
When a child wants to erase data in case of the provision of information society services to a child.
The right to restrict processing applies when the data subject contests data accuracy, the processing is unlawful, and the data subject opposes erasure and requests restriction. The controller must inform data subjects before any such restriction is lifted.
Right to correct and amend
PIPL: Individuals have the right to request personal information handlers correct or complete their personal information. Where individuals request to correct or complete their personal information, data controllers are required to verify the personal information and correct or complete it in a timely manner.
GDPR: Data subjects have the right to obtain from the controller the rectification of inaccurate personal data and to have incomplete personal data completed. This right has close links to the accuracy principle of the GDPR (Article 5(1)(d)), which requires data controllers to keep personal data accurate.
Right to data portability
PIPL: Individuals have the right to request a data controller to transfer their personal information to another data controller. However, specific conditions for moving data will be determined by state cybersecurity and information departments.
GDPR: The right to data portability is defined as the right to receive the data in a structured, commonly used, and machine-readable format and to transmit the data to another controller without any hindrance, when it is technically feasible to do so. The GDPR limits the exercise of the right to data portability where it adversely affects the rights and freedoms of others.
Right to object
PIPL: Not explicitly addressed
GDPR: The GDPR provides data subjects with the right to object and withdraw consent to personal data processing. Data subjects have the right to object to the processing of their personal data where the processing is based on legitimate interests, public interest, or the consent of the data subject. As a consequence of a valid objection, the data controller must no longer process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing. These grounds must be sufficiently compelling to override the interests, rights, and freedoms of the data subject. Data subjects also have the right to object to their data being processed for direct marketing purposes.
Right to withdraw consent
PIPL: Individuals have the right to withdraw consent.
GDPR: None, however, the right to object could be used in this way.
Note: PIPL states that withdrawal of an individual’s consent does not affect the effectiveness of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal.
Right to object to automated decision making
PIPL: The PIPL does not provide an explicit right to object automated decision. However, it requires that if the data controller conducts information push delivery or commercial sales to individuals through automated decision-making methods, the data controller shall provide the option to not target an individual’s characteristics, or provide the individual with a convenient method to refuse to the automated decision-making processing.
GDPR: The GDPR provides data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. The prohibition against automated decision-making does not apply if the processing is authorized by law, necessary for the preparation and execution of a contract, or done with the data subject’s explicit consent. In such situations, the GDPR requires data controllers to implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Data protection impact assessment (DPIA) requirements
PIPL: Organizations should conduct risk assessments and record them before conducting “specific personal information processing activities” that have a significant impact on individuals, such as processing sensitive PI, automatic decision-making, entrusting processors, providing PI to third parties and so on.
GDPR: A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information.
Did you know? One of the most important ways to demonstrate to authorities that your organization complies with the PIPL and the GDPR is to prepare a DPIA for each of your high-risk data processing activities. Even when the high-risk standard is not met, it is still prudent to conduct a DPIA to minimize liability and ensure best practices for data security and privacy are being followed in your organization.
Cross-border data transfer requirements
PIPL: Transferring personal information outside the territory of China should meet three necessary conditions: (1) obtaining the personal information subject’s separate and informed consent; (2) conducting personal information protection impact assessment and making record; and (3) adopting one of the measures set forth in the PIPL to ensure that adequate safeguards would be provided for the transfer.
The PIPL also imposes an obligation on personal information exporters to ensure data protection standards are met after transfer. The PIPL stipulates that without the approval of the Chinese regulatory authority, personal information stored in China shall not be provided to judicial or law enforcement agencies outside China. This provision is in line with the newly enacted Data Security Law of China.
GDPR: Data controllers must inform the data subject of their intention regarding the transfer of data to a third country at the time personal data is collected from the data subject including information on the existence of an adequacy decision by the Commission, or in case of transfers based on appropriate safeguards, the means by which to obtain a copy of them.
As per the GDPR, personal data transfers to a third country or international organization may take place only where an adequate level of protection is ensured (adequacy to be determined by the EU Commission) or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU.
Suppose there is no decision on an adequate protection level. In that case, a transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights.
Appropriate safeguards include:
Binding Corporate Rules with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures)
Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission)
An approved code of conduct
An approved certification mechanism
Legally binding instruments for cross-border transfers between public authorities
PIPL: The data controller must have an internal management structure and operating rules, processing limits framework, and technical security measures such as encryption & de-identification. Data controllers should also have a mechanism for the categorized management of personal information. Data controllers should conduct audits of their processing activities and compliance with other laws; conduct security education and training of its employees; and implement additional safeguards for sensitive personal information and processing.
GDPR: Requires organizations to adopt appropriate technical and organizational measures to ensure personal information processing security. These measures may include the following:
Encryption and pseudonymization of personal data
Ensuring integrity, confidentiality, and availability of processing system
Restoring the availability and access to personal data promptly
Assessing and evaluating the effectiveness of technical and organizational measures.
In case of data breach
PIPL: You must take immediate action and notify the relevant agency and affected individuals. When the measures taken can effectively avoid damages to personal information, you do not have to notify individuals.
GDPR: You must notify supervisory authorities of any personal data breach that is likely to result in a risk to natural persons’ rights and freedoms without undue delay and not later than 72 hours after becoming aware of the breach.
Point of difference: The PIPL does not set out an exact deadline for notifying supervisory authorities of data breaches, while the GDPR allows 72 hours.
PIPL: If data controllers engage entrusted parties for the processing of personal information, they are required to conclude an agreement with the entrusted parties on the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person.
Entrusted parties are required to handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist data controllers in fulfilling the obligations provided in the PIPL.
GDPR: Data controllers are allowed to engage with only those processors that provide sufficient guarantees to implement appropriate technical and organizational measures and protect data subjects’ rights as per the requirements of the GDPR. Data processors are required to process the personal data only on documented instructions from the controllers.
Data protection officer (DPO) requirement
PIPL: Data controllers are required to appoint Personal Information Protection Officers in specific situations, depending on the volume of personal information they process. China’s state cybersecurity and informatization department will provide clarity on the volume threshold. Data controllers are also required to disclose the methods of contacting Personal Information Protection Officers and report the names of the officers and contact methods to the departments fulfilling personal information protection duties and responsibilities.
GDPR: Under the GDPR, organizations are required to appoint a data protection officer where data processing activities are carried out by a public authority (except for courts in their judicial capacity), where the core activities of the organization consist of regular and systematic monitoring on a large scale, or where the core activities of the organization consist of the sensitive personal data or personal data relating to criminal convictions and offenses. Organizations must publish the contact details of the DPO and communicate them to the supervisory authority.
PIPL vs. GDPR common ground: Both require a DPO to be appointed.
Internet platform services obligations
PIPL: Data controllers that provide internet platform services to a large (undefined) number of users and have complex business models must:
Establish and complete personal information protection compliance structures
Establish an independent body to supervise personal information handling
Follow the principles of openness, fairness, and justice
Immediately cease their service offerings when in serious violation of the law
Regularly publish reports on the social responsibility of personal information handling.
GDPR: Internet platforms are not addressed separately.
PIPL vs. GDPR key point of difference: PIPL provides additional obligations for organizations that deal with internet platform services, while the GDPR does not separately define or provide obligations for internet platform service providers.
Records and documentation
PIPL: Does not provide an explicit requirement for having a record of data processing activities. However, the PIPL imposes obligations on data controllers to regularly engage in audits of their personal information activities and compliance with laws and administrative regulations. It also requires personal information protection impact assessment reports and handling status records shall be preserved for at least three years.
GDPR: Data controllers are required to maintain a record of processing activities. This obligation does not apply to organizations with fewer than 250 persons unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offenses. For the purposes of demonstrating compliance, data controllers are also required to document personal data breaches and consent statements where data processing is based on data subjects’ consent.
PIPL vs. GDPR key point of difference: The GDPR requires specific records of data processing activities, the PIPL does not. But both hold you accountable for compliance. Documentation demonstrates compliance.