The EU's GDPR vs China's PIPL

China's PIPL has been compared to the European Union's General Data Protection Regulation (GDPR).

This article will compare and contras PIPL's provisions and compliance requirements with those of the GDPR.

The official text of PIPL (in Chinese) can be found here.

You can find a full English translation by the DigiChina Project, based at the Stanford University Cyber Policy Center, here.

Key Definitions

Personal Data vs. Personal Information

Today, most businesses are at least passingly familiar with the GDPR's term, "personal data." Under the GDPR, the term's definition relates to an identified or identifiable natural person or data subject.

It defines a natural person as someone who is identifiable, directly or indirectly, by referencing something that can identify them, such as:

• A name
• An identification number
• Location data

• An identifier about an individual related to the following categories of information:

  • Physical
  • Physiological
  • Genetic
  • Mental
  • Economic
  • Cultural
  • Social identity

PIPL uses the term "personal information" instead of personal data.

According to PIPL, personal information is "various types of electronic or otherwise recorded information relating to an identified or identifiable natural person."

Some believe that because the definition includes the words "related to," it automatically includes information gathered on an individual indirectly.

It's also considered vague and thus could be interpreted by the courts in a loose, expansive manner. It will be fascinating how it all turns out because companies will need to gain explicit consent for the personal information they collect and process.

When addressing this topic in a Privacy Policy to comply with either PIPL or the GDPR, you'll need to disclose the types of personal information or personal data you collect and/or process. Regardless of the specific types of information or data you collect or use, your clause should look something like the following:

Personal Sensitive Information vs. Special Category Data

PIPL includes a category of personal information called "personal sensitive information." It's a class of data that could be used to discriminate against an individual or cause them harm if leaked or used in an illegal manner.

Some of the types of information on this list include:

• Nationality
• Personal biological features
• Race
• Personal location
• Financial accounts
• Medical history

Be aware that your business will face tighter restrictions and must follow stricter regulations when it comes to collecting and processing these kinds of personal information.

With that said, some see a fight in the courts over the stringency outlined in PIPL for sensitive personal information. Many types of financial account information are already regularly processed for tax and payroll purposes or fraud prevention. Peoples' locations are regularly processed for location-based services such as taxis and rideshares, map applications, and GPS.

However, the new rules under PIPL make it much harder to collect and process that information. In turn, this may make the entire process overly burdensome for both individuals and organizations.

The GDPR tightens restrictions for data that fall within this category in a similar manner to how PIPL handles "personal sensitive information."

The difference is that instead of the types of data included by PIPL, the GDPR puts tighter restrictions on the collection of information concerning sensitive content such as the following:

• Trade-union status
• Political opinions
• Genetic and biometric data
• Sex life or sexual orientation

Here's how you can address the topic of sensitive information in a Privacy Policy clause:

Personal Information Processor vs. Data Controller

According to PIPL, "personal information processors" are "organizations or individuals that independently determine the purposes, means, or any other matter relating to the processing of any personal information."

The GDPR, meanwhile, incorporates "data controllers" and "data processors."

A data controller under the GDPR is a "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law."

A data processor is an organization or person that processes data on behalf of the controller.

PIPL's personal information processor can be compared to the GDPR's data controller, while third parties, which the personal information processor entrusts with processing the data under PIPL, can be compared to the GDPR's data processor.

Scope of Jurisdiction

PIPL applies to any company doing business in China regardless of physical location, which collects and processes the personal information of Chinese residents. It also applies to cross-border transfers of personal information when the purpose of such transfers is to:

• Provide services or products to residents of China
• Analyze and evaluate an individual's activities, or
• Any other applicable reason allowed by Chinese laws or regulations

Additionally, before your company transfers data obtained in China outside the country's borders, it must sign the government's "standard contract," published by the Cyberspace Administration of China (CAC). *Note that the CAC website may not be accessible from all locations.*

Moreover, you'll need to establish either a representative or a special entity within China to handle all issues related to the security of the personal information you collect. You must also provide the name and contact information of that representative or special entity to the relevant Chinese authorities.

Additional requirements include:

• The need to acquire separate consent from individuals for any cross-border transfer of information
• An internal risk assessment before any cross-border transfer of information
• Keeping records of all cross-border data transfers, and
• The need to undergo a CAC security assessment or obtain a certification from a CAC approved "professional institution"

The GDPR applies to businesses that either operate from within the EU, or collect or process personal information about individuals located in the EU. These are relatively similar, although China has more complex and strict requirements surrounding its requirements.

Legal Grounds for Processing Personal Information

Data processors under PIPL can collect and process personal information only based upon:

• Gaining informed and voluntary consent of the individual
• A need to execute or perform a contract
• A need to fulfill a legal obligation or duty
• A need to protect public health or the safety of an individual's life or property
• The publication of news and supervision by public opinion for public interests, or
• Any other situations allowed by Chinese law and administrative regulations

For comparison, companies can only collect and process data under the GDPR when based upon:

• Consent given by the individual ("data subject" in the GDPR) for data processing for one or more specific purposes
• Necessary to execute a contract where the individual is a party
• Necessary to comply with a legal obligation or duty to which the data controller is subject
• Necessary to protect the primary interests of the individual or another natural person
• Necessary to perform a task carried out in the public interest or to exercise official authority, and
• Necessary to fulfill the purposes of a legitimate interest pursued by the data controller or by a third party, except in cases where those interested are overridden by the fundamental rights and freedoms of the data subject

Here's an example of what GDPR-compliant consent can look like, with granulated options and checkboxes users must actively check to consent:

The more clear and specific the consent is that you request and hopefully obtain, the fewer issues you're likely to run into when it comes to compliantly processing data under that consent.

Principles of Data Protection

PIPL's draft lays out seven principles for the processing of personal information. These include:

• Legality
• Explicit purpose
• Minimum necessity
• Transparency
• Accuracy
• Accountability and data security, and
• Storage limitation

In comparison, the GDPR's principles for data processing are:

• Lawfulness
• Transparency and fairness
• Further processing and purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality, and
• Accountability

Rights Granted to Individuals

PIPL gives Chinese residents extensive rights when it comes to their personal information.

For example, people have the right to know, decide upon, object to, or limit their information processing. They also have the right to access their information and to copy it from personal information processors. They can also ask to have their information corrected if there are errors or to complete it if it is incomplete.

PIPL also provides for the right of individuals to have their information completely deleted under certain circumstances. Finally, people can withdraw any consent they may have previously given.

The GDPR provides for everything PIPL grants, but the GDPR goes a step further by giving data subjects (individuals who gave you the right to collect their personal information) the right of data portability. This means that individuals in the EU can request to receive data and then have it transmitted to another data controller.

When drafting your Privacy Policy for compliance with either law, make sure to include a list of user rights that are legally available, as seen here:

The GDPR protects the autonomy of the data subject, whereas PIPL keeps ultimate control in the hands of the Chinese government.

The Obligations of Personal Information Processors

Personal information processors have several obligations under PIPL. These include ensuring the security and safety of all personal information that you collect.

Security measures must be both technical and organizational in nature and must consist of such things as:

• Implementing encryption measures
• Establishing an internal data management system, and
• Establishing a special entity in China or appointing a designated representative to take charge of all issues related to the security of personal information

Use your Privacy Policy to disclose to authorities and the public that you have security measures in place. You don't have to detail every specific, but you should make mention that you do take privacy seriously.

Here's an example of a simple yet sufficient security clause in a Privacy Policy:

It's possible that if your company entrusts a third party with data processing, then that organization must have an entity or representative in China to comply with the obligations outlined above.

Further, your company must implement policies that provide regular education and training, establish contingency plans, establish measures to ensure anonymization of data, and conduct regular security and processing audits.

You should be aware that these facts could impact your company in various ways, some of which may not be clear until the PIPL draft becomes law and goes into effect.

The main difference between PIPL and the GDPR regarding the obligations of personal information processors or data controllers has to do with time limits. Under the GDPR, data processors are required to notify data subjects and relevant regulators in the event of a data breach.

For instance, the GDPR requires that data controllers notify data subjects of a data breach within 72 hours after the event occurs.

PIPL, on the other hand, demands that personal information processors provide notification "immediately," although the draft law doesn't provide an exact definition of that term.

Transferring Personal Data Across Borders

One of the interesting things PIPL demands is that businesses submit to a mandatory security assessment before they transfer data across the Chinese border.

Alternatively, if the information being transferred isn't deemed quite as critical, a company can work to obtain a personal information protection certificate through a Chinese government-approved "professional institution." The regulating body that a company would have to go through is the Cyberspace Administration of China (CAC).

A final alternative is for businesses to sign a cross-border transfer agreement with a third party located outside of China and then ensure that the data processing meets PIPL standards.

Additionally, the personal information processor must ensure that individuals from whom they collect data are made aware of the name and contact information of the data processor outside of China.

Here there is a significant divergence between PIPL and the GDPR. In the EU, data transfers may be made across the border without acquiring consent from the data subject as long as the data processor ensures adequate security measures are in place.

These include:

• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)
• Codes of Conduct, or
• Certification Schemes
• Frameworks such as the EU-U.S. Data Privacy Framework

If none of the above are in place, then the data processor must obtain explicit consent from the data subject to transfer data across EU borders.

Legal Liabilities

Under PIPL, companies that do not comply may face a maximum penalty of RMB 1 Million (approx. $152,000 in USD) if you fail or refuse to fix the problem after being warned by the relevant Chinese regulatory body.

If the Chinese regulatory body deems your breach to be "serious" in nature, then you could face sanctions, which could include the following:

• Closure of your business in China without warning
• You could also potentially be subject to a fine of up to 5% of your total revenue from the preceding financial year or up to RMB 50 Million (approx. $7.6 Million)

In contrast, the GDPR allows for administrative fines up to €20 million or 4% of your total revenue from the preceding financial year if you fail to comply. In addition, each member state of the EU has the right to subject your company to their own penalties in addition to those of the GDPR.

Conclusion

China is going through a developmental period when it comes to data protection and privacy laws. There are three main laws, which China intends to form the core foundation of their data security and privacy efforts.

The Chinese legislature passed the second draft of their law on personal information protection on April 29, 2021.

It is quite possible that PIPL will undergo further revisions. How the law will be interpreted and enforced by Chinese courts is up in the air. GDPR compliant companies should not allow that fact to lull them into complacency. Although you may also be compliant in many areas of PIPL, there is no guarantee that GDPR compliance extends to all areas of the Chinese law.

Since PIPL has not become Chinese law yet, it is in your interest to begin reviewing your personal information collection and processing policies now in preparation for PIPL compliance.