What is China's Personal Information Protection Law (PIPL)? 🔐 Compared to GDPR

The Personal Information Protection Law ("PIPL"), which took effect on November 1, 2021, is China's first law specifically designed to protect personally identifiable information (PII).

Before this law, other laws already contained certain provisions on the protection of personal data (such as the Cybersecurity Law and the Data Security Law), but none of them was specifically designed to protect personal data.

The PIPL is a detailed and comprehensive law in China that complements and improves the general provisions set forth in China's Cybersecurity and Data Security Laws. It sets out detailed rules regarding data privacy and personal information protection in China, clarifying any ambiguities from the previous two laws.

In this article, we take a closer look at China's Personal Data Protection Law and clarify important issues such as penalties, rights, and scope of application.

Below, you'll learn whether this law applies to you – and how it relates to GDPR.

The PIPL scope of application

Article 3 of PIPL sets out to whom the law applies. It is worth noting first that it protects only the data of natural persons, not of legal persons.

You must comply with the China data privacy law if:

  1. Your company/organization processes personal information in China; or

  2. Your company/organization processes personal data outside China, and at least one of the following conditions applies:

  • The processing is carried out to provide products or services to individuals residing in China;

  • The processing is carried out to analyze and assess the conduct of individuals residing in China;

  • Or there are other circumstances prescribed by law.

In doing so, the company/organization must have obtained consent from the owner of the personal data for the processing of such data, and that consent must be explicit. The opt-out consent mechanism (required by the CCPA) is considered invalid consent under the PIPL. In general, data may only be collected to the extent and for the duration that it is necessary.

But there are a few exceptions when consent is not required for data processing.

Exceptions to PIPL

  • If the processing is necessary for the conclusion of contracts to which the data owner is a party;

  • Processing of personal data for the performance of legal duties or obligations;

  • If the personal data is processed to protect the life, health, and property safety of natural persons in an emergency situation;

  • Processing, to a reasonable extent, for actions in the public interest;

  • Processing, to a reasonable extent and in accordance with the PIPL, of personal information that has been made public by the data subject.

The PIPL data subject rights

PIPL grants individuals the following data subject rights, as outlined in Articles 44-49:

  • Right to receive information, right to express dissent, and right to restrict processing

  • Right of access and right to transfer data

  • Right to correction

  • Right to be forgotten (right to erasure)

  • Right to clarification on processing regulations

  • Rights of immediate family members of a deceased individual

In parallel with the rights of the subject, there are obligations for the data processor.


The data processor’s obligations according to PIPL

It is important to note first that, just as in GDPR, the PIPL distinguishes between a controller and a processor, but it uses different terms for them. What the PIPL calls the data processor corresponds to the data controller under the GDPR.

Any processor of personal data of Chinese citizens is required to comply with the Personal Information Protection Law of China. Compliance with the law imposes obligations on the processor of personal data to protect that data.

Data processor’s obligations checklist:

  1. Develop an internal arrangement system;

  2. Implement categorized management of personal information;

  3. Take appropriate technical security measures (such as encryption and de-identification);

  4. Reasonably determine operational permissions for the processing of personal information;

  5. Regularly conduct security education and training for employees;

  6. Organize, develop, and implement emergency plans for personal information security incidents; and

  7. Undertake all other measures prescribed by laws and administrative regulations.

What is sensitive information?

To better understand the law and its application, let’s take a closer look at what the legal definition of sensitive information is.

According to PIPL, sensitive information is information whose leakage or illegal use may violate the dignity of natural persons or cause damage to their person or property. This includes:

  • Biometric identifiers of the individual,

  • Religious faith,

  • Medical records and health status,

  • Financial status and location tracking,

  • Personal data of minors under the age of 14.

The definition of sensitive data under the PIPL shares several characteristics with, but is not the same as, personally identifiable information (PII) under GDPR, because PIPL goes a little further: it defines sensitive data as any information that can cause material damage to an individual if leaked or used illegally.

PIPL and GDPR

PIPL is heavily influenced by the European GDPR, so compliance with PIPL will be much easier for companies that are already GDPR-compliant. However, companies need to be aware of the differences between the two laws in order not to risk violations and penalties. Therefore, let’s take a look at the main differences between PIPL and GDPR.

PIPL vs. GDPR – the differences

  • For the purposes of personal data processing, PIPL treats minors as persons under 14 years of age, while the GDPR treats a minor as a person under the age of 16 and allows EU member states to lower this limit to as low as 13.

  • The GDPR does not automatically categorize all personal data of minors as sensitive personal information (SPI); it requires consent from a parent or guardian. PIPL categorizes such data as sensitive automatically.

  • Penalties for non-compliance and violation of PIPL may reach up to RMB 50 million, while the maximum GDPR fines for non-compliance may reach up to 20 million euros.

  • Under GDPR, the Data Protection Officer (DPO) is not responsible for the organization’s non-compliance. PIPL doesn’t say this explicitly.

  • GDPR provides a lawful basis of legitimate interests, but PIPL does not. Financial data is not sensitive under the GDPR, but it is sensitive under the PIPL.

  • The GDPR doesn’t impose strong data localization requirements; the PIPL does. The data breach notification deadline under GDPR is 72 hours, while under PIPL notification must be “immediate”, without a specified timeframe.

PIPL compliance for your company

As you learned from our article, it is very likely that your company will also have to comply with the PIPL because of its extraterritorial scope of application. It is best to seek advice on this from data protection experts. The good news is that if you already take the GDPR into account in your day-to-day business, PIPL compliance is not rocket science.
