GDPR VS PIPL | Key Similarities and Differencesrussonxiao
China’s Personal Information Protection Law (PIPL), effected on November 1, 2021, is a significant step for the country and is expected to have a profound impact on both local and foreign-invested companies doing business in and with China. Foreign companies in particular must be aware of the differences between the respective regulations to ensure cyber data compliance. We compare the PIPL vs GDPR and discuss the steps that companies should take to be compliant.
The drafting of the PIPL was heavily influenced by the EU General Data Protection Regulation (GDPR) and closely follows the GDPR in many areas, but the two do not perfectly overlap. Similar to the provisions of the GDPR, the PIPL has extraterritorial jurisdiction. Meaning that companies outside of the territorial jurisdiction area (that is, outside the EU and China, respectively) still need to obey the PI laws if they provide services or products to consumers or monitor people within the territorial jurisdiction of the laws. Simply put, the PIPL is the first comprehensive data protection law regulating the processing activities of personal information. It will significantly expand the legal basis for the processing of personal information. Essentially, the PIPL requires companies to obtain consent from users before collecting personal data. As a result, the PIPL addresses issues related to personal data breaches. It has unique characteristics, and scope that global companies need to understand.
Beyond that, there are many similarities/differences between the PIPL and the GDPR.
- Definition of Personal Information (PI)
- Both the GDPR and the PIPL have a similar definition for general PI, either direct or indirect.
- Both the GDPR and the PIPL subject some categories of PI to more stringent protection requirements – “special category” data in the GDPR and “sensitive” PI in the PIPL.
- Both the GDPR and the PIPL define similar rights for individuals.
- The PIPL excludes anonymous information from the definition of PI.
- The PIPL has a much wider scope of what is considered “sensitive” PI than GDPR’s “special category” data.
Both the GDPR and the PIPL have a similar definition of PI, but the PIPL explicitly excludes “anonymized” PI from the definition. Anonymous information is not considered personal information under PIPL. “Anonymization” is a process in which personal information cannot be used to identify a specific natural person and cannot be recovered after processing.
An important difference between the GDPR and the PIPL is the scope of “sensitive” PI (defined in the PIPL) and “special category data” (defined in the GDPR). The scope of sensitive PI under the PIPL is much broader than the special category data under the GDPR. Art. 28 of the PIPL specifies that sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.
The GDPR treats the PI of minors under the age of 16 as special category data (though specific EU member countries have different rules on age limits, with some lowering it to 13) while the PIPL specifies the age of 14, which means high-school students’ personal info will not be treated as sensitive PI by default. Easy to see that the PIPL’s definition is more descriptive.
- Applicable Scope
Both the GDPR and the PIPL are extraterritorial in the application.
- The GDPR focuses more on where the business is established.
- The PIPL focuses more on where the personal information processing activity happens.
The GDPR focuses more on the “establishment” of the company which conducts business that involves the processing of personal information (PI), and most of the time, this “establishment” usually means where the company is set up. If the company is set up in the EU, all PI processing activity carried out by the company – regardless of whether it is within the EU or outside the EU – will be regulated by the GDPR.
In contrast, the PIPL focuses more on where the PI processing activity takes place. If the PI processing activity occurs within the territory of China, either by a company in China or a foreign company without an office in China, the PIPL is applicable. That means if a company established in China processes the PI of people in other countries, such as in an ASEAN country, the PIPL does not apply to the company’s processing activity, as it does not take place in China and it is not processing the PI of the people in China. Considering how stringent the PIPL is, this offers a certain amount of leeway for companies that rely on the large-scale processing of PI to operate in other countries, especially if the local PI protection laws are looser than the PIPL.
- Legal Basis for Processing PI
Both the GDPR and the PIPL define obtaining consent, performing contracts, legal obligations, vital interests, and public interest as the legal bases for processing PI.
- The PIPL requires “separate consent” in specific situations, such as processing sensitive PI or cross-border data transfer (CBDT) activities.
- The PIPL doesn’t define the “legitimate interest perused by data controller” as a legal basis for processing PI.
- The PIPL explicitly allows the processing of PI for news reporting.
Both the GDPR and the PIPL set common basic principles for PI processing, however, there are still few differences between the legal bases upon which companies are permitted to process PI in the GDPR and the PIPL.
Consent from individuals or data subjects is one common legal basis for processing PI under both the GDPR and the PIPL. However, the PIPL stipulates more requirements for consent based on the sensitivity of the PI and the scenario in which the processing is conducted. For example, the PIPL requires the PI handler to obtain separate consent from individuals when processing sensitive PI, or in scenarios such as sharing the PI with another party or transferring it outside of China. This means the company needs one general consent form plus several special consent forms for these scenarios.
- Data Protection Impact Assessment
Both the GDPR and the PIPL require companies to assess the potential risks to individual or data subjects before they can process their PI in certain circumstances.
- The PIPL calls it a Personal Information Protection Impact Assessment (PIPIA), while the GDPR calls it Data Protection Impact Assessment (DPIA).
- The GDPR defines scenarios in which a DPIA must be conducted rather ambiguously, requiring it when processing PI with new technology, creating a high risk for the data subject.
- The PIPL defines the scenarios in which a PIPIA must be conducted more specifically.
- Cross-Border Data Transfer
Both the GDPR and the PIPL request the recipient party to provide adequate protection for the PI they receive and that the level of protection should be equivalent to the requirements of the GDPR or the PIPL.
- The GDPR defines a few channels for cross-border data transfer (CBDT), which include “adequacy decision” (for destination country), SCC, and BCR (for MNCs).
- The GDPR allows CBDT when obtaining explicit consent from the data subject, for the public interest, or for purposes of performing a contract.
- The PIPL’s CBDT rules are binding with other laws, such as the CSL and the DSL.
- The PIPL requests the CBDT on the basis of “security assessment”, “certification”, or “standard contract with the recipient”.
The maximum fine for violating the PIPL is 5% of the total annual turnover, which is very similar to the maximum 4% of GDPR.
However, significantly different from the GDPR, violations of the PIPL can also affect a company’s credit rating in social credit scoring systems (Art.67), which may affect a company’s ability to access business-related resources.
If you are confused about one question: Are we compliant with the PIPL if we are already compliant with the GDPR? We believe that through the explanations above, you can have a blue picture. Companies that are already compliant with the GDPR will be at an advantage as similar concepts are applied in both the GDPR and the PIPL. Similar processes and procedures can also be taken to be compliant with both sets of regulations. However, by analyzing the difference between the GDPR and the PIPL, we can see that companies still need to put in a considerable amount of effort to comply with the PIPL as well as other related compliance requirements, even if they are GDPR-compliant already.
Here we list a few key points for companies to consider when following compliance processes in China.
- Understanding the complexity of regulatory frameworks
- Resources required for compliance
- Planning and implementing an action plan
Certainly, there remains some other similarities and differences between the two, more or less. Some of the provisions may also require further guidance and detailed judicial interpretation to clarify.
Our sharing will continue. If you have any further question, please contact us.
- Personal Information Protection Law of the People’s Republic of China