International

21-01-2022

Comparison between the EU’s GDPR and China’s PIPL in a nutshell

The highly anticipated Chinese counterpart to the EU's General Data Protection Regulation (GDPR), the Personal Information Protection Law (PIPL), came into effect on 1 November 2021. The PIPL regulates the handling of personal information (PI) within China, and also handling outside China where the purpose is to offer products or services to individuals located in China or to analyse their behaviour. Although the PIPL and the GDPR have strong similarities, there are significant differences in how PI handling activities are regulated.

In this article we set out the key differences between the GDPR and the PIPL and what they mean in practice.

Terminology
The PIPL and the GDPR use different terminology. The PIPL speaks of a "personal information handler", which corresponds to the "data controller" under the GDPR. The "entrusted party" under the PIPL is the equivalent of the GDPR "data processor". The "individuals" of the PIPL are the "data subjects" of the GDPR.

The PIPL also draws the category of sensitive PI more broadly than the GDPR draws its special categories of personal data. Under the PIPL, financial account information (e.g. bank accounts, deposits, loans and credit records) is sensitive PI, whereas under the GDPR financial data is not a special category and attracts no heightened regime of its own.

Legal grounds for processing
Both the GDPR and the PIPL require organisations to have a legal ground for each PI processing activity. However, the PIPL has no "legitimate interests" ground. Under the GDPR, legitimate interests allow a business to process personal data without consent where the processing is necessary for a legitimate interest of the controller or a third party and that interest is not overridden by the interests or fundamental rights of the data subject.

Instead of legitimate interests, the PIPL provides the following grounds for processing PI without consent:

  • Necessary to conclude or perform a contract to which the individual is a party;
  • Necessary to perform a statutory duty or obligation;
  • Necessary to respond to a public health emergency or to protect the life, health or property of a natural person;
  • Handling PI within a reasonable scope for news reporting, public opinion supervision or similar activities in the public interest;
  • Handling, within a reasonable scope, PI that the individual has disclosed personally or that has otherwise been lawfully disclosed; or
  • Other circumstances provided for by Chinese laws and administrative regulations.

Unlike the GDPR, the PIPL does not require PI handlers to identify and communicate the legal ground for processing to the individuals concerned; the mandatory notice covers the purpose, method and scope of the handling, but not its legal basis.

Data localization and security assessment
Pursuant to article 40 of the PIPL, critical information infrastructure operators and PI handlers whose handling volume reaches a threshold set by the Cyberspace Administration of China (CAC) must store PI collected or generated in China within China. Under the draft Measures on Security Assessment for Outbound Data Transfer, the CAC is expected to set that threshold at handling the PI of 1 million or more individuals, or cumulatively transferring overseas the PI of 100,000 or more individuals or the sensitive PI of 10,000 or more individuals.

Where a transfer overseas is genuinely necessary, a critical information infrastructure operator or a PI handler above the threshold must pass a security assessment organised by the CAC. Other PI handlers may instead obtain a PI protection certification from a body accredited by the CAC, or conclude an agreement with the overseas recipient on the CAC's standard contract, the text of which had not yet been issued at the time of writing.

In addition, article 55 of the PIPL requires the PI handler to carry out a PI protection impact assessment in advance of the following activities: handling sensitive PI, using PI for automated decision-making, engaging an entrusted party (processor), providing PI to another PI handler, making PI publicly available, and transferring PI across borders. Several of these would not by themselves trigger a data protection impact assessment under the GDPR, which requires one only where the processing is likely to result in a high risk to individuals.

Personal information protection officer
The PIPL requires PI handlers whose handling volume reaches the CAC's threshold to appoint a PI protection officer (article 52), and requires PI handlers outside China that fall within the PIPL's extraterritorial scope to establish a dedicated entity or appoint a representative in China to deal with PI matters (article 53). There are currently no specific qualification requirements for the officer, entity or representative; only their name and contact details need to be reported to the Chinese authorities.

The GDPR likewise provides for a data protection officer and, for businesses established outside the EU, an EU representative. The difference is that the GDPR describes the tasks of the data protection officer in far more detail than the PIPL does.

Data breach notification
Both the PIPL and the GDPR require companies to take action in the event of a personal data breach. Whereas the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach, the PIPL requires the PI handler to take remedial measures and notify "immediately" but does not specify a fixed time limit.

Another nuance is that the notification obligation under the PIPL arises not only where a leakage, tampering or loss of PI has occurred, but also where it may occur. This extends the obligation to circumstances that involve no actual loss or disclosure of PI: for example, if PI has been tampered with, the PI handler must notify the Chinese authorities. A PI handler may refrain from notifying the affected individuals if the measures it has taken can effectively avoid harm from the incident, but the authorities may still require the individuals to be notified.

Additionally, the PIPL contains no express obligation for the entrusted party (processor) to notify the PI handler (controller) of a data breach. This contrasts with the GDPR, which requires processors to notify the controller without undue delay after becoming aware of a breach.

Penalties
A serious breach of the PIPL can incur an administrative fine of up to RMB 50 million or 5% of the PI handler's turnover in the preceding year. It remains unclear whether turnover will be calculated on a global basis or only on turnover generated in China. Under the GDPR, the maximum fine is EUR 20 million or 4% of the worldwide annual turnover of the preceding year, whichever is higher.

Other sanctions under the PIPL include warnings, rectification orders, confiscation of unlawful gains, orders to suspend or terminate services, revocation of business licences and prohibition on doing business in China. An overseas organisation whose PI handling activities harm the national security or public interest of China may also be placed on a list by the CAC, with the effect that Chinese entities are restricted or prohibited from providing any PI to it.

Summary
Although there are similarities between the GDPR and the PIPL, it is important to be aware of the differences between the two laws. Compliance with the GDPR does not mean that your company is also PIPL compliant. This applies in particular to overseas companies that provide products or services to individuals in China or analyse the behaviour of people in China. We advise such companies to re-examine their data privacy policies and practices.

At BUREN we are well positioned to advise on these issues by combining our legal and regulatory expertise in cross-border transactions.

Key contacts

Susanna Tang

Senior Associate | Lawyer
Send me an e-mail
+31 (0)20 333 83 90

Li Jiao

Partner | Lawyer
Send me an e-mail
+86 (0)21 60836813
