Is China’s New Personal Information Privacy Law the New GDPR?

17 September 2021 Foley Launch Blog
Authors: Catherine Zhu

This article originally appeared in Bloomberg Law and is republished here with permission. 

Reproduced with permission. Published September 17, 2021. Copyright 2021 The Bureau of National Affairs, Inc. 800-372-1033. For further use, please visit http://www.bna.com/copyright-permission-request/

China’s first comprehensive law for the protection of individual personal information will soon take effect. Foley & Lardner attorney Catherine Zhu says some aspects appear to be modeled on the EU’s General Data Protection Regulation (GDPR), but global companies need to understand the material distinctions between these two privacy protection frameworks.

China’s new Personal Information Protection Law (PIPL), the country’s first comprehensive law governing the protection of individuals’ personal information, will take effect Nov. 1. Given that China makes up almost a fifth of the world’s population, the PIPL’s privacy regulatory framework will soon apply to roughly one in five individuals on the planet.

Given the magnitude of its applicability, the PIPL cannot be ignored by companies that operate globally.

The new law comes on the heels of the Data Security Law (DSL), passed in June, which establishes rules on how companies must classify the data they collect based on its economic value and its potential impact on national security. Together, the PIPL and the DSL are part of an overall tightening of regulation by the Chinese government around data collection and sharing.

When the EU General Data Protection Regulation (GDPR) went into effect in 2018, it became the most stringent comprehensive data protection regulation in the world and set a new global standard for data protection. While the PIPL appears in some aspects to be modeled on the GDPR, there are material distinctions between these two privacy protection frameworks.

What Companies Need to Comply With PIPL?

The PIPL applies to companies that handle (i.e., process) personal data of individuals within China. For companies that operate outside of China, the law will apply if the purpose of the processing is to (a) provide goods or services to individuals in China, (b) analyze or assess the activities of individuals in China, or (c) falls within other circumstances provided by laws and administrative regulations.

The scope of applicability of the PIPL appears to be modeled on the GDPR in that it applies extraterritorially to companies that offer goods or services to, or monitor the behavior of, covered individuals. However, the overall scope may be broader than the GDPR’s, since the PIPL reserves broad discretion for Chinese regulators to prescribe other circumstances in which the PIPL applies.

Basis for Data Processing

Like the GDPR, the PIPL establishes certain rights of individuals with respect to their personal data and requires companies to have a proper legal basis for processing individuals’ personal data. However, the legal bases for data processing under the PIPL are noticeably narrower for companies than under the GDPR, while broader discretion is reserved for the regulator.

In particular, the PIPL does not provide for legitimate interests as a justified basis for data processing, a basis that businesses often rely on under the GDPR. Rather, outside of consent, the PIPL permits companies to process data only in narrowly defined circumstances.

One distinction to note is that, under the PIPL, a separate consent is required, regardless of the original basis of processing, for the disclosure of personal information to a third party, the processing of “sensitive” personal information, or the international transfer of personal information.

Data Transfers

Like the GDPR, the PIPL places restrictions when it comes to cross-border data transfers. 

Under the PIPL, a company may transfer personal data outside the country only if it meets one of the following conditions: (a) it has passed a security assessment by the Cyberspace Administration of China (CAC), (b) it has obtained a personal information protection certification from a specialized regulatory body, (c) it has entered into a contract in accordance with a standard contract formulated by the CAC, or (d) it does so in accordance with other laws or regulations prescribed by the CAC.

As compared to the GDPR, the PIPL grants the CAC significantly broader discretion to regulate and authorize (or restrict) international data transfers. It is likely we will see a PIPL counterpart to the EU standard contractual clauses as a template to be used in international data transfers.

Moreover, under the PIPL, if a company is considered a critical information infrastructure operator (CII), with critical information infrastructure defined broadly as infrastructure whose compromise might seriously endanger national or public interests, then the CII will be required to store the personal data it collects locally in China. A company that is not a CII but processes personal information “in a volume that reaches the threshold specified by the CAC” will also be required to store that data locally.

Penalties for Noncompliance

The PIPL and the GDPR both carry hefty fines, calibrated to a company’s annual revenue, for violations of the laws. PIPL fines run up to 50 million RMB (about $7.76 million) or 5% of the company’s annual revenue for the prior fiscal year for “grave violations,” and up to 1 million RMB (about $155,000) for less serious violations.

However, unlike the GDPR, the PIPL additionally provides for the personal liability of “responsible personnel” within a company. Under the PIPL, responsible individuals can be fined between 10,000 and 100,000 RMB (between $1,500 and $15,500) for less serious violations and between 100,000 and 1 million RMB (between $15,500 and $155,000) for “grave” violations, and they may also be prohibited from holding leadership positions within the company for a certain period.

What Does This Mean?

The PIPL is more stringent than the GDPR in many respects and, unlike the GDPR, gives the government significant discretion over personal data in the service of national security interests.

With the passage of the PIPL, China has declared its intent to “vigorously participate” in the development of consumer data privacy protection regulation. The CAC is likely to aggressively enforce the PIPL and DSL as part of a larger crackdown on tech platforms currently taking place.

Companies that do business internationally must ensure they are in compliance with the PIPL. At a minimum, this will require a clear understanding of the distinctions between the PIPL and the GDPR, and tailoring internal compliance programs with precision.
