Comparing Privacy Laws: GDPR v. PIPL
The China Personal Information Protection Law (PIPL) was adopted by the National People’s Congress (NPC) Standing Committee on August 20, 2021. The law took effect on November 1, 2021. It regulates the use of personal information by companies operating in China and offers data subjects a greater level of protection and control over their personal data. The PIPL follows China’s Data Security Law (DSL), which took effect on September 1, 2021.
The PIPL mirrors certain provisions found under the General Data Protection Regulation (GDPR) such as the purpose limitation principle and the concept of a data protection officer - known as a Personal Information Protection Officer under the PIPL. However, the new Chinese law and the GDPR do have some key differences such as personal liability for certain breaches of its provisions and different data localization requirements for personal information handlers.
The report Comparing Privacy Laws: GDPR v. PIPL provides a side-by-side comparison of key definitions, sets out applicable legal bases, highlights controller and processor obligations, and more. Each section also includes a consistency rating to give quick insight into the level of similarity or differences between the two laws.
Key Requirements of China’s PIPL
Controller and Processor
The PIPL defines different types of organizations based on their role in the processing of personal information. Under the PIPL, Personal Information Handlers have responsibilities similar to those of a Data Controller under the GDPR, and, although not explicitly defined, Entrusted Persons have a role similar to that of a Data Processor. The PIPL also specifies that organizations collecting personal information must have a clear and reasonable purpose for doing so, and it introduces specific conditions for collecting personal information, including obtaining individual consent.
China’s PIPL provides several new rights for individuals. These include:
- The right to know
- The right to decide relating to their personal information
- The right to consult and copy
- The right to data portability
- The right to correction
- The right to deletion
- The right to withdraw consent
- The right to request personal information handlers explain personal information handling rules
Data Protection Impact Assessments (DPIA)
Organizations subject to the PIPL are required to conduct regular audits of their PIPL compliance program. This includes performing regular risk assessments, known as personal information protection impact assessments, before processing activities that include sensitive personal information (e.g., biometrics, medical and health data, financial accounts, geolocation, etc.), making cross-border data transfers, and disclosing personal information, among other things.
Enforcement and Penalties
Enforcement of the PIPL will be the responsibility of individual departments of Chinese authorities at a local level and by the Cyberspace Administration of China (CAC) on a national level. The CAC will have special rule-making powers under Article 62 of the PIPL.
Violations of the PIPL can result in the suspension or termination of services for illegal processing activities, and in more serious cases personal information processors may be subject to fines of up to RMB 50 million (approx. $7,400,000) or up to 5% of the prior year’s annual revenue.
GDPR v. PIPL Report: Key Takeaways
This report highlights many similarities between the GDPR and the PIPL regarding the definitions of personal information, sensitive personal information, controller and processor, and pseudonymization. Similarly, requirements for the appointment of a data protection officer, conducting DPIAs, and data breach reporting generally align between the GDPR and the PIPL. However, these areas of compliance are referred to with different terminology under the PIPL.
Additionally, there are some differences between the two laws when it comes to data transfers. The GDPR provides for the cross-border transfer of personal information based on adequate protection, while the PIPL does not. However, both laws do outline mechanisms to enable international data transfers. Furthermore, the PIPL empowers next of kin to exercise the rights of deceased persons and introduces personal liability for certain violations.
Download the report to analyze the GDPR and the PIPL and leverage detailed comparisons of the key areas of PIPL compliance.
Further reading on the GDPR and the PIPL:
- OneTrust Blog: China’s Personal Information Protection Law to Take Effect November 1, 2021
- OneTrust DataGuidance: China's PIPL and DSL Portal
- OneTrust DataGuidance: General Data Protection Regulation (GDPR) Portal
- OneTrust DataGuidance Insight: China: The PIPL - Frequently asked questions